From 708c70a158fffe5ef06b91a6aaae0781639004a1 Mon Sep 17 00:00:00 2001 From: alvinmorales1 Date: Thu, 26 Jul 2018 10:41:44 -0700 Subject: [PATCH 01/34] Adding Preserving user Always On preference Adding a note under the AlwaysOn node to explain to users how the AlwaysOn preference is stored in the registry and take precedence over the AlwaysOn setting if enabled. --- windows/client-management/mdm/vpnv2-csp.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index e98cd44400..e7dc68df1b 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -255,7 +255,14 @@ An optional flag to enable Always On mode. This will automatically connect the V > **Note**  Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active. -  +Preserving user Always On preference + +Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. +Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference. +Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config +Value: AutoTriggerDisabledProfilesList +Type: REG_MULTI_SZ + Valid values: From 6dd59afcf5fbd66f5fc2053e12064818a0a96bdb Mon Sep 17 00:00:00 2001 
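Review bot: In the vpnv2-csp.md hunk of PATCH 01/34 (`@@ -255,7 +255,14 @@`), the new "Preserving user Always On preference" block is inserted between the AlwaysOn note and the existing `Valid values:` context line, so the value list for the AlwaysOn node now reads as if it belonged to the registry description. Move the block below the AlwaysOn value list. Because a profile name in `AutoTriggerDisabledProfilesList` makes Windows ignore AlwaysOn set to true by the management tool, the text should also say how an administrator can tell that a profile is listed there; as written it only describes how the entry gets added.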
From: alvinmorales1 Date: Thu, 26 Jul 2018 10:45:34 -0700 Subject: [PATCH 02/34] Adding info Preserving user Always On preference Adding information under the Always On section to educate customers about how the Always On preference is stored in the registry and how it can override the setting. --- .../vpn/vpn-auto-trigger-profile.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 22c5b6361e..a57b762d3a 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md 
@@ -58,6 +58,15 @@ When the trigger occurs, VPN tries to connect. If an error occurs or any user in When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. +Preserving user Always On preference + +Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. +Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference. +Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config +Value: AutoTriggerDisabledProfilesList +Type: REG_MULTI_SZ + + ## Trusted network detection This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered. @@ -86,4 +95,4 @@ After you add an associated app, if you select the **Only these apps can use thi - [VPN and conditional access](vpn-conditional-access.md) - [VPN name resolution](vpn-name-resolution.md) - [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file +- [VPN profile options](vpn-profile-options.md) From 2320f4674d2f7fb25e9a5449c229b9a5f2c1e21f Mon Sep 17 00:00:00 2001 
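Review bot: In the first hunk of PATCH 02/34 (vpn-auto-trigger-profile.md, `@@ -58,6 +58,15 @@`), the title line "Preserving user Always On preference" is added as plain text while the next section in the same hunk is a real heading (`## Trusted network detection`), and the `Key:`, `Value:` and `Type:` lines are consecutive with no blank line or list marker, so Markdown will fold them into a single paragraph. Give the title a heading level that fits under the Always On section and put the three registry fields in a list. The block is also a verbatim copy of what PATCH 01/34 adds to vpnv2-csp.md; keeping it in one topic and linking to it from the other would stop the two copies drifting apart.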
From: Nash Pherson Date: Thu, 26 Jul 2018 13:45:43 -0400 Subject: [PATCH 03/34] Fixed typo --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 0e3ae864cf..d0c4ddbf52 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -70,7 +70,7 @@ To align with this new update delivery model, Windows 10 has three servicing cha ### Naming changes As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting common terminology to make it as easy as possible to understand the servicing process. Going forward, these are the new terms we will be using: -* Semi-Annual Channel - We will be referreing to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". +* Semi-Annual Channel - We will be referring to Current Branch (CB) as "Semi-Annual Channel (Targeted)", while Current Branch for Business (CBB) will simply be referred to as "Semi-Annual Channel". * Long-Term Servicing Channel -  The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC). >[!IMPORTANT] From e88012605b17c02b16d184fc8fe8bd3f4b074baf Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Thu, 26 Jul 2018 16:07:10 -0700 Subject: [PATCH 04/34] Update use-set-up-school-pcs-app.md Typo --- education/windows/use-set-up-school-pcs-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index bdf6a298c9..ff0db1d6b4 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md 
@@ -15,7 +15,7 @@ ms.date: 07/11/2018 # Use the Set up School PCs app -IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app anrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings Set up School PCs configures through the MDM. +IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings Set up School PCs configures through the MDM. Set up School PCs also: * Joins each student PC to your organization's Office 365 and Azure Active Directory tenant. From cd752e58d346cada2b517b0b2f6b09194758803f Mon Sep 17 00:00:00 2001 From: sccmentor Date: Fri, 27 Jul 2018 21:39:55 +0100 Subject: [PATCH 05/34] Update mbam-25-supported-configurations.md --- mdop/mbam-v25/mbam-25-supported-configurations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md index 4eb36ebf32..db4b4232a6 100644 --- a/mdop/mbam-v25/mbam-25-supported-configurations.md +++ b/mdop/mbam-v25/mbam-25-supported-configurations.md 
@@ -365,7 +365,7 @@ https://www.microsoft.com/en-us/download/details.aspx?id=54967< **Note** -In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=54967 . In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features. +In order to support SQL 2016 you must install the March 2017 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=54967 and to support SQL 2017 you must install the July 2018 Servicing Release for MDOP https://www.microsoft.com/en-us/download/details.aspx?id=57157. In general stay current by always using the most recent servicing update as it also includes all bugfixes and new features.   ### SQL Server processor, RAM, and disk space requirements – Stand-alone topology From 0c5e05b531fa67c9dfeeb75d589dc97918523132 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 27 Jul 2018 21:19:27 +0000 Subject: [PATCH 06/34] Merged PR 10154: Added descriptions to Antispyware nodes in DeviceStatus CSP --- windows/client-management/mdm/devicestatus-csp.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 89a798ab13..a20317c21f 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 07/26/2018 --- # DeviceStatus CSP 
@@ -178,11 +178,24 @@ Supported operation is Get. **DeviceStatus/Antispyware/SignatureStatus** Added in Windows, version 1607. Integer that specifies the status of the antispyware signature. +Valid values: + +- 0 - The security software reports that it is not the most recent version. +- 1 - The security software reports that it is the most recent version. +- 2 - Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) + Supported operation is Get. **DeviceStatus/Antispyware/Status** Added in Windows, version 1607. Integer that specifies the status of the antispyware. +Valid values: + +- 0 - The status of the security provider category is good and does not need user attention. +- 1 - The status of the security provider category is not monitored by Windows Security Center (WSC). +- 2 - The status of the security provider category is poor and the computer may be at risk. +- 3 - The security provider category is in snooze state. Snooze indicates that WSC is not actively protecting the computer. + Supported operation is Get. **DeviceStatus/Firewall** From beb20690c2e3339893afda55f290801abb921c3e Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 27 Jul 2018 21:33:18 +0000 Subject: [PATCH 07/34] Merged PR 10166: Experience - added new policies in Policy CSP --- .../policy-configuration-service-provider.md | 8 + .../mdm/policy-csp-experience.md | 158 ++++++++++++++++++ 2 files changed, 166 insertions(+) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 6ff4d2dc96..e95aba3fb5 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1246,6 +1246,12 @@ The following diagram shows the Policy configuration service provider in tree fo
Experience/DoNotShowFeedbackNotifications
+
+ Experience/DoNotSyncBrowserSetting +
+
+ Experience/PreventUsersFromTurningOnBrowserSyncing +
### ExploitGuard policies @@ -4319,6 +4325,8 @@ The following diagram shows the Policy configuration service provider in tree fo - [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips) - [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen) - [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications) +- [Experience/DoNotSyncBrowserSetting](./policy-csp-experience.md#experience-donotsyncbrowsersetting) +- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing) - [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings) - [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) - [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index f2dec99193..a0a6355c06 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -90,6 +90,12 @@ ms.date: 07/13/2018
Experience/DoNotShowFeedbackNotifications
+
+ Experience/DoNotSyncBrowserSetting +
+
+ Experience/PreventUsersFromTurningOnBrowserSyncing +
@@ -1390,6 +1396,158 @@ The following list shows the supported values: +<<<<<<< HEAD +
+ + +**Experience/DoNotSyncBrowserSetting** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +By default, the "browser" group syncs automatically between user’s devices and allowing users to choose to make changes. The "browser" group uses the **Sync your Settings** option in Settings to sync information like history and favorites. Enabling this policy prevents the "browser" group from using the **Sync your Settings** option. If you want syncing turned off by default but not disabled, select the Allow users to turn "browser" syncing option. + +Related policy: PreventUsersFromTurningOnBrowserSyncing. + +Value type is integer. Supported values: + +- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between user’s devices and lets users to make changes. +- 2 - Prevented/turned off. The "browser" group does not use the **Sync your Settings** option. + + + +ADMX Info: +- GP English name: *Do not sync browser settings* +- GP name: *DisableWebBrowserSettingSync* +- GP path: *Windows Components/Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + + + + + + + + + + + +
+ + +**Experience/PreventUsersFromTurningOnBrowserSyncing** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +By default, the "browser" group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the "browser" group from syncing and prevent users from turning on the Sync your Settings toggle in Settings. If you want syncing turned off by default but not disabled, select the Allow users to turn "browser" syncing option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy. + +Related policy: DoNotSyncBrowserSetting + +Value type is integer. Supported values: + +- 0 - Allowed/turned on. Users can sync the browser settings. +- 1 (default) - Prevented/turned off. + +This policy only works with the Experience/DoNotSyncBrowserSetting policy, and for this policy to work correctly, you must set Experience/DoNotSynBrowserSettings to 2 (enabled). By default, when you set this policy and the Experience/DoNotSyncBrowserSetting policy to 0 (disabled or not configured), the browser settings sync automatically. However, with this policy, you can prevent the syncing of browser settings and prevent users from turning on the Sync your Settings option. Additionally, you can prevent syncing the browser settings but give users a choice to turn on syncing. + +If you want to prevent syncing of browser settings and prevent users from turning it on: +1. Set Experience/DoNotSyncBrowserSetting to 2 (enabled). +1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 1 (enabled or not configured). + +If you want to prevent syncing of browser settings but give users a choice to turn on syncing: +1. Set Experience/DoNotSyncBrowserSetting to 2 (enabled). +1. Set this policy (Experience/PreventUsersFromTurningOnBrowserSyncing) to 0 (disabled). 
+ + + +ADMX Info: +- GP English name: *Do not sync browser settings* +- GP name: *DisableWebBrowserSettingSync* +- GP element: *CheckBox_UserOverride* +- GP path: *Windows Components/Sync your settings* +- GP ADMX file name: *SettingSync.admx* + + + + + + + + + +**Validation procedure:** + +Microsoft Edge on your PC: +1. Select More > Settings. +1. See if the setting is enabled or disabled based on your setting. + + + +======= +>>>>>>> 785954ffa54220bce4c3bdaef580253b43197a5a
Footnote: From 4d9bbf21125121c875e0818913e02232f6874333 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 27 Jul 2018 23:21:44 +0000 Subject: [PATCH 08/34] Merged PR 10168: Updated the MDM change history table Change history table --- ...ew-in-windows-mdm-enrollment-management.md | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 80cdf791b0..c92f8d40fc 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/23/2018 +ms.date: 07/27/2018 --- # What's new in MDM enrollment and management @@ -1638,32 +1638,36 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware +[PassportForWork CSP](passportforwork-csp.md) +

Added new settings in Windows 10, next major version.

+ + [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) -

Added NonRemovable setting under AppManagement node.

+

Added NonRemovable setting under AppManagement node in Windows 10, next major version.

[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) -

Added new configuration service provider.

+

Added new configuration service provider in Windows 10, next major version.

[WindowsLicensing CSP](windowslicensing-csp.md) -

Added S mode settings and SyncML examples.

+

Added S mode settings and SyncML examples in Windows 10, next major version.

[SUPL CSP](supl-csp.md) -

Added 3 new certificate nodes.

+

Added 3 new certificate nodes in Windows 10, next major version.

[Defender CSP](defender-csp.md) -

Added a new node Health/ProductStatus.

+

Added a new node Health/ProductStatus in Windows 10, next major version.

[BitLocker CSP](bitlocker-csp.md) -

Added a new node AllowStandardUserEncryption.

+

Added a new node AllowStandardUserEncryption in Windows 10, next major version.

[DevDetail CSP](devdetail-csp.md) -

Added a new node SMBIOSSerialNumber.

+

Added a new node SMBIOSSerialNumber in Windows 10, next major version.

[Policy CSP](policy-configuration-service-provider.md) From 5736a9c89be1e2613a432492970309472a24a4e4 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 27 Jul 2018 23:22:08 +0000 Subject: [PATCH 09/34] Merged PR 10155: Add RemoteFind to list of CSPs supported in Windows Holographic --- .../mdm/configuration-service-provider-reference.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 441c14e310..cd6b862e43 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/24/2018 +ms.date: 07/27/2018 --- # Configuration service provider reference @@ -2660,6 +2660,7 @@ The following list shows the configuration service providers supported in Window | [NodeCache CSP](nodecache-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | [PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [RemoteFind CSP](remotefind-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 | | [RemoteWipe CSP](remotewipe-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 | | [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | | [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | From 12390e6c133048ec019bce4234ed831571cb2740 Mon Sep 17 00:00:00 2001 
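Review bot: In the policy-csp-experience.md hunk of PATCH 07/34 (`@@ -1390,6 +1396,158 @@`), unresolved merge conflict markers are committed as document content: the added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> 785954ffa54220bce4c3bdaef580253b43197a5a` wrap the two new policy sections. Resolve the conflict and drop the three marker lines before this merges. In the same hunk, the PreventUsersFromTurningOnBrowserSyncing description tells the reader to set `Experience/DoNotSynBrowserSettings` to 2, which does not match the policy name `Experience/DoNotSyncBrowserSetting` used everywhere else in the patch, and the DoNotSyncBrowserSetting value list says "lets users to make changes".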
From: Ed Gallagher Date: Sat, 28 Jul 2018 19:28:05 -0500 Subject: [PATCH 10/34] Fix broken link Link to TPM Cmdlets in Windows PowerShell is broken. Changed the link to what I believe is the correct page. --- .../hardware-protection/tpm/change-the-tpm-owner-password.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md b/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md index 85fc58c11a..7731079b80 100644 --- a/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md +++ b/windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md @@ -45,7 +45,7 @@ To change to a new TPM owner password, in TPM.msc, click **Change Owner Password ## Use the TPM cmdlets -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule). ## Related topics From 5d80200b40e5c3f2a03c48cd1dab9d9b531f9d6c Mon Sep 17 00:00:00 2001 From: Menno Stevens Date: Sun, 29 Jul 2018 17:00:08 +0200 Subject: [PATCH 11/34] Update surface-dock-updater.md (initial docs update for 2.22.139.0) Actual update details still t.b.d. Just reflecting in docs that the download link now offers version 2.22.139.0 --- devices/surface/surface-dock-updater.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index 227433e7b2..6141054da4 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md 
@@ -117,6 +117,12 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app >[!Note] >Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater. +### Version 2.22.139.0 +*Release Date: 26 July 2018* + +This version of Surface Dock Updater adds support for the following: +t.b.d. + ### Version 2.12.136.0 *Release Date: 29 January 2018* From 4dd04bde84d9c9e0e6e28b54c70e7073573f606f Mon Sep 17 00:00:00 2001 From: Ed Gallagher Date: Sun, 29 Jul 2018 20:23:40 -0500 Subject: [PATCH 12/34] Clarification Clarified the requirement of TMP 2.0 for Device Health Attestation to resolve question raised by user Thomas Redmer --- .../hardware-protection/tpm/trusted-platform-module-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md b/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md index 829d773086..43699df08e 100644 --- a/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/hardware-protection/tpm/trusted-platform-module-overview.md @@ -68,7 +68,7 @@ Some things that you can check on the device are: - Is SecureBoot supported and enabled? > [!NOTE] -> The device must be running Windows 10 and it must support at least TPM 2.0. +> The device must be running Windows 10 and it must support at least TPM 2.0 in order to utilize Device Health Attestation. ## Supported versions From 1d865bdb5d32e9ec4bd14fce73f45d04776dfe37 Mon Sep 17 00:00:00 2001 
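Review bot: In PATCH 10/34 (change-the-tpm-owner-password.md, `@@ -45,7 +45,7 @@`), the replacement link hard-codes the `/en-us/` locale in `https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule`. Other docs.microsoft.com links in this series, such as the Windows Defender Antivirus link in the context of PATCH 13/34, omit the locale segment; dropping it here would keep the link consistent with them.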
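Review bot: In PATCH 11/34 (surface-dock-updater.md, `@@ -117,6 +117,12 @@`), the new `### Version 2.22.139.0` section ends with the placeholder `t.b.d.` directly under "This version of Surface Dock Updater adds support for the following:", so the published page would announce a list that is empty. Either hold the section until the change list is known, or reword it to state only what the commit message says: that the download now offers version 2.22.139.0.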
From: Joey Caparas Date: Mon, 30 Jul 2018 16:02:25 +0300 Subject: [PATCH 13/34] asc integration --- ...ows-defender-advanced-threat-protection.md | 19 ++++++++++++++- ...ows-defender-advanced-threat-protection.md | 6 ++++- ...ows-defender-advanced-threat-protection.md | 24 ++++++++++++++----- 3 files changed, 41 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 5947c3167a..4df77c291d 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 05/08/2018 +ms.date: 07/30/2018 --- # Onboard servers to the Windows Defender ATP service 
@@ -114,6 +114,23 @@ You’ll be able to onboard in the same method available for Windows 10 client m If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). + +## Integration with Azure Security Center +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + +The following capabilities are included in this integration: +- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to ASC. For more information on onboarding to ASC, see Onboarding to Azure Security Center Standard for enhanced security. + >[!NOTE] + > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. +- Servers monitored by Azure Security Center will also be available in Windows Defender ATP - ASC seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center console. +- Server investigation - Azure Security Center customers can access the Windows Defender ATP portal to perform detailed investigation to uncover the scope of a potential breach + +>[!IMPORTANT] +>- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. For more information on how to change the geolocation, please contact support. 
+>- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. + + + ## Offboard servers You can offboard Windows Server, version 1803 in the same method available for Windows 10 client machines. diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index 16ca374715..8675655043 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 06/21/2018 +ms.date: 07/30/2018 --- # Windows Defender ATP preview features @@ -49,6 +49,10 @@ Onboard supported versions of Windows machines so that they can send sensor data - Windows 8.1 Enterprise - Windows 8.1 Pro +- [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)
+Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index 37aca9ce88..99e9e5c8c6 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 07/12/2017 +ms.date: 07/30/2018 --- # Troubleshoot service issues @@ -22,11 +22,11 @@ ms.date: 07/12/2017 This section addresses issues that might arise as you use the Windows Defender Advanced Threat service. -### Server error - Access is denied due to invalid credentials +## Server error - Access is denied due to invalid credentials If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings. Configure your browser to allow cookies. -### Elements or data missing on the portal +## Elements or data missing on the portal If some UI elements or data is missing on Windows Defender Security Center it’s possible that proxy settings are blocking it. Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. 
@@ -35,17 +35,17 @@ Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. > [!NOTE] > You must use the HTTPS protocol when adding the following endpoints. -### Windows Defender ATP service shows event or error logs in the Event Viewer +## Windows Defender ATP service shows event or error logs in the Event Viewer See the topic [Review events and errors using Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors. -### Windows Defender ATP service fails to start after a reboot and shows error 577 +## Windows Defender ATP service fails to start after a reboot and shows error 577 If onboarding machines successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy). -#### Known issues with regional formats +## Known issues with regional formats **Date and time formats**
There are some known issues with the time and date formats. @@ -65,6 +65,18 @@ Support of use of comma as a separator in numbers are not supported. Regions whe >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) +## Servers monitored by Azure Security Center automatically onboarded to Windows Defender ATP service + +When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. + +If you want to store your data from Europe to another data center, please contact support. + +> [!WARNING] +> Deleting the existing Windows Defender ATP tenant will also delete all historical data and alerts. + + + + ## Related topics - [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) From 328fa5f0c9776f2ce53cba4b5d84a3a4e4f37702 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 30 Jul 2018 10:52:24 -0700 Subject: [PATCH 14/34] revised tab name --- ...e-the-workstation-authentication-certificate-template.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md b/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md index 4aeab49c4b..840bf5b9b7 100644 --- a/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md +++ b/windows/security/identity-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md 
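Review bot: In troubleshoot-windows-defender-advanced-threat-protection.md, the new "Servers monitored by Azure Security Center automatically onboarded to Windows Defender ATP service" section (hunk at -65,6 +65,18) is added below the "Want to experience Windows Defender ATP?" trial link, and its second sentence, "If you want to store your data from Europe to another data center", does not say whether existing data is moved or only new data is stored elsewhere. Suggest placing the section above the trial link and rewording to something like "If you want your data stored in a location other than Europe, contact support". The warning about deleting the tenant also needs one sentence of context: say whether changing the storage location involves deleting the tenant, because readers who depend on historical alerts for investigations need to know when that loss can occur. The four added blank lines after the warning can be reduced to one. In the earlier hunks, "Known issues with regional formats" goes from #### to ## while its siblings go from ### to ##; confirm that flattening the hierarchy is intended.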
@@ -6,8 +6,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft -ms.date: 04/19/2017 +author: Justinha +ms.date: 07/30/2018 --- # Configure the Workstation Authentication Certificate Template @@ -36,7 +36,7 @@ To complete these procedures, you must be a member of both the Domain Admins gro 6. Click the **Subject Name** tab. Make sure that **Build from this Active Directory information** is selected. In **Subject name format**, select **Fully distinguished name**. -7. Click the **Request Handling** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048. +7. Click the **Cryptography** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048. 8. Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**. From 12727381d5f659b61315f2c3ce454c1e8d55b78d Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 30 Jul 2018 18:21:15 +0000 Subject: [PATCH 15/34] Merged PR 10193: DeviceGuard/EnableSystemGuard - added to Policy CSP --- .../policy-configuration-service-provider.md | 4 + .../mdm/policy-csp-deviceguard.md | 77 ++++++++++++++++++- 2 files changed, 80 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index e95aba3fb5..2a6faa8bbb 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md 
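Review bot: Step 7 in configure-the-workstation-authentication-certificate-template.md is rewritten for the tab rename but still carries "We recommended that you use the default setting of 2048"; since the line is already being changed, correct it to "We recommend". The step also tells the reader to decide on a minimum key size without naming the control on the **Cryptography** tab where the value is set, so adding the field name would make the instruction actionable. The `author:` metadata change is unrelated to the subject "revised tab name" and is worth mentioning in the commit message.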
@@ -979,6 +979,9 @@ The following diagram shows the Policy configuration service provider in tree fo ### DeviceGuard policies
+
+ DeviceGuard/EnableSystemGuard +
DeviceGuard/EnableVirtualizationBasedSecurity
@@ -4284,6 +4287,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) - [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) - [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) +- [DeviceGuard/EnableSystemGuard](./policy-csp-deviceguard.md#deviceguard-enablesystemguard) - [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity) - [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags) - [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures) diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 345a36f617..cacbb2acc6 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -6,11 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 07/30/2018 --- # Policy CSP - DeviceGuard +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -19,6 +21,9 @@ ms.date: 03/12/2018 ## DeviceGuard policies
+
+ DeviceGuard/EnableSystemGuard +
DeviceGuard/EnableVirtualizationBasedSecurity
@@ -31,6 +36,75 @@ ms.date: 03/12/2018
+
+ + +**DeviceGuard/EnableSystemGuard** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy allows the IT admin to configure the launch of System Guard. + +Secure Launch configuration: + +- 0 - Unmanaged, configurable by Administrative user +- 1 - Enables Secure Launch if supported by hardware +- 2 - Disables Secure Launch. + +For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How hardware-based containers help protect Windows 10](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows). + + + +ADMX Info: +- GP English name: *Turn On Virtualization Based Security* +- GP name: *VirtualizationBasedSecurity* +- GP element: *SystemGuardDrop* +- GP path: *System/Device Guard* +- GP ADMX file name: *DeviceGuard.admx* + + + + + + + + + + + + +
@@ -215,6 +289,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. From 5505d251facfa7577ff631798ad3f73d2b0bb67c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 30 Jul 2018 11:26:27 -0700 Subject: [PATCH 16/34] s=fixed sid --- .../identity-protection/access-control/local-accounts.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index cdfbc8c21a..2cc7a62ad3 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.date: 04/19/2017 +ms.date: 07/30/2018 --- # Local Accounts 
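Review bot: The DeviceGuard/EnableSystemGuard description added to policy-csp-deviceguard.md lists values 0, 1 and 2 but does not say which one is the default, and it moves from "configure the launch of System Guard" to "Secure Launch configuration" without stating that the policy controls Secure Launch specifically. Suggest marking the default in the value list and describing what happens when 1 is set on hardware that does not support Secure Launch, since an admin auditing compliance needs to tell "enabled" from "requested but not supported". The ADMX block gives the GP English name as *Turn On Virtualization Based Security* with GP element *SystemGuardDrop*; a sentence telling readers that the setting is an option inside that policy would keep them from looking for a separate System Guard policy. Footnote 5, "Added in the next major release of Windows 10", will go stale and should be replaced with the version number once it is known. The trailing period on "2 - Disables Secure Launch." is inconsistent with the other two items.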
@@ -114,11 +114,11 @@ Even when the Administrator account has been disabled, it can still be used to g ### Guest account -The Guest account (SID S-1-5-32-546) is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary. +The Guest account is disabled by default on installation. The Guest account lets occasional or one-time users, who do not have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account has a blank password. Because the Guest account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave the Guest account disabled, unless its use is entirely necessary. **Account group membership** -By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers. +By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a server. On occasion, an administrator who is a member of the Administrators group can set up a user with a Guest account on one or more computers. **Security considerations** From 09e8b51e42880d8db4efdf2f0ad05559deff0675 Mon Sep 17 00:00:00 2001 
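Review bot: After this change the Guest account paragraph in local-accounts.md gives no SID for the account itself: S-1-5-32-546 is moved to the Guests group sentence, which is the right place for it, but nothing replaces it in the first sentence. Suggest adding the Guest account's own well-known SID there so that readers matching SIDs in audit logs or ACLs can identify both the account and the group. The subject line "s=fixed sid" looks like a stray keystroke; "Fixed SID" would read better in the log.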
From: Arsham Mesbah Date: Mon, 30 Jul 2018 11:41:13 -0700 Subject: [PATCH 17/34] Fixing the registry path for setting telemetry level via GP --- ...ws-diagnostic-data-in-your-organization.md | 890 +++++++++--------- 1 file changed, 445 insertions(+), 445 deletions(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 17d45d542b..80ab6e72d3 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
@@ -1,445 +1,445 @@ ---- -description: Use this article to make informed decisions about how you can configure diagnostic data in your organization. -title: Configure Windows diagnostic data in your organization (Windows 10) -keywords: privacy -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: high -author: brianlic-msft -ms.date: 04/04/2018 ---- - -# Configure Windows diagnostic data in your organization - -**Applies to** - -- Windows 10 Enterprise -- Windows 10 Mobile -- Windows Server - -At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how. - -To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways: - -- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. -- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. 
-- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. -- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. -- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. -- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. - -This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers. - -Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. 
The diagnostic data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services. - -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. - -## Overview - -In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM. - -For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. - -## Understanding Windows diagnostic data - -Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. - -The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts. 
- -### What is Windows diagnostic data? -Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: - -- Keep Windows up to date -- Keep Windows secure, reliable, and performant -- Improve Windows – through the aggregate analysis of the use of Windows -- Personalize Windows engagement surfaces - -Here are some specific examples of Windows diagnostic data: - -- Type of hardware being used -- Applications installed and usage details -- Reliability information on device drivers - -### What is NOT diagnostic data? - -Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request. - -There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. - -If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services). 
- -The following are specific examples of functional data: - -- Current location for weather -- Bing searches -- Wallpaper and desktop settings synced across multiple devices - -### Diagnostic data gives users a voice - -Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits. - -### Drive higher app and driver quality - -Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. - -#### Real-world example of how Windows diagnostic data helps -There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. 
Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. - -### Improve end-user productivity - -Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: - -- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. -- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. -- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. - -**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** - - -### Insights into your own organization - -Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. 
The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). - -#### Upgrade Readiness - -Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. - -To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. - -With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. - -Use Upgrade Readiness to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer, driver, and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools - -The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. - -## How is diagnostic data handled by Microsoft? - -### Data collection - -Windows 10 and Windows Server 2016 includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. 
The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. - -1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. -2. Events are gathered using public operating system event logging and tracing APIs. -3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings. -4. The Connected User Experiences and Telemetry component transmits the diagnostic data. - -Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels. - -### Data transmission - -All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. - -The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day). - - -### Endpoints - -The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. 
- -The following table defines the endpoints for Connected User Experiences and Telemetry component: - -Windows release | Endpoint ---- | --- -Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1

Functional: v20.vortex-win.data.microsoft.com/collect/v1
Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1
settings-win.data.microsoft.com -Windows 10, version 1607 | v10.vortex-win.data.microsoft.com

settings-win.data.microsoft.com - -The following table defines the endpoints for other diagnostic data services: - -| Service | Endpoint | -| - | - | -| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | -| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | -| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | - -### Data use and access - -The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. - -### Retention - -Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history. - -## Diagnostic data levels -This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. - -The diagnostic data is categorized into four levels: - -- **Security**. 
Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. - -- **Basic**. Basic device info, including: quality-related data, app compatibility, and data from the **Security** level. - -- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels. - -- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels. - -The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016. - -![breakdown of diagnostic data levels and types of administrative controls](images/priv-telemetry-levels.png) - -### Security level - -The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions. - -> [!NOTE] -> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. - -Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered. - -The data gathered at this level includes: - -- **Connected User Experiences and Telemetry component settings**. 
If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). - -- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. - - > [!NOTE] - > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). - -- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. - - > [!NOTE] - > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender). - - Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. 
- -For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity. - -No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. - -### Basic level - -The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent. - -The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device. - -The data gathered at this level includes: - -- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. 
Examples include: - - - Device attributes, such as camera resolution and display type - - - Internet Explorer version - - - Battery attributes, such as capacity and type - - - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number - - - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware - - - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system - - - Operating system attributes, such as Windows edition and virtualization state - - - Storage attributes, such as number of drives, type, and size - -- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time. - -- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. - -- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. - - - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. - - - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. 
- - - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS. - - - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. - - - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. - -- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses. - - -### Enhanced level - -The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. - -This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. - -The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device. - -The data gathered at this level includes: - -- **Operating system events**. 
Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. - -- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. - -- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. - -- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps. - -If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue. - -#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics -Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**. - -In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic. 
- -- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic. - -- **Some crash dump types.** All crash dump types, except for heap and full dumps. - -**To turn on this behavior for devices** - -1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM. - - a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**. - - -OR- - - b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**. - - -AND- - -2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM. - - a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**. - - -OR- - - b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**. - -### Full level - -The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro. - -Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. 
- -If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem. - -However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: - -- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. - -- Ability to get registry keys. - -- All crash dump types, including heap dumps and full dumps. - -## Enterprise management - -Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option. - -Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available. - -IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. 
Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this section describes how to use group policy to configure levels and settings interface. - - -### Manage your diagnostic data settings - -We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. - -> [!IMPORTANT] -> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). - -You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on. - -The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**. 
- -### Configure the operating system diagnostic data level - -You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. - -Use the appropriate value in the table below when you configure the management policy. - -| Level | Data gathered | Value | -| - | - | - | -| Security | Security data only. | **0** | -| Basic | Security data, and basic system and quality data. | **1** | -| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** | -| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** | - - > [!NOTE] - > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting. - -### Use Group Policy to set the diagnostic data level - -Use a Group Policy object to set your organization’s diagnostic data level. - -1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. - -2. Double-click **Allow Telemetry**. - -3. In the **Options** box, select the level that you want to configure, and then click **OK**. - -### Use MDM to set the diagnostic data level - -Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. - -### Use Registry Editor to set the diagnostic data level - -Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. 
If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. - -1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection**. - -2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. - -3. Type **AllowTelemetry**, and then press ENTER. - -4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.** - -5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. - -### Configure System Center 2016 diagnostic data - -For System Center 2016 Technical Preview, you can turn off System Center diagnostic data by following these steps: - -- Turn off diagnostic data by using the System Center UI Console settings workspace. - -- For information about turning off diagnostic data for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505). - -### Additional diagnostic data controls - -There are a few more settings that you can turn off that may send diagnostic data information: - -- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). - -- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. - -- Manage the Malicious Software Removal Tool in your organization. 
For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). - -- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. - - > [!NOTE] - > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. - -## Additional resources - -FAQs - -- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy) -- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) -- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy) -- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy) -- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) -- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq) -- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) -- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) -- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization) - -Blogs - -- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) - -Privacy Statement - 
-- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - -TechNet - -- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - -Web Pages - -- [Privacy at Microsoft](http://privacy.microsoft.com) - - +--- +description: Use this article to make informed decisions about how you can configure diagnostic data in your organization. +title: Configure Windows diagnostic data in your organization (Windows 10) +keywords: privacy +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +author: brianlic-msft +ms.date: 04/04/2018 +--- + +# Configure Windows diagnostic data in your organization + +**Applies to** + +- Windows 10 Enterprise +- Windows 10 Mobile +- Windows Server + +At Microsoft, we use Windows diagnostic data to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Diagnostic data gives users a voice in the operating system’s development. This guide describes the importance of Windows diagnostic data and how we protect that data. Additionally, it differentiates between diagnostic data and functional data. It also describes the diagnostic data levels that Windows supports. Of course, you can choose how much diagnostic data is shared with Microsoft, and this guide demonstrates how. + +To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). 
These principles guided the implementation of the Windows diagnostic data system in the following ways: + +- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. +- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. +- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. +- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. +- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. +- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. + +This article applies to Windows and Windows Server diagnostic data only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, diagnostic data controls, and so on. This article describes the types of diagnostic data we may gather, the ways you might manage it in your organization, and some examples of how diagnostic data can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers. 
+ +Use this article to make informed decisions about how you might configure diagnostic data in your organization. Diagnostic data is a term that means different things to different people and organizations. For this article, we discuss diagnostic data as system data that is uploaded by the Connected User Experiences and Telemetry component. The diagnostic data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services. + +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. + +## Overview + +In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM. + +For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization. + +## Understanding Windows diagnostic data + +Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. 
Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us. + +The release cadence of Windows may be fast, so feedback is critical to its success. We rely on diagnostic data at each stage of the process to inform our decisions and prioritize our efforts. + +### What is Windows diagnostic data? +Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: + +- Keep Windows up to date +- Keep Windows secure, reliable, and performant +- Improve Windows – through the aggregate analysis of the use of Windows +- Personalize Windows engagement surfaces + +Here are some specific examples of Windows diagnostic data: + +- Type of hardware being used +- Applications installed and usage details +- Reliability information on device drivers + +### What is NOT diagnostic data? + +Diagnostic data can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not diagnostic data. For example, exchanging a user’s location for local weather or news is not an example of diagnostic data—it is functional data that the app or service requires to satisfy the user’s request. + +There are subtle differences between diagnostic data and functional data. Windows collects and sends diagnostic data in the background automatically. You can control how much information is gathered by setting the diagnostic data level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data. 
+ +If you’re an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services). + +The following are specific examples of functional data: + +- Current location for weather +- Bing searches +- Wallpaper and desktop settings synced across multiple devices + +### Diagnostic data gives users a voice + +Windows and Windows Server diagnostic data gives every user a voice in the operating system’s development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits. + +### Drive higher app and driver quality + +Our ability to collect diagnostic data that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Diagnostic data helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues. + +#### Real-world example of how Windows diagnostic data helps +There was a version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our diagnostic data, and immediately contacted the third-party developer who builds the video driver. 
Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on diagnostic data from the Windows Insiders’ devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Diagnostic data helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls. + +### Improve end-user productivity + +Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: + +- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. +- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. +- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. 
+ +**These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** + + +### Insights into your own organization + +Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + +#### Upgrade Readiness + +Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. + +To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. + +With Windows diagnostic data enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. 
+ +Use Upgrade Readiness to get: + +- A visual workflow that guides you from pilot to production +- Detailed computer, driver, and application inventory +- Powerful computer level search and drill-downs +- Guidance and insights into application and driver compatibility issues with suggested fixes +- Data driven application rationalization tools +- Application usage information, allowing targeted validation; workflow to track validation progress and decisions +- Data export to commonly used software deployment tools + +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. + +## How is diagnostic data handled by Microsoft? + +### Data collection + +Windows 10 and Windows Server 2016 includes the Connected User Experiences and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores diagnostic data events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology. + +1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces. +2. Events are gathered using public operating system event logging and tracing APIs. +3. You can configure the diagnostic data level by using MDM policy, Group Policy, or registry settings. +4. The Connected User Experiences and Telemetry component transmits the diagnostic data. + +Info collected at the Enhanced and Full levels of diagnostic data is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels. + +### Data transmission + +All diagnostic data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. 
With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks. + +The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day, but occasionally up to 2 MB per device per day). + + +### Endpoints + +The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access. + +The following table defines the endpoints for Connected User Experiences and Telemetry component: + +Windows release | Endpoint +--- | --- +Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1

Functional: v20.vortex-win.data.microsoft.com/collect/v1
Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1
settings-win.data.microsoft.com +Windows 10, version 1607 | v10.vortex-win.data.microsoft.com

settings-win.data.microsoft.com + +The following table defines the endpoints for other diagnostic data services: + +| Service | Endpoint | +| - | - | +| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | +| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | +| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | + +### Data use and access + +The principle of least privileged access guides access to diagnostic data. Microsoft does not share personal data of our customers with third parties, except at the customer’s discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/privacystatement). Microsoft may share business reports with OEMs and third-party partners that include aggregated and anonymized diagnostic data information. Data-sharing decisions are made by an internal team including privacy, legal, and data management. + +### Retention + +Microsoft believes in and practices information minimization. We strive to gather only the info we need and to store it only for as long as it’s needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Microsoft Store purchase history. + +## Diagnostic data levels +This section explains the different diagnostic data levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, except for the **Security** level, which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. + +The diagnostic data is categorized into four levels: + +- **Security**. 
Information that’s required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experiences and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. + +- **Basic**. Basic device info, including: quality-related data, app compatibility, and data from the **Security** level. + +- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels. + +- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels. + +The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016. + +![breakdown of diagnostic data levels and types of administrative controls](images/priv-telemetry-levels.png) + +### Security level + +The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions. + +> [!NOTE] +> If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. + +Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data about Windows Server features or System Center gathered. + +The data gathered at this level includes: + +- **Connected User Experiences and Telemetry component settings**. 
If general diagnostic data has been gathered and is queued, it is sent to Microsoft. Along with this diagnostic data, the Connected User Experiences and Telemetry component may download a configuration settings file from Microsoft’s servers. This file is used to configure the Connected User Experiences and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop). + +- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address. + + > [!NOTE] + > You can turn off the MSRT infection report. No MSRT information is included if MSRT is not used. If Windows Update is turned off, MSRT will not be offered to users. For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). + +- **Windows Defender/Endpoint Protection**. Windows Defender and System Center Endpoint Protection requires some information to function, including: anti-malware signatures, diagnostic information, User Account Control settings, Unified Extensible Firmware Interface (UEFI) settings, and IP address. + + > [!NOTE] + > This reporting can be turned off and no information is included if a customer is using third-party antimalware software, or if Windows Defender is turned off. For more info, see [Windows Defender](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender). + + Microsoft recommends that Windows Update, Windows Defender, and MSRT remain enabled unless the enterprise uses alternative solutions such as Windows Server Update Services, System Center Configuration Manager, or a third-party antimalware solution. Windows Update, Windows Defender, and MSRT provide core Windows functionality such as driver and OS updates, including security updates. 
+ +For servers with default diagnostic data settings and no Internet connectivity, you should set the diagnostic data level to **Security**. This stops data gathering for events that would not be uploaded due to the lack of Internet connectivity. + +No user content, such as user files or communications, is gathered at the **Security** diagnostic data level, and we take steps to avoid gathering any information that directly identifies a company or user, such as name, email address, or account ID. However, in rare circumstances, MSRT information may unintentionally contain personal information. For instance, some malware may create entries in a computer’s registry that include information such as a username, causing it to be gathered. MSRT reporting is optional and can be turned off at any time. + +### Basic level + +The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a specific hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a specific driver version. The Connected User Experiences and Telemetry component does not gather diagnostic data about System Center, but it can transmit diagnostic data for other non-Windows applications if they have user consent. + +The normal upload range for the Basic diagnostic data level is between 109 KB - 159 KB per day, per device. + +The data gathered at this level includes: + +- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. 
Examples include: + + - Device attributes, such as camera resolution and display type + + - Internet Explorer version + + - Battery attributes, such as capacity and type + + - Networking attributes, such as number of network adapters, speed of network adapters, mobile operator network, and IMEI number + + - Processor and memory attributes, such as number of cores, architecture, speed, memory size, and firmware + + - Virtualization attribute, such as Second Level Address Translation (SLAT) support and guest operating system + + - Operating system attributes, such as Windows edition and virtualization state + + - Storage attributes, such as number of drives, type, and size + +- **Connected User Experiences and Telemetry component quality metrics**. Helps provide an understanding about how the Connected User Experiences and Telemetry component is functioning, including % of uploaded events, dropped events, and the last upload time. + +- **Quality-related information**. Helps Microsoft develop a basic understanding of how a device and its operating system are performing. Some examples are the device characteristics of a Connected Standby device, the number of crashes or hangs, and application state change details, such as how much processor time and memory were used, and the total uptime for an app. + +- **Compatibility data**. Helps provide an understanding about which apps are installed on a device or virtual machine and identifies potential compatibility problems. + + - **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage. + + - **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade. 
+ + - **System data**. Helps provide an understanding about whether a device meets the minimum requirements to upgrade to the next version of the operating system. System information includes the amount of memory, as well as information about the processor and BIOS. + + - **Accessory device data**. Includes a list of accessory devices, such as printers or external storage devices, that are connected to Windows PCs and whether these devices will function after upgrading to a new version of the operating system. + + - **Driver data**. Includes specific driver usage that’s meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements. + +- **Microsoft Store**. Provides information about how the Microsoft Store performs, including app downloads, installations, and updates. It also includes Microsoft Store launches, page views, suspend and resumes, and obtaining licenses. + + +### Enhanced level + +The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. + +This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. + +The normal upload range for the Enhanced diagnostic data level is between 239 KB - 348 KB per day, per device. + +The data gathered at this level includes: + +- **Operating system events**. 
Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. + +- **Operating system app events**. A set of events resulting from Microsoft applications and management tools that were downloaded from the Store or pre-installed with Windows or Windows Server, including Server Manager, Photos, Mail, and Microsoft Edge. + +- **Device-specific events**. Contains data about events that are specific to certain devices, such as Surface Hub and Microsoft HoloLens. For example, Microsoft HoloLens sends Holographic Processing Unit (HPU)-related events. + +- **Some crash dump types**. All crash dump types, except for heap dumps and full dumps. + +If the Connected User Experiences and Telemetry component detects a problem on Windows 10 that requires gathering more detailed instrumentation, the Connected User Experiences and Telemetry component at the **Enhanced** diagnostic data level will only gather data about the events associated with the specific issue. + +#### Limit Enhanced diagnostic data to the minimum required by Windows Analytics +Windows Analytics Device Health reports are powered by diagnostic data not included in the **Basic** level, such as crash reports and certain operating system events. In the past, organizations sending **Enhanced** or **Full** level diagnostic data were able to participate in Device Health. However, organizations that required detailed event and field level documentation were unable to move from **Basic** to **Enhanced**. + +In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data to the minimum required by Windows Analytics** feature. When enabled, this feature lets you send only the following subset of **Enhanced** level diagnostic data. For more info about Device Health, see the [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor) topic. 
+ +- **Operating system events.** Limited to a small set required for analytics reports and documented in the [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md) topic. + +- **Some crash dump types.** All crash dump types, except for heap and full dumps. + +**To turn on this behavior for devices** + +1. Set the diagnostic data level to **Enhanced**, using either Group Policy or MDM. + + a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Allow telemetry** setting to **2**. + + -OR- + + b. Using MDM, use the Policy CSP to set the **System/AllowTelemetry** value to **2**. + + -AND- + +2. Enable the **LimitEnhancedDiagnosticDataWindowsAnalytics** setting, using either Group Policy or MDM. + + a. Using Group Policy, set the **Computer Configuration/Administrative Templates/Windows Components/Data collection and Preview builds/Limit Enhanced diagnostic data to the minimum required by Windows Analytics** setting to **Enabled**. + + -OR- + + b. Using MDM, use the Policy CSP to set the **System/LimitEnhancedDiagnosticDataWindowsAnalytics** value to **1**. + +### Full level + +The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro. + +Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level. 
+ +If a device experiences problems that are difficult to identify or repeat using Microsoft’s internal testing, additional data becomes necessary. This data can include any user content that might have triggered the problem and is gathered from a small sample of devices that have both opted into the **Full** diagnostic data level and have exhibited the problem. + +However, before more data is gathered, Microsoft’s privacy governance team, including privacy and other subject matter experts, must approve the diagnostics request made by a Microsoft engineer. If the request is approved, Microsoft engineers can use the following capabilities to get the information: + +- Ability to run a limited, pre-approved list of Microsoft certified diagnostic tools, such as msinfo32.exe, powercfg.exe, and dxdiag.exe. + +- Ability to get registry keys. + +- All crash dump types, including heap dumps and full dumps. + +## Enterprise management + +Sharing diagnostic data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the diagnostic data level and managing specific components is the best option. + +Customers can set the diagnostic data level in both the user interface and with existing management tools. Users can change the diagnostic data level in the **Diagnostic data** setting. In the **Settings** app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic and Full. The Enhanced level will only be displayed as an option when Group Policy or Mobile Device Management (MDM) are invoked with this level. The Security level is not available. + +IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a diagnostic data level. If you’re using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security diagnostic data level is available when managing the policy. 
Setting the diagnostic data level through policy sets the upper boundary for the users’ choices. To disable user choice after setting the level with the policy, you will need to use the "Configure telemetry opt-in setting user interface" group policy. The remainder of this section describes how to use group policy to configure levels and settings interface. + + +### Manage your diagnostic data settings + +We do not recommend that you turn off diagnostic data in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center. + +> [!IMPORTANT] +> These diagnostic data levels only apply to Windows, Windows Server, and System Center components and apps that use the Connected User Experiences and Telemetry component. Non-Windows components, such as Microsoft Office or other 3rd-party apps, may communicate with their cloud services outside of these diagnostic data levels. You should work with your app vendors to understand their diagnostic data policy, and how you can to opt in or opt out. For more information on how Microsoft Office uses diagnostic data, see [Overview of Office Telemetry](http://technet.microsoft.com/library/jj863580.aspx). + +You can turn on or turn off System Center diagnostic data gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center diagnostic data is turned on. However, setting the operating system diagnostic data level to **Basic** will turn off System Center diagnostic data, even if the System Center diagnostic data switch is turned on. + +The lowest diagnostic data setting level supported through management policies is **Security**. The lowest diagnostic data setting supported through the Settings UI is **Basic**. The default diagnostic data setting for Windows Server 2016 is **Enhanced**. 
+ +### Configure the operating system diagnostic data level + +You can configure your operating system diagnostic data settings using the management tools you’re already using, such as Group Policy, MDM, or Windows Provisioning. You can also manually change your settings using Registry Editor. Setting your diagnostic data levels through a management policy sets the upper level for diagnostic data on the device. + +Use the appropriate value in the table below when you configure the management policy. + +| Level | Data gathered | Value | +| - | - | - | +| Security | Security data only. | **0** | +| Basic | Security data, and basic system and quality data. | **1** | +| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** | +| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** | + + > [!NOTE] + > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting. + +### Use Group Policy to set the diagnostic data level + +Use a Group Policy object to set your organization’s diagnostic data level. + +1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**. + +2. Double-click **Allow Telemetry**. + +3. In the **Options** box, select the level that you want to configure, and then click **OK**. + +### Use MDM to set the diagnostic data level + +Use the [Policy Configuration Service Provider (CSP)](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to apply the System/AllowTelemetry MDM policy. + +### Use Registry Editor to set the diagnostic data level + +Use Registry Editor to manually set the registry level on each device in your organization or you can write a script to edit the registry. 
If a management policy already exists, such as Group Policy or MDM, it will override this registry setting. + +1. Open Registry Editor, and go to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection**. + +2. Right-click **DataCollection**, click New, and then click **DWORD (32-bit) Value**. + +3. Type **AllowTelemetry**, and then press ENTER. + +4. Double-click **AllowTelemetry**, set the desired value from the table above, and then click **OK.** + +5. Click **File** > **Export**, and then save the file as a .reg file, such as **C:\\AllowTelemetry.reg**. You can run this file from a script on each device in your organization. + +### Configure System Center 2016 diagnostic data + +For System Center 2016 Technical Preview, you can turn off System Center diagnostic data by following these steps: + +- Turn off diagnostic data by using the System Center UI Console settings workspace. + +- For information about turning off diagnostic data for Service Management Automation and Service Provider Foundation, see [How to disable telemetry for Service Management Automation and Service Provider Foundation](https://support.microsoft.com/kb/3096505). + +### Additional diagnostic data controls + +There are a few more settings that you can turn off that may send diagnostic data information: + +- To turn off Windows Update diagnostic data, you have two choices. Either turn off Windows Update, or set your devices to be managed by an on premises update server, such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) or [System Center Configuration Manager](http://www.microsoft.com/server-cloud/products/system-center-2012-r2-configuration-manager/). + +- Turn off **Windows Defender Cloud-based Protection** and **Automatic sample submission** in **Settings** > **Update & security** > **Windows Defender**. + +- Manage the Malicious Software Removal Tool in your organization. 
For more info, see Microsoft KB article [891716](http://support.microsoft.com/kb/891716). + +- Turn off **Linguistic Data Collection** in **Settings** > **Privacy**. At diagnostic data levels **Enhanced** and **Full**, Microsoft uses Linguistic Data Collection info to improve language model features such as autocomplete, spellcheck, suggestions, input pattern recognition, and dictionary. + + > [!NOTE] + > Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information. + +## Additional resources + +FAQs + +- [Cortana, Search, and privacy](https://privacy.microsoft.com/windows-10-cortana-and-privacy) +- [Windows 10 feedback, diagnostics, and privacy](https://privacy.microsoft.com/windows-10-feedback-diagnostics-and-privacy) +- [Windows 10 camera and privacy](https://privacy.microsoft.com/windows-10-camera-and-privacy) +- [Windows 10 location service and privacy](https://privacy.microsoft.com/windows-10-location-and-privacy) +- [Microsoft Edge and privacy](https://privacy.microsoft.com/windows-10-microsoft-edge-and-privacy) +- [Windows 10 speech, inking, typing, and privacy](https://privacy.microsoft.com/windows-10-speech-inking-typing-and-privacy-faq) +- [Windows Hello and privacy](https://privacy.microsoft.com/windows-10-windows-hello-and-privacy) +- [Wi-Fi Sense](https://privacy.microsoft.com/windows-10-about-wifi-sense) +- [Windows Update Delivery Optimization](https://privacy.microsoft.com/windows-10-windows-update-delivery-optimization) + +Blogs + +- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10) + +Privacy Statement + 
+- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) + +TechNet + +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) + +Web Pages + +- [Privacy at Microsoft](http://privacy.microsoft.com) + + From 9cd7e1c4daaa3ff8b52c72526fc1cd692df5e244 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 30 Jul 2018 18:50:27 +0000 Subject: [PATCH 18/34] Added new beta rule --- .../attack-surface-reduction-exploit-guard.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 8cecfe7be5..9f78476437 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/29/2018 +ms.date: 07/30/2018 --- 
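Review bot: In the diagnostic data text added above (the patch that ends just before the PATCH 18/34 header), the sentence under "Insights into your own organization" that begins "The first of these, called" stops right after the Upgrade Readiness link and has no predicate; complete it or fold it into the previous sentence. Three smaller defects in the same added text: under "Data transmission", the sentence ending "but occasionally up to 2 MB per device per day)." closes a parenthesis that was never opened; under "Full level", "such as reliability and app responsiveness. that can show Microsoft" splits one sentence with a period where a comma is meant; and under "Manage your diagnostic data settings", "how you can to opt in or opt out" has a stray "to".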
@@ -103,6 +103,7 @@ Block credential stealing from the Windows local security authority subsystem (l Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c The rules apply to the following Office apps running on Windows 10, version 1709. See the **Applies to** section at the start of this topic for a list of supported Office version. @@ -214,12 +215,16 @@ With this rule, admins can prevent unsigned or untrusted executable files from r - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -### Rule: Block Office communication applications from creating child processes +### Rule: Block Office communication applications from creating child processes (available for beta testing) Office communication apps will not be allowed to create child processes. This includes Outlook. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. +### Rule: Block Adobe Reader from creating child processes (available for beta testing) + +This rule blocks Adobe Reader from creating child processes. + ## Review Attack surface reduction events in Windows Event Viewer You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited): From 5a3ec49f02ad5a7a66a2b90730fc508429e2bf0f Mon Sep 17 00:00:00 2001 
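Review bot: In the rule table hunk (@@ -103,6 +103,7 @@) of attack-surface-reduction-exploit-guard.md, the unchanged sentence directly after the new row still reads "The rules apply to the following Office apps running on Windows 10, version 1709", which no longer covers a table that now contains a rule targeting Adobe Reader. Reword that sentence, or state separately which Adobe Reader and Windows versions the new rule applies to.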
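Review bot: In the rule description hunk (@@ -214,12 +215,16 @@), the new "Rule: Block Adobe Reader from creating child processes" section only restates its own heading ("This rule blocks Adobe Reader from creating child processes."). The Office communication rule just above it explains why the behavior is blocked ("This is a typical malware behavior, especially for macro-based attacks"); add the equivalent sentence here so admins know what the rule protects against and what to look for when the rule is triggered or audited.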
From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 30 Jul 2018 18:51:23 +0000 Subject: [PATCH 19/34] Added new beta rule --- .../enable-attack-surface-reduction.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index de3f852b51..59f434e325 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/29/2018 +ms.date: 07/30/2018 --- @@ -65,6 +65,7 @@ Block credential stealing from the Windows local security authority subsystem (l Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 Block Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From 5e87bf8ce38465ddb45e5641c44fcec725b54c1a Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 30 Jul 2018 18:54:38 +0000 Subject: [PATCH 20/34] Added new beta rule --- .../customize-attack-surface-reduction.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 0732ac1826..d3fdfd801d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/29/2018 +ms.date: 07/30/2018 --- # Customize Attack surface reduction @@ -76,7 +76,8 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark no](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. 
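Review bot: In attack-surface-reduction-exploit-guard.md, hunk @@ -214,12 +215,16, the body of the new section "### Rule: Block Adobe Reader from creating child processes (available for beta testing)" only restates its heading: "This rule blocks Adobe Reader from creating child processes." The Office communication rule directly above it says why the behavior is blocked ("This is a typical malware behavior, especially for macro-based attacks ..."). The Adobe Reader rule needs the same kind of rationale, plus a sentence on what "available for beta testing" means for an admin deciding whether to turn it on. The same hunk also renames the Office communication heading, which changes the anchor generated from it, so check for inbound links to the old heading text.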
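Review bot: In enable-attack-surface-reduction.md, hunk @@ -65,6 +65,7, the added row repeats by hand the rule name and GUID 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c that this series also adds to the tables in attack-surface-reduction-exploit-guard.md and customize-attack-surface-reduction.md. Three separately maintained copies of a value that readers copy out of the page can drift apart on the next edit. Consider moving the rule-to-GUID rows into a shared include so each rule is listed once. At minimum, verify that the three copies of the GUID are character-for-character identical before merging.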
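Review bot: In customize-attack-surface-reduction.md, hunk @@ -76,7 +76,8, the Office communication row changes from "[!include[Check mark no](images/svg/check-yes.svg)]" to "[!include[Check mark yes](images/svg/check-yes.svg)]", but the commit message says only "Added new beta rule". The old line paired a "no" label with the check-yes.svg image, so one of the two was wrong. Please confirm that "yes" is the intended value for this rule, rather than the image path being the mistake, and mention the correction in the commit message. The new Adobe Reader row uses the same "yes" value and should get the same confirmation.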
From 8c6e51d147a879dd470de0de41b182f06c916e17 Mon Sep 17 00:00:00 2001 
From: Jeanie Decker Date: Mon, 30 Jul 2018 19:26:24 +0000 Subject: [PATCH 21/34] Merged PR 10196: revised TOC --- .openpublishing.redirection.json | 20 +- windows/configuration/TOC.md | 21 +- ...change-history-for-configure-windows-10.md | 8 +- .../guidelines-for-assigned-access-app.md | 6 +- .../configuration/images/kiosk-desktop.PNG | Bin 0 -> 21252 bytes .../images/kiosk-fullscreen-sm.png | Bin 0 -> 18044 bytes .../configuration/images/kiosk-fullscreen.PNG | Bin 0 -> 28905 bytes windows/configuration/images/kiosk-intune.PNG | Bin 0 -> 30283 bytes .../configuration/images/kiosk-settings.PNG | Bin 0 -> 25047 bytes windows/configuration/images/kiosk-wizard.png | Bin 0 -> 6624 bytes windows/configuration/images/kiosk.png | Bin 0 -> 4352 bytes windows/configuration/images/office-logo.png | Bin 0 -> 2566 bytes .../images/set-assignedaccess.png | Bin 0 -> 7012 bytes windows/configuration/images/user.PNG | Bin 0 -> 2312 bytes windows/configuration/images/windows.png | Bin 0 -> 631 bytes windows/configuration/index.md | 3 +- .../kiosk-additional-reference.md | 37 ++ windows/configuration/kiosk-mdm-bridge.md | 86 ++++ windows/configuration/kiosk-methods.md | 77 +++ windows/configuration/kiosk-policies.md | 82 +++ windows/configuration/kiosk-prepare.md | 81 +++ windows/configuration/kiosk-shared-pc.md | 26 - windows/configuration/kiosk-shelllauncher.md | 201 ++++++++ windows/configuration/kiosk-single-app.md | 244 +++++++++ windows/configuration/kiosk-validate.md | 94 ++++ windows/configuration/kiosk-xml.md | 2 +- .../lock-down-windows-10-applocker.md | 4 +- .../lock-down-windows-10-to-specific-apps.md | 167 +----- .../lockdown-features-windows-10.md | 4 +- .../multi-app-kiosk-troubleshoot.md | 4 +- .../provision-pcs-for-initial-deployment.md | 2 +- .../provision-pcs-with-apps.md | 6 +- .../provisioning-create-package.md | 2 +- .../provisioning-packages.md | 2 +- .../configuration/setup-digital-signage.md | 87 ++++ .../setup-kiosk-digital-signage.md | 487 
------------------ windows/configuration/wcd/wcd-accounts.md | 2 +- .../wcd/wcd-provisioningcommands.md | 2 +- windows/configuration/wcd/wcd-smisettings.md | 2 +- 39 files changed, 1059 insertions(+), 700 deletions(-) create mode 100644 windows/configuration/images/kiosk-desktop.PNG create mode 100644 windows/configuration/images/kiosk-fullscreen-sm.png create mode 100644 windows/configuration/images/kiosk-fullscreen.PNG create mode 100644 windows/configuration/images/kiosk-intune.PNG create mode 100644 windows/configuration/images/kiosk-settings.PNG create mode 100644 windows/configuration/images/kiosk-wizard.png create mode 100644 windows/configuration/images/kiosk.png create mode 100644 windows/configuration/images/office-logo.png create mode 100644 windows/configuration/images/set-assignedaccess.png create mode 100644 windows/configuration/images/user.PNG create mode 100644 windows/configuration/images/windows.png create mode 100644 windows/configuration/kiosk-additional-reference.md create mode 100644 windows/configuration/kiosk-mdm-bridge.md create mode 100644 windows/configuration/kiosk-methods.md create mode 100644 windows/configuration/kiosk-policies.md create mode 100644 windows/configuration/kiosk-prepare.md delete mode 100644 windows/configuration/kiosk-shared-pc.md create mode 100644 windows/configuration/kiosk-shelllauncher.md create mode 100644 windows/configuration/kiosk-single-app.md create mode 100644 windows/configuration/kiosk-validate.md create mode 100644 windows/configuration/setup-digital-signage.md delete mode 100644 windows/configuration/setup-kiosk-digital-signage.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index f3234c0e64..cae7712f27 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -6566,6 +6566,21 @@ "redirect_document_id": true }, { +"source_path": "windows/configuration/kiosk-shared-pc.md", +"redirect_url": "/windows/configuration/kiosk-methods", +"redirect_document_id": true +}, +{ +"source_path": "windows/configuration/setup-kiosk-digital-signage.md", +"redirect_url": "/windows/configuration/kiosk-single-app", +"redirect_document_id": true +}, +{ +"source_path": "windows/configuration/multi-app-kiosk-xml.md", +"redirect_url": "/windows/configuration/kiosk-xml", +"redirect_document_id": true +}, +{ "source_path": "windows/configure/lock-down-windows-10-to-specific-apps.md", "redirect_url": "/windows/configuration/lock-down-windows-10-to-specific-apps", "redirect_document_id": true @@ -6686,11 +6701,6 @@ "redirect_document_id": true }, { -"source_path": "windows/configuration/multi-app-kiosk-xml.md", -"redirect_url": "windows/configuration/kiosk-xml.md", -"redirect_document_id": true -}, -{ "source_path": "windows/configure/provisioning-uninstall-package.md", "redirect_url": "/windows/configuration/provisioning-packages/provisioning-uninstall-package", "redirect_document_id": true diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index 6480fcac26..dad54fdffa 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md 
@@ -1,13 +1,20 @@ # [Configure Windows 10](index.md) ## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) -## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) -### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) -### [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) -### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) -### [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) +## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) +## [Configure kiosks and digital signs on Windows desktop editions](kiosk-methods.md) +### [Prepare a device for kiosk configuration](kiosk-prepare.md) +### [Set up digital signs on Windows 10](setup-digital-signage.md) +### [Set up a single-app kiosk](kiosk-single-app.md) +### [Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md) +### [More kiosk methods and reference information](kiosk-additional-reference.md) +#### [Validate your kiosk configuration](kiosk-validate.md) +#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) +#### [Policies enforced on kiosk devices](kiosk-policies.md) +#### [Assigned access XML reference](kiosk-xml.md) +#### [Use AppLocker to create a Windows 10 kiosk](lock-down-windows-10-applocker.md) +#### [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) +#### [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) #### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) -#### [Use AppLocker to create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-applocker.md) -### [Assigned Access configuration (kiosk) XML reference](kiosk-xml.md) ## [Configure Windows 10 Mobile 
devices](mobile-devices/configure-mobile.md) ### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) ### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 8fac2d4142..2407ef393e 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -10,14 +10,18 @@ ms.localizationpriority: medium author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 06/27/2018 +ms.date: 07/30/2018 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## July 2018 +New or changed topic | Description +--- | --- +[Configure kiosks and child topics](kiosk-methods.md) | Reorganized the information for configuring kiosks into new topics, and moved [Set up shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md). ## June 2018 
@@ -70,7 +74,7 @@ New or changed topic | Description New or changed topic | Description --- | --- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) and [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) | Added events and fields that were added in the March update. -Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) and reorganized the information to make the choices clearer. +Set up a kiosk on Windows 10 Pro, Enterprise, or Education | Renamed it **Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education** and reorganized the information to make the choices clearer. ## February 2018 diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 844295ad38..cde506630f 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -1,6 +1,6 @@ --- title: Guidelines for choosing an app for assigned access (Windows 10) -description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app. +description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 ms.mktglfcycl: manage @@ -9,7 +9,7 @@ author: jdeckerms ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 05/31/2018 +ms.date: 07/30/2018 --- # Guidelines for choosing an app for assigned access (kiosk mode) 
@@ -55,7 +55,7 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr >[!NOTE] >If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE). -#### Kiosk Browser settings +### Kiosk Browser settings Kiosk Browser settings | Use this setting to --- | --- 
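Review bot: In .openpublishing.redirection.json, hunk @@ -6566,6 +6566,21, the old landing page kiosk-shared-pc.md is redirected to "/windows/configuration/kiosk-methods", while the TOC.md hunk in this same patch moves "Set up a shared or guest PC with Windows 10" out from under the kiosk node to the top level. Readers who followed the old "Configure kiosk and shared devices" link for shared-PC guidance will now land on a kiosk-only page, so confirm that kiosk-methods.md links to set-up-shared-or-guest-pc.md. Separately, the multi-app-kiosk-xml.md entry is moved rather than just reordered: hunk @@ -6686,11 +6701,6 removes it with redirect_url "windows/configuration/kiosk-xml.md" and this hunk re-adds it as "/windows/configuration/kiosk-xml". That is a fix to the redirect target and deserves a line in the commit message, which currently reads only "revised TOC".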
diff --git a/windows/configuration/images/kiosk-desktop.PNG b/windows/configuration/images/kiosk-desktop.PNG new file mode 100644 index 0000000000000000000000000000000000000000..cf74c646c70832fe28623bff4554930a57c24c71 GIT binary patch literal 21252
diff --git a/windows/configuration/images/kiosk-fullscreen-sm.png b/windows/configuration/images/kiosk-fullscreen-sm.png new file mode 100644 index 0000000000000000000000000000000000000000..b096d6837d53c03aedd8ece40222b984fa112ba0 GIT binary patch literal 18044
z1uc?PpU`L)F3VPyXH#KHN4gdd)aa}w@OyhUsBzY9AK^%0DVZ2#o;5FIlgVCSMNa{T zDPhoui4Pdc_&E(BNJq|1wilms4&umuF7l&7v0&XE-fkE`P(OHYEc>%Sq@z?GaX)Ei zo)^e25FW3GX6L+VMuLdXYvKfc#>4mWhf0XbB!6jHpX2a-Zr;y9=ltYLeoE;jf4M9o z9-Z^-pUKMCT7OfCACe)z&LFV>mq#3^OhO)92OrtGR1cCl7lXsOJX|)u;M(%FkUzy2 zvJiFi%f(+$xgH!(syl_#xg5^vN^wz^<=BG!^?*<;W$hA9WXwZ8&}#@CY`HDlL_H8bFwz%bNMKrOB?PvJt-CTmBaaQ zHHQbrm-FCnSn#?fYj9bMOQoPR={}XvCIt2;$M=ZgF(5rDZz){zmx!yTnRkOfxsC?s zA=i&rhPa$uHZBM6&BFp+1Dg2@W!q)22-gV_?gbcHulv@iVW>8Gd zyp;lwFvL4`0j5PqBTy)O9?CTjZ;nu5fqu=y+Jc{QPiG^rj%OmoxA+J~wu8wWX$gLf z+)A${BAX-h(22EOzh4)+(7}+qU?gv@Z>2*Lk=wvbiel8UX~Fhu7n8ftN$`_5D$KuH z(E^wK8o6b*vz;AIy+T7oZvJuXE_9*8;MbWE23DZt>RL=He8fyHZE{M3z(r&9wnMD~6roAhewft3FN zOfZBFVfYhMDBOtP-;E%T(_6hR{2cJBkK*-5KN>YKH#7h7z)NJQthF|I{&0Fo&1IA5 z856FB#!u={kYa`^Cs%;FFh9>T@sIa)(fG_oAP@MQ+g6a6oPP@c>GmQl`1>-9z4LA4 zSU6JSR!c$j(*hsDG#c@}KQ3=5P-rW&Qo2{GbR#mt|7p)IE}yaB@w8z~B~tKP<&2za z;M#wEjc>nQjyi=Iv$9gr&qM*5DaMmG&fz;~FqSt8aSHrLcAZIP zh4{jiN*^Y6&4ohCHZnt)7CxHnQ3c3w>f-U42#I(Sk?Baow40RiWe>cGuXh*W&4;eQ zA10;aYvM`rAqe(d7C8Ay;}^v-FXrPrIj@4 zrSLByiRpQ%gT|_?f zAlgh2kqAlu9)4#9p8R4DR^By1{PF+~*FN#>J>c>g!!Rb*h-+V3gIUk6#BGbVBBxBc zk0*q@XPY&8r}BU@RH+o=p$OZ{p`he4N#zQ{WG*#TG$z6z-mE>{V0*2(3x>AD`CkCn zU6>QphII-J?s$C}N~&wH^6?AMFC|jM;c%g4DNYzv_~ZGL@Wp)#@Z`nAG05!1olpN8 z3;*>!svCxN>E(gWlqG>@OiLGo_hM)vrmCo6P%x;P;dQnK-6*Cg2dy2|zE2MPDQxCC~)6EFVZ0_cTilLupx3Cl>j0Dm;cKoh~CX(n7V zXB^&o_705h-yOfb|83-!+c>I}W~V_~{*B}pciFJ_uPrwR`L@!yMC2&a$XxW!tUw_7 zc*4=pC{$b)w%6M@84=;K6Ekf$#o>3+q^DGJJQj**xL-MBnaTLiR~u31wBq^S&z8Qp zNzE?HmcgycpQ94jBtL#A!tWmPJ9m*Z>AQ7GPt0974fp>2zwmG;@XNJRWXWwu2Qz=* zhKNj;K@ptZGWaH{Oq|Ie-gxdT3b24=0fwWg?t6HVYe8ED`=Z@#_r8Eo0L0WKVj46Aa>)Pthkrm=Mh&idyf% zg=5n&vTq9bwQlKqz#Rh?XrO=@Ymb!TgB9DMgAD`X4H!Kz4GC$nm@yy)LwdxcPf83j zlA@837=_GkF&Io?BYP)dRAv(TrpLfjZ-duq!6$3>pw6p8OspAtvEe{6Hv$_|&hys* z?yzM}VAkJOVQ--of1WcKYW{i?k-MSJ{-aD<21|fV3lS!HiC`sM&`0WU^V1(f*=+#E z_cW1(K_ewAhz>#{AAC4;q5_|<-V3EUT9}sPDMf1fV>m5z_sOkX?_-lgDuvEV-yK}K`PZ1pDRd{#(0WuT9 zsNVi>aWt4~EbqoS1`~uyp(L|}vw!mrZj!(bdfO-eXo>x0M2%>`p 
zKxkxsL&;y}=4ge;lo%PSyMc^+5PM%kz2R0(Jtf{ z6oS7Oo6ZF5(7uN*~!z{1tWS5h|1S zRN?ZOi~K5RQkWRc+q!__DjU98vl&;+p9~evhWR6izb3F9sUVH|*7pZdX{kqfr3D{s zJAtD+^8o&dIU3Q_{OMSd3xAGR?)EMcu7l($j5A9eV5{f%+;H*4B#a%@7ZpV(@S8c~ z(I<-JrBsV{>kJ|vI$nXkw=AO0WTwgm*vJjvero}OFkuSlS*;5?bR3w(MKxA<>q>A= zMvP?8yQR+c&Z-?aKo#L4aG6+evQrXy`Fm_u7YkG(K10?P^q*T57JeA;{@19rS~*bs z?3TtHivxvK;#0Tp59ZllE z7Kt(F$z-I?6QY?~)X3s4`k(#JE6^{Vx6w%?YHtX^lPU21(Q>G(D{;=?o}#x)tR?Mf z^C3c`fKlW3XolmZmH2d9A#OSEEDGg~ElhHMAc0T$TgWHNYmpikA-y)^w&OsR2Zs+H z#@umPVv^Wsj-1($?64xg;VO&{h^{oL5NZY^TX;fRlmLQ+P5Qp(}NY$J(r!$M1r z$;rDbIDSP%1qyPHpsunCWnLN$Z7$sT+j026ONWY&6n5ka7DLp7^C0J_cffqjn`E=I zQvFdHnQQ2SDNF?;*-(7lQCdq*S3|<9sj#2Nwd!_OzU5iMd^#0v+5arv=oy=_zq=*HvJ6 z&v+<}ktp%#knNHD6=FFl&rL4leuj6JIlM)ZiGbDBSd8K5wPk<&oI#xpaAA4`)S zNhW17K9lDu%%;wU3Snxl4dv}8cOY6YEl3biCOzV5IN?w7vrVk#r6eY|ARuXL zN{ioYsHvyfH`x>AHU|pJ9XL>2hl-LKI2|tBFtNA@3y0V|Gs!)!9elA zM@pxox@_lxi7d?{fX}z)8mkM{WV3laEKYJ3*52Hj&cNTQCQ4v&K=F%@o=23rnSAU`*c zY`;pf`+Ue8l7U0dUO=V_ucLNM9XlILWND5@QIILjT?*=%hq97RzFP6P~n-y zTL43pAhM5$ygY|x&jbmO0i~l-tKg~g;{UEX3wO?wem|u%CVFxy#Df{)LdG9HLS9K7 zbv_DhJCW(y<;1iBu~_!VLKK!sf## z;ZTw-sOC<=Pll+{PAA!j^?2}xi%?;)&G`=rg}5`2g7JBL$cR#6>62HZw^@>L zM-!RBC1LPWT~?wK9$SvJWEvriHxM-?vaG#>fD6g5nE2lf>EJ^1b9Y2mPJ4S~n71>4g6{LBKfQsXQ#Y)0e!>vuiiak~gz46~z`9n6PqQb-Pt;D&v zJdZWIt#CNW4sns)2OCUbF7zQYW#;HieDT;NxcQuJnA#@}`3G}E{vM&hxSAbX&(1=F zMi%w)VN4$r%Brg2)ac-@t3fU42!o#AjQ2yXH?xQC6;7Pe(d9wEC^s_1k70GvY6XEy z6xbRjeoKVw<-ZO@%ac8)3xA&77tdThiL`siKK z4cSGtI8kjwSxr4EYMiKadc+eeer95|+M(2j;qG&L;;l^uaFQv~&8R|bgb|5mE!oIM z^oiFYEm3;Chc$PN#e;u*vKlvDIvojWvj2Z2wy_ME$Wq7jBIiUICO!B$PTEMDDahtz zE~=F9+Fh77f=mlr8I~Tj(x}ypq)b|3{d1T1#;uo371v@?EEB(j!KLAS)y%!C-q?Y+ zzuo|aA)FK$jSO6d7EKE-JoBC=2~S))4EJ6*iipV5#%wE^ zms_6fN$}#8m3#5G&-UPOv6HkcwKs2pFUM z$;)4?9gmgPqWHuK>^@qCs+u~OXtEcVkcg;A6U^pFgokUuA2R2na&1NRxjpFIMZ;#D z#fjRQT2xe&p_oWpXRSq?DIA$8@kmdKMG_r#d@~7%@A*-U!?N+m4^)3A@t`EfHIzRU?gqcnAKvW6WTKX97mK(+(RZSA1NO1w`tBXuAAJ(FKs-ITb}t4J|eR3#}HZLaAE0# 
z(=lamI;SWK&{2&g3e4#SO`FTsKtXcyd0WslzStE;f}!kwd_8#8M3AKMzCd|&#!NmK zq%tru{2r%(TP{>!aCx%g3T8@%mi~`zmk^-31lr(@ME2pmJtuJGgCD>f5i2@?sBo)9 zR%xKOJF)tyxfsB}TzPW|t63CpIKeiuwC7Q52yA+GQUWbhC$#BywIl`#H@6Q{G z+@eY>`aT;*!HiJ@u=&6-ytOWuCd=WdsI%b837HtyI|X;V_&I!9GtA*( zsIGV8{9)bEt49hRdFvaJQ#8~Xjga|*iG!eX)#IyOB{Wznkbj~WDM^Vi_-q(Iau9qD z8@}Fp1iFYwIBQCA$*i+6JSCdy()IIukz^w3D5RlCZnXA>-1A=CRE)d-wHUq9Q^ZT9g_U*a(=7(Ct~rKzPk)7@ zwO%Y37$t_sm3h^;>xZO<>pMbk#&+KHJM*)tmblA~~>R*k#gSc%X6G!B!` zO2wXP9iDjQbKHCR6pTtUAw3}+PrkDPcV0Rb3$o&onH-B=_k4%xeIs$#?14CMNOz=A zhha;AG;8jjxu3fRwgc+ zGK7SmF0{7R6oozm(-G6BA6ya1NOG5mynLj+mF5JfW741@7n_toGh`at)GDYWNb|?^ zfHEc>amh(wx<+fAL~JK2^r;v>VF-FqV^AtmT7Kc5PN=Eex(E}D20dcT2E@fh;=;+p z;We1BC;K2w6vi6#qZM26(ef?Wu=9W@{h~YO;gN|^c>0|sxairX_+V#=nA~lC{Q-;# zFTqo6Eaql-7=mY2T4J72BE zQ+HpD2%QqqG0_M&N5c>v0ey57B4eV&&-osIegS%!+<4^8CAjK^mH4#4M!CwCfy{_T z=rt;_(~;DL-=`75iOftV!(D3(gHFrZSn}@3p;M-Tn@kBkTu4<_BMw!F_ErghFAW|Z zOARiaJrRGJI~?>c>aMPuMD z%Em1ZzmEG}{D@Ow!HDqFrHy5{N#WGlT{v0~gXiA z@Sj(qA~~};Hh5HDOqnqmlV{DOG!sblJkfOG&g#08C+Y?N|97Mr2BxO^a=LrP#G~1J3Ck2dAY9HB}X)`699La0LnqkKwXO zgOHVKM6b~!@zCEELuo6)^$R8no0rS|;+GpRvR^lh=owF`DzM}5apdJ3zzerug7Ihd zB3s#xzyEg`u9`j^uYLAClEZ!IWpKhmorD`Yfwb=jOUOUggcMZ`Y~=5@*CQ%E5pRF+ zDO9!^n8*~_b<&EocrzwYn%oUfD~Uzb$+RJJz~)jQH|H=89?3(w#f`HD^~HVX4;34* z6j~#!HB~s8laFk_>)SmMyAK`3cU$*i@17i(jgk1vH8Y4XdaT~G2dlPcW8dC9^d>Xp z_RFWksMo=blP!I`s2o`XX+))AmiKn~ zh`?h8q$5)6qxM!}@!Ea(VaFcq&n`d~#s9;?35W_4(iHy!p&)+LI-K}m?IBb;SpPOP zErL(>7^Kxk^i9E%`{yBEOC{%}ln&C!atC2&BU9i=sSO3yc2N}voYM(f4XADR`Qu*yM=p%rA~erln~V_m%+Ns;`ZMCeUyJ#NRaWGzmR zd2+0x9yPq<$mgMlMiC5rgc!a-l`^G?_W4R}^CShYaaH zFEvUBh^5UCN`MOxv=DN;a^p+&Zyi#-PmN3dLe9aK?i$mU&Unc!*u08Yznarj1~1={ zN(#a=e)Ff8CiXKQ`4T&eC~ZZns}@`g3ba@-c|>n~a?g2)RMJgkPj)nsIdAzWIr*Fg z!bb_jb-#$XE~JU*$WE-0G8zutIs6xN-k1;7mAxCPBFA9?Fb2>0aLR$QU~okLee5UJ zt0_00JMd8qg$;>yIs%EpPhk0)!7CX`8cDg#A`boYQpc0S86uo6*`JR*D)N?EY5kW> zCURVL_LrCAgg=K1S+EGCml>p`&Bl>iY`>HzZ(KgQk2@SoQM4O{OAkRPeae&5m!gUo z!e0j8Rc5WnyvM)Brejv};c`(NKar)91wtf55j<|hg)2exDd~m|gs2n?h6utHW7)Ay 
z#n(IpiK@~ct|V89n}+X^?-QjH!sUb1Xd){8mD2P3`JG6gMI-W&@{(OccoTn0so|Oz z?6#{B(i%I(C&%}*pA=8> z7xiW067l4Fq35l5Uk&78nR2E>vsdOd_RX&%G;$CucxSXDR-rz^^<*-1< z2CV89dz%g;dT{D;vtm!jlo~I`G&YkkV?u^nNbnIyZMR zLWQ-}Uq*BP=1xYFYdKuHY6uH-!X*2tfx5Tl{wEhDt5CDS5S=N}sAzSHs4 zs(D3Qa$Wd!L(;tpGA*P%$;}a($V85C@nIG@5xzgTHvFZ!F8oTs?dexmTAfA^vU%$U zC9>dvN{fUDiO8HpFfI5?cfrX0zu@T4DSl^?3ku;a{R{}d7|@)_A&5+|XeMjoU(ykG zkYm3<=l3VNG;^WA@%^15n4>?z$oTV|Qp}V)&2fG|$ptI>Pj~WnkIz&m2u+-5a7+*Z zAB?d11b( z;}1fKk3zNLqbCX~$SX{{|TM2J;ZH?EGJGCjBIBJO>>v$hM zFS<55>6$|$jcgc7zv%f*R?3hl>JN~h z@VTMa^Cz}AV;TGaSt^uXd_rI9apGwd!=I;t>>nwlDL9@=!`mgf6ivgG3YA#LJoPS4 zQb~Do9!*2JhpUy+hh6+W{-abM-ry~jE%09HTumLkd7WiwRMHmGz)-%MulYXdtSLAx z-t6PQXawEJ<&*Af29lSG%CF=dR?Wboy!gRaV0tPloJJ@oQ7gYwK|^s5TMSsX=LEd` zc?TAZOk_pulRm}#WO%JkN-Lls6iMk9eqiw$5UQp96*vVU6AD1cG($t=^`md28>oJg zpn}}Y0%F%3R6c1k(lks;C3u*Okdqij$S^KvQ!+My?`bv75P}JLAE)U*Jq0aL3f5&|wLRR>H9nIt0NY8IbGOuxTjjQJ-Q#3VduM2S(^ZaCCL<(~m%o%A1Dx z19f`-C`VTVwGAx9E_Zre5GcDRCtxJMT*@CU>>_g)&QK_(PJ7q)_jg8N@EzZinx+|G zsL4eay6{Vcj!cV>PeNfdJnkEqm543-PXheDe2df1E_C4+2417AbmIR3CQ84hn#Mcb P00000NkvXXu0mjf%RH*y literal 0 HcmV?d00001 
diff --git a/windows/configuration/images/kiosk-fullscreen.PNG b/windows/configuration/images/kiosk-fullscreen.PNG new file mode 100644 index 0000000000000000000000000000000000000000..37ccd4f8a4cd8c26a89a959aba3058817ddab630 GIT binary patch literal 28905
zXRnFXT{>B~*haKP;Ldli+v`(j*tp>a$?^eT8H;=uZ}n#pmU*4V)x_Y2vO9(b@QJaB2xa$4jkR;KGB75nXt;yEl?6XAI0b(+o&acRW%fCt20x zpaXPuIP+dp&^Q%Yj1?7MQU1a55~*?VORzizuEkgx%Ec)e?%h?|l-=o>8RE&d2>AT( zPYV|D72WN;#(@@m+Q2;+5yXRF39Tws;THl^Lms{1qZLQ)N5G%Vp01BWR>RKz;@zRS zoI;Cd?cfGx#m5wPHa^v>sbr{nV@F?hmImEr$1%TI*&+93j|{#(o*7D#Tc~iApjgxR z!+ZPX<=3(uBD(HE{`V#16uCbJbjUx&@p#Zm@;{|e^!=#Vef>KdkKtcxNIOr)J9*K_ z?7mnUnE!xacEvZoAY3A?%7I3q4sl~xvMQv%EosuaNbDlu>0J0Y0`G;rTXqA5IX<+kcRI-?oyx8Tj1>!R zr^xE!^(dKJ@394elASz^D3HMW9P#=Ph@s;?i(r5|qYmi){X2=>lf_HG6w2j}4iFjX za^D1H`7>6|=1dbh6xFrrE~vX7BdKAc-=1NOC`jO;TewP@e0)Bp2T; zgFB9qI6m!qy*Op6hOCpg&^paeGiESJ?fJMQm_@rg-WyyXW39>3_{lbmPS_mGfa<#~ zp&2jf(}txBRrQ&Sv)px_P@4~{;}MUI0WwGGuB!Q*A)3djAI*brLfTNPg+&B2w%Zab zGEcjB7XI`7WEBUyvlY%ahawaqF+`CXtYo~(6odz;8bjs{iDzy{^WoUE&?!!YZcOx5 zXcmq7gZLcv z%*6YR>&YsortUZgf|+p@&|_SBKtjjZtiZR-J2Qd(%%g;!%}Wu~G6weyMl;Y;(RlY- z`_IfvWAoBu3U&>P=W?H&r;>Ccb^rE^Jx>NR{0zIx&%*LfadJw#JKD!n?{9~5k*Jfn z55f@@1wmZU3a&usB0CB)EK$nvws5^##m3Cui4%Nw*4v=cOmdikcB()HI(FDY$=P(iSZj}DjjD9WO6lFM#VtKc>8D%0NYVbBhdL+dUOYb z6bDMl{Gl0>a1mY}JyPOwRsilkke|TowYyXOdPQMQV8**ynN%rhYaBWHKq}OeB7Pn9 zyFvFscM_aG3$!(L__HukWjaWZJaQ+<{@7I>=6GZ$lN9~fpwmjgab2d-in#pQxJV%u zQnb4J99H20@b?0eJ{IIrQHMO4kGS&-bx6TXL0&v4p}*f^MC4wv@yn3VQD7kq7Gyy% zqy6JAScC$7NVA9v#?;3IQe>zCNH+*3w2@&~v}H*W>%rutVTfX2!rrxa@SMV)DzUvf zFf-^FBB25ds{whix$Gl_f5(Q`NK$3e(0uGos3COXQ=UpV;&Gd&zS=tstHYtotjSgl zIE5|ypQzeVU=&V0lr8%38s&?9JcXg~WTe9c>JbI2#vv%BUy2OiKh|-WgIm6^GK;Wk z4*t>qbE!rUwlg#e;Yv?Z(KsX?Iugf7)?qMwvQ$bw>k%xz6kf%Ww*jaKb;TXba<71Z<)_abBbNr zOz%E{n~E~kyiIpBf-PE`aLl%ld7xk~AJz}OFB=_IyH7I}sx6eJel^aHA(dH94Nv_3 z+?2)Q(~_eZAbUKp@U-8zO`8bcgzsX3sD$RfB{9n&_@{j{C|OQQ_@_E(P(V2JoC>l` zzWU@*VYYVXC6&fr#*ycPR=$oc7;xXL zj2UI(Qi;&y3ShwzBJJT%xS>mg-{hd8EH4xV+Oju!L#E1gppBs_P=57`h=t<>@wN&s zKHnir21ZXsQwH^3Qu=}VpUfq-lkMdu3p*Vw9n&$POZC8Mo+rNDeMzT0 z0AeB(94ZWESMNwA=HwkrKExQAARMqnk5gFqDnayuYo;5xiO!50`RyBcjlU`}D0NT_?|;0$MJTNnu+t zC7pd~x7QAfjX@3rDSVPX8#~1Le45PTm}{<`jO1W}jWy}BTU~MA@U!RT%H8aLMpK0l 
zA`)gvzhQwx`yzf9IvMwtH3~iMu=;hbPxA8?scBge>_1hJ{p>OU$tBVpe46a?FNwaw^{PA<7!cl*G%Sx529b9cBr_)gQJT$D zt^km48q{h`!64v(hwdFxNl`6NI4OwCk~w1E1t(2EN*Y+vrk&g=f4N=%Q2a_l67sms zY$7rsTCPutZemD@dG3xi4%_+yI5YOjQTU3tvOxp@f(?4Z$Tco>8DPu2w?V;0$`^_~ z4!HCyEQfWfC6u4Vagzz2b%>EW&X;+n{W+Jbia%&D26t*`*)M)mK064QA^bSEkq z*p|_-Rz6&e&7OCS+gP4v36oi|k|!OS}_Xq_Se5EWn}GE#Fro#VMiKI`v1V zc_A!Be;N|M%4Xv;Tj`_xQ8J|LY!we)l+VgMZ%B zW?))8zc;`dKAWlcOO+lZ8+uE!C7nEN5!#y;efoIYEp_4O@@R=OZE=Ip#HQoO-LJmi z@zPpLpx!=(tRw}>Me~7f81N4jeQzzT{tJ+7a&Gofw}CO53JU4g>+QE^AMa{^-RziZ zTKmjF%j$qPp+uUBx?r|xN2g;7TK13Jx{G4V329R2Oj4hknAoYPY>`lc=v(@?jMH`d{sLCPT6Vwn zo@iNJ+h{UD=>7R^$Gq)d{5mRw)mMS4*Bl{cCb>Qp(jyhsq8+7THB3p5nktiQlI|pU zN)w?~*r*M|FE;((%d=#@z_9g4cCv}c%8*TD-I*MW^VT|yi9W0BJlx{1Ct|v+Z%h21 zGpmB7VD{l^5f;eXG{x?s<@ZaU_{hcJy#po3&+382!s!)9WHTx~12MU#-5ULr=>49Sy67mTl9U59pa=3g|ZnK8R;@QwN z3ntAvo%G;;Cgm&3(m%6n-XZF&HkES=0)T^i_PuV@Ar8kpq7)8Ag4C3{sze4{H49{s zeKuM=U;xYc=*pk|B7Q$1t8k$NM$;M{Q$p(Y9NLjvOp;}#u6v$-cpUS2N;!E+$`wzm z==4d=hqUONkS0=i(Uqc?Sa%53>{3S)n;q@vww8lZrg-;TIZ*ei)Z6_TUCN^kwM(-GNu*^{ z+U?4W%Ap9t28EO9Vzd7G{^*(xTAEm)m4Pld03)@>8Gudl{f+UIwUe?vA8Qm#Y!gc)P6V+8@b`O6I2!p!Q)cvhoDGM)@Xlb$uE+1P=~1 zDV5E7bMMd@%(xqMNH-&7ADdHjO~J~B>TPMZkUG>e_3MZW{9)@dX_2(XUpqpirO}X^ zWOr_(R_j5HNuJ`X$Zzis#*R1dDOq{3o7onHk`wrUbh^=~4~`I&jK+?p7bt z0@OKb;_LxKS_C)#4rY+3x{9Ew{JSY<8))PZLRJJ(m~drBZh*f zFJktYYKx-=R^H7~*n1W#E2gkiY1mOXoI%7^HAb5^Yn?eR+J_2LMa-_Re%q!*<1M%H z0`pRe5rpy^RUnH5&k>%EHnF~2)6r((F?r9XZFThY04)eah+j0bR}RDD$B(HLAf;$h zV^0YFfWIZg?~eK{Irajc7Z#N=p`)Wip-{~9QOZ7^>k#aqca$?qu&H320~w87ci6RT zbjex3-v6O8$vToMeRZLHo6*QqMdS!p9(9E02{U+QfiZyKGnc!V`)d6UlT*K*@d{&> z>x)vIyVt_l+D6|Bdh(^Fl@`wodUOorxrw6Mi3azcgg`?@#~!xGy39Zk(%Hv{aQ)cf9z@3Swy3nKmcO zQ$kKsg=U~f_0EMKRXpI*N4@Os>sY);7^CRB$>^mV@POF({1}XXj)}%owbL0v%O>z> zY;@ki3>q`8w1;H)DDCjH|Dl&M`DlOC#pxcm7mcXTtbMi8; zrt^8G#Ak{qxuZ3n`W&}N1YaDbGU#8=7i*`aZavt-!VdpAacOla4EkN29qCg-O`As}5kK+vALJ>;vBH#X$Mo5S9+#M9+m$%%k;-_;fBMx`B;o5cIuYsrh~B0JN6FWv!gx7bn6sqbeMAG z`ol@3{XcC>181(9SGQ^gsMDo&b&1CKCUtZSb7W^6pn3f0Do3Z|u?Lv7*J{H$FeQq# 
z_Gpu}54h5r$I~5mHqJn}q7IC9eZqoraApW#JL(8~;QAZzURCx4lhd8!YOvl(U(nBt z4nltk2DVydS8qP_e4s28FbIych1*87S_Ft3Vfv*f)R61<&h@=m>x%kFyTiFS|L`5; z)Iei2#8bKG1BWF^)X?b*=`mc+7$ugOeqU#WF{9;^RW(7$s#$M`W?X00ubmsP!N8+XyAmkaZvaE@ zxtI(e-jlPmjPM;toj{Is2A%|D9yM>QJ^yz#PTb2NID&k`W41|;-baYQx?#99hxF_; zkI}uCx@XW9E~L(;DJbB$fd;s7d;pwwhkv`Gr8^3NX$7Fk2UAa0QM}*MP}ydXg%`K2 zvx{H_u%@kfGjv}@r`O?kPyG#9SFiE#U=hms(|pfxdXJ)9iP?ICW# z`^SzDA$FYecae3xaK54(NlpEcyFLST`~Xi3I60I9b!Ec>*<9PFk#7j9noVBf{E zpf;(5p&x>`YCa{|GW-@#Q%n#}ba<367>ab*q@30t43i?AL@SG=Xt%^2 zqG+XIkRfP+=1gBKoa_nGF_Xm_9v~m%cy2vvMa=68kOs+3XxIaO{GG@8_x0)v-~J}Z zq@p#FT6p=))JX#1FX^IIj02HRa7H=MWm`p`*lV%Ac#jeOgp%M|=1&Jml31Tn(-na~ z18-WQc48h#22lv)vy4vigp)mj90Zc5zXB-2?^B@0Fr3Q_LVUW&NYr}_>vHN-#Ip4a z+{&B;z@#x)_9c^UIn8~$JB;E$6uzS)O%yI)N`4^B-O>lVCFxWQp9d`iI_{M~>*)=`pBwQ~m99pcDsC5233qNmM( zVE+3o58i(Qe3@aKXWL11uSTVIE>!LR#>o?6J( zF46`?A&B4bOS%D$_zeAejqd4C&F+or6CMODD1qK$3|{Zg7ZRSf+6MU9DJrSIphWWa zK%eg$>Fm`mnc|X@4=k+!3e6kB2LhZ%fZbJ?k(g{`&zRI`%Dy2XOin%0A<~9~evdRI zeh&|xYyqJd-UT3fnXMh7m=q>MuhM%51=rT*0I3c}Hcuq1n)B{GbKHkosoZdNCt;=9 zMlN;km$?5{;fyjsGpA%+6=wJTBtoned3RQ~(UYyvRsLpC1IQ)~woex6L7RHNQ#{xx z1tZI&`^l9VfO}dSe=kS8Hz;vcS)Kv7Y?7^R6m>h-hBva32VZE>J&I~udwBNY%Exq zUyVA!#xk0k8lE`#c#X%vQ3CIJ7&-bF*(Ap`akG8W9`R+-;4$wmum#kThx53}r~vtN z_*X)3AE{zeC%%?6Z69{W>~zM`sqXSF9UYo&SN&Qrn*%bx_%5l=8hSwGu7RhEWZ zgTRXNQIDEK$er1QyYxa{Fv-ZS=%dQ54SPG6>v%BAL~F}A-38DCz1tuhClCaQ=;Tw? 
zF$UqN-4g>K@>5Q#c8^*M$N9}N6;=#56!s3&q5C-v&#EQn=edX3SE4;|E`zC;pP!V_ z5v!l6-v!=8WF$9p7psG>Z!>95>BX#{sZ4pUtQTz$*y0L)Y@smVgOg%_8nQodk?Hdg zM}|K|(y3-F^-i8F^GEmD4%Hn9#Ywe9Pz_$l!twvfC%?@nDhjLESHl zXc-+i@ZbwyDADR75k%zZEv;Q1kfb*T9%Ch$#~=fqrDFry9;e|0*`f=MT7Cy*X@=Yq zqfisL^;OgP*3zvcoH>UD+t1v6D+H?25kE96H13n2&3IGy(~%G&m&Qf9?&@DKe2aN^78ySN_Fcsy zyZBFy1xagu3Y!s`8C0}Wb<}?$JM$ntRT+;cMs1c{Y1Nt670htl2-QF zNb+s@@TmvwyWvTRStUbO5K$8$joz;^A<;H*5hku|xB5%S#k6<;NU{7qz(&^YOIhP| zH-Xo*`6E~5J@p0?%ph6=YLYkTqU{&Aq!2Pfw)NUXxHp-&d&GU7%0+FU{sU#dA}#Qz znFn_bQ>^*DFw)=~2j*Dv++3U}QcJC5Kf=VMze^K0TApOPE2yed?|{!zvxyH5h@034 zlh?~q2L7(G4xlxm?*6_2q4}4K52E?;p}Kk)9bQFBE9WTJOS~67vYjD<@BY?^Q|<}l z)nq!UeJkAh7X*@R4;$T!iMFb-=yNCSxe!F4Mh{%byJeLDf^~*Kx*m%9M#{+TCYZVo zpLLTDSf$Pg4mj9fjh8e*`BW=1gO$wEBWBGCX!raxg}=bw4?7> zv>D*m)YYXfZn#amHJoQuc$f(Rwgkx86A6jF|iW) z(u0~Ts;?Kb8nH!+jaFSebz|?BmD;Fxe~}G$Ya=E0UFxWi#n#mP?a>qqoLcYm$)I9f z2P6a9_WLOv-Q?GB9wKHTht=bZcpj$jPw##)ev z5-$$#w2~y8kuEEBC4dcBVtF9-E_?}A&)=J|>ye+YD$D(sRn;nsqK3qelK}FV={r7n z4|{O$g+j9<4&JheH#-2xAqIa@IMSH!hT;p{A^k5-oCxxIod_+Bb zj{v1F4>bixjyS}Tqu#nCvPbbgZRE4Lo9=HK)rW9|+5l26e zg$lDgP82{e^=2*R#YLUkEjaUuf~D0wB$hfrOz?b)XkN64B+n@MtoO1dM8qDGk--Ehil_gg?YJ@hl!z9jP zSuNNjhP+wk4s)9VSiab5J1%7Ne%TJ$E5DW2>+=wB;%Nnt(ldEdxGikRrL1u>!8F@= zG)uCZrKK}0W7jNjcdWZIR+TySMxiR6|2Xo=G;^KLbxGlm=)}5z<16f^^&1sVB0aMu z2V#~L>aM_tLi+pOf_U$^cbxYH*Gwo4d^n=LXVtnnIVb6VkD|c;CzklX@g93$uNmKx zi4|Q@|4SzR|M!ybMb~%xJ}%Q5nDN3px_M7VaJrEU2XBjzg*nK4WXGF?#Q&&k)Vcyq7AyU@rJIemI;X z9|HJ);1jxQ=!_Tfz5l52_i^{5csZkYXbd&&6hpfU{>}!HMiTlfeeb3J5Z6yt`G~li zE}YF~YQoz7MsfPyUExf$FuFnfK@Sf9aX<26pU(N`!&xtP%@n#E>fZkbE0lP&wNFRC z_8HfEC{O1(4--}8!IMcr9`IiUwu%lfPgP=ri{|hOHG?e1d4C z7XJ}-y8ie0^R&Zft^(XYs)6$kqJhIPBL5VISPC{|gI+v6Rtc-Kc;K|~tZiN)ue=@- zf9i+5bw|u!9S10*Q!Rp-WB5{94wbP(NstL-S&X*J`+BqLg^bm5$IA6VBO`oAe?Y3TG^iG2&5bZNW8yAmWvw6)c z8~4IvPQ2#Z)dEuHDhqPk8_h0~6Efbk&+qRLwK6w>`-MeG^G1ALonuvB_+at4}6Z|L`CTT6qx?Sj4RP?x32_Jri{Cmw(`!_=c*B;Jl$PD={%Z?-p0_r#7tn8M z_DtOmX=16uQU53)@3ooV4~ZGU(!toCKlbDA|9bWLv)k`IIX;G&=Q6$jszROcL{Dtv 
zS5=hgo++fK*lQeFx0myyZXdCUTfmTTwo&6&T1o{wqiZ+g6eqAVGLQso^TvlS8&AGG zxU{Ggwj5p%dND0DbSH8~_v^cJ!Gqd4`pp*xa3xRn9ZhzF7@vUnX0+=UY<67JtE>q@ zT>s{!bHyoRNjO85DZBrMQsw;~uc3{HRQ+IK4c(t7x{o(iXvDKcYM+x%f-{i21&<%$ z`d0#-`#DZef91K}cQkJHQ5`F5?%nXszWti_`%e78#-L*c<4D1a$+mibbBB@)`@xTl zEwgKDc{D%mFL#5V*I7Nq{@ocr6HR)OH7(}qt{0mvz&za+(l_9=D^KyU=V$v@l{X?Y zGGctIKVPP;KJL@`OyuOGT6F6L`})FZq$vu!H9)NDHhpRu+}AgxZ9X`(E4=kX{=GN0 z8|J34_R!d!B}6Z%u`16<;T3AXyLl86Ge>Hs{F(o!nWAvz+&!gv?3=kvL%QPJiIe=7 zbtT%qao%WlKU@12d&fD6e=XcqX(8CGaWL#hFzam1gO^l4!7YD(igL%AMd`y zshM2i=VhB+j>mPa;v)-RvZ}?dI-^2Od3*AW-2 zUW}s;zI`cS{XE!%yK<%P=5knnmz9{7e(wF`1}Qc;diRwl8T+Op|At1YxP$P3;3&Zw z0C+n;U-_XeECyM{9IA2Nu;1>>H3D*A8B+OflI)M*wm|>e2@STG9}P~Qf!QWmnC?dL zxURc3{lrYae{}3kTW-^rHSl%M{;g7E=$kXJPldVR+sZ$sWXkgNJ=&VlTp^o;|Df|L z;QLW~BdYWmfo$&B8E%n`Ulqbi=+ejI;0xA%U5CEX;BQ0$iG~Cf|)Yes}%&Y@s_i-TL@i zoL$WGbTq8bIOxZ#L3wprjdGh3hFj9y7i;5wg2xow7U&|=52UU@) z(e1Bmk@Q}^&eL%7=Ur=%q!rjPn6Gbad#>9^*eI~{Me}I>2Cgz{OM{y-vO# zVB7nt?(DwdgV|-U?9IC@J!zl)tKae)y8+8T3%-a@=V>?cgDE49s=Ua?>V1Z|ge}hV zBu9ApvrB09I){%3MvI5Op$t7o9RoospVXuzwl|(F##yKR=D;0fYHkE*(A~3?Px0~6 zK$Rrse!P?@U&d!` z_8jWeF(4O4`9sPePWm%1idQlJ{y9Zl8U9I6UqRa9>JtttBRm!#eT&!a;cHoYn(eLz zj?=yYw+QsynM!X~9kL%UGs3>aP7Vn2VwKxHtxcV_6)B)uBlmmy%|`>@P3@tV7kLDH zu8GOR&J)wF~i?0e#5yQ1y`CK>ScX5|g?;0U`V+EX*uXN(b zVxNB+b7povt7ysz(zuI30+6*P*~#}u6T-?yw{qI-%4zwDUnmix@>0K9 zycf;pv^0r%@CVuY-0k*l5LzlxN`455FBi~TzF5pI_8z46Ka=U$!m1`}}+Jq0mm%D!)qZ~9oQ!q{Z-Gc08` zGG;4UWSp|zK*>U=Uig5F+uNz~=8FD7J6;q%2u9!g#)YeQ$WEVJun;^=7hZHT;&q5^ zo?#U{p3mRqIQE;G;KcpC+L_qzIqI2|NVGLb2HA?Tk`UJkxHVBF)@MKGlg*Y9D=?U$ zcKzL`jb83C68oqvRQ323@rzMb*#A@7TSrCtg>Szi62eGIcOxAlHGtA3B`qORA|=g` zBHi634N?*!F?5F@AR#FX4H5%L!`bsa>$lE2?>c{+^}hcxsNg)$JbT~QweRb5N9`U} zegBbBT044dwuN0>^)jAy-8_qbkYU(}H=S(rBtc@{{jZzEw!|otlHk&-X=Ymy`0<}~ z_)qH;rm^(3HuJY8(L^veY#i)%rzUb5%KJGr0+KqdN$>Y5s~!pb4vt@gFs)2vI_mS} zsvTKjF8Wx*UBsA{8@%Q;sJ|9R(?UhV2?%)g>n&3&loptZaMyJ46Z6_W@r#~96M6am zz`b$0uGl9u)kB|W$B84FXDM7m`X*TQ|8(x9T<&{USz1xURG?&yjZ-|yde!C$UC(A7 
zeufaRAO-t;^;afZ7m9KjrihJlm{LBLeEO>808O;njy7sG*bO>+5qke1h+*dQcU9x( zg#$7}w7j8t&6WGqP7gxNDHt)9=F!|fo|-@$kvzD(kMh2(cdZ-`^orN3ZHfQngJ4W^ z#Vc5UL#id7)9XT08?TVG?Qcsqh`VE7a^60v5Bs3}exO$<)?IA^ipUc1Kvdmy2MR47 ztE`O`9S9D(fMt>{od_k*x@|zB@j31j9TVL zqz2mGleA5V*viWvC%%2{F_g0)$|CwKHfatnqpQdBWrnNVK#QX~D)n?7M~>TUt)N)$+4XuzRBO{H;f^mXd{cCpp=uyMbO?n6?Q?^-RiK zqcKrruX4_!H;ej?i4sSGy0ZOTm6@J?COg$I>4fJVI{}mESunHJ46PFTkdXL-2S(9e zh<$C51=^FWdKLHHwFF;L7v&e&e=6RycFNDIYAdyAu<+vqbD(dfZjB4lCv9@P5+TyfL2zfcbkflbH4_tl9 zsJ?RE_$hJ}HI*Epd|KpGTd!+K^Tzcy@U4<{O!vyIWbkwn5EQZ`0>; zbZ?`KfA5>Ljj}(_{Bm})vH3wnS?!tH4m0*TZuViR=B!fs;8xnG{hGAIt!yOZZ^9Zf zQ!I`b7Mnt|O)r^jWNf%OVbYbnGI|ZGm(;>)EY2FnZ!6$&a6MwrO3Jq>jw(fW;yDswzCO_B@cRM4JS8iMIl5qP7FY$?Jv9>G7X>8nBpqlV`lJRHfV@q*;`FE#% zzoDc{nTt5uO13I!V~Dfb2e(g9CfX!*G(GjzGPbHLgfhvm<|J*A+%*@sMGS_PB+3pSsQ^`-whJ$}(oAj3i!bwG>Vl z^|~n+8NXuBeaxAmx3ezgZps-cZwRZhyJL3d)m4>~9Ck)p2O6=myEF+X& zc-#rED=Wr4v|XQ>)i-E&ZmC#^WAs;aARCpZFsc38;-7rg9#*LKo4tK=gtL75AW6v9 zV{22JY*f7$S7ramc5Sl@!=isrB)yHTMAG_Zi1~usBdSnso?VLU3H#NpKCk(4ukv+Q zrGRz6B-ye=EzBk%Dl$BNaq`(<>8FduyL}2kv*}w`sul5z9a(BpZ{Ueat*N=NNNw4e zxvr@-*UeI0%zUL=IlsM{!8NJnqC9b3DG*|7WtZRtGiNsI)b(&==cX-hu=Q#fTVga{ zxET}_Zn0jA|G^_g+AK1nGRNtpLbUcB3S+VCv!XDjZ{N%MX22SZ91!z3sQvL|&S3VL zu-XBeDR_{xcP5%A*8Atai7%cuE#71rNj^?$O`IO)4My5FjV!P zo?YjyN7@=+PT%D26D-B{Mm7p8a0$9^#sxndJ>-7* z%cltM_D|ces9E&&>T3L-38>?|NqXJlRDj$=9@DpSex__p5u^#Ni8I5VdZU@8Y_DHg zh76k{om6kHYsc0l))S#Fk(`M}8KgT8-B<^cSKggfNK`Fpku_PTw0LZ9)O!i=E71NH z6|cn8SY~bXnOj{|SQ_(ivmBmy;Ol@Kd3m)5cPYIK`D){y`9JT(WwLFX-}_N zbmVZ7Z&N+QpGW)od|#T+h4D>vqCpiNSA_a7eondlaPl$jOinoHM|&vXKTkX3E}bC4 zt2TfCg1^F*FqMwVNPMW|jK}Gs^EgZjmh7?j{-W5<=?B@6!_61_+OBU$;iAU{Q3aB)Y!Y@BFr& zQdSu}ARYWeY01*x^G#s#TN5Xd^B~ju-KBYbdZ!!L78&{YP^rhJ(l^TBBExx*!v*%} z@5B;uKQ??kabBM!n811+0F@}MA`qv7cf9&vpWo$zjHpX2{!6UQv0S>_6FtDd;fy5Z zPLS}P@S_{7b66BJX!r9y-^w)r&2ojsx2Fn}ca_(k4#pJoh0^B(z^=WT*iEnN&c%yW zeK-?J=f^H}eHiHHcQUSE*%L;{VU@`GGQsyc0>SVBAZtRTZjwQEdI+G0cys-4VIX3R zV&RQ1kD49CKVP5Qx&E{mqAaUn=JBxrhh)Cn 
z$fNqhl5VC~T_jXgoFp9Dae5{&IRI4>A&CI}aRVsQQIm7gP5yo-yJ7vi^T}nK>56n8 zkWXA;LZQJ1bEVoJvmb6&!?z2{l%aH+(x|Z*R^=Kw+H@rlP<)psv2k?sT|>&l)?^NI_0{_c`~6p zO;yG%%7K`V3Ke2$y+9OqZfyNK02(cM?Q-8hAcW4mG9i!)w6_x=X|1HBG>!Hb z8u$78ZRUjfzILUd5Gveg3G&Juu9?D)DImjclsgW(=x)xuH%8K#PJ}q?{M>B=6Lsp8+VzV167MuXG&*k4Ui#-?iuDP)M#KEnamk3SiGC|-1r?I&hDTEhO^kJ%hRNPso=)u+CjMzP|C7yX z=>p=VcRy@x0ed3Lb2a=*;sAxP3w?9s338m$e<44gbYAsxI?mOXf#AghM^PRgweA9h z^zS37KQ_eQ0Y^tB_Na=&u$cDHBvGIQ@u}oDAQZIrfvZ&jLgoT*I_}x0#xMAuEee1{ z^WpgN#mN`quK%8EGR9hfs{>D`$FD#9HE4(seZHFe)e*Fk65g`G3{ctChIxm1$34nt zcBMcYfb*K-k24TVA2?j;7IMt>TzyC)A_iH*N^~ag>J1!C z)&uSAFvLIZ#+F9=f;Y{h_e)8hG5{QHMye4}m~P zVK|kO)qQ*?X5Sv57F#xMF zIv-iyzIi@Z*w)SRs%z?t4ySMX1617B%LD}Mbz?EmLp8g)QD`Tj09A8^H+=f=z)xVo z`109pf5AX*pj!j~Q*cdB*xNlmD{_`m^twCj-J7#zy#hJ;RhlGTMV{M^~tZzOceQ{7P0l(X4+3=?aL_|lmM&-Q-#0(a5-y?qy zp4b73Fg3} zlLlxzoF=@G5Zs%qGyEnsHFh2z9@jn!>n+ilm50WjE5QtG5nd4Juu#xXka#9{HfhP( zU263naATL|Hmt`MRW}`L3L$c)VY-1BA)svAVwDy-nm7ya?DaH6AqN;*IIH1Wtxvkl&r=5ZbIPlll_kt((0*Q< zQ&U%`D~ZAbR}K5xk0Qd*>qKBnH|q}w4Pd0aUJfQQ1#bW{i(wVh5@T~dB9*9v8)rXU!oE3qpr=$+dr_n_ znXn>gfF;uoxu~_`6@-H)Q>#dsB%2;#HV{iu-~;Zue`LA0T0-pQQ@}CFxr6tU{Ixi} zZ?QzdZ%g19D8b z=xCyp+7~XChP_{O&$7k~KV{wA_*~?xm^Zn1SX}H(giP$rSYFCFUk?~HorViE!7N4R zg9T4kF`Wmk>nvnL=O#Qay?$%7eJ))4!9A7gko>T+Tsd?F*W$eC^kgoaO(*{SaKldQ zN^kNI@2Rz8TusSLTwMrnlIh$`!gN9E@HIkt7oP)Zo_w9Q8lE^aFlIfSROe^Ng-|Q! 
zVN*3>vE?M0q9fp{vuPQ5uWzD8(XJ|AU(Nkjo+n<)P&cLdSa=(s!+|$V;XO}8Vt9#m z{G7>vtDZEPtD5R))b{kw zH`$I$Ptm<^BN<^`l^Ab56JL(0n*80k$>c9G`B1+lRi9bc-zN@wTk9gzw4S`Yww`0Z zcKQ7-E{{woPF`?k7vGhqOjB$0&b5{A>r`R86WT z-{_|E@wWG}4bmcZ1$l@|vp${LZ<|%l6FEaill?(isA=VIIC9n3er?=@X+2$GG_HI> z!hHT$oYrgiE&RwBH`wB7tCC^pKFq!Tsy*3=&mv~}k)Kh`#FqyYlMNw8$3RrEsV8JE zpBqmuS^Xk1&@Bks8%}=pg*PUV|L=Rn&DfGbwwb5NoKhJa%dTQ-YH1B>4M_vlQeX7_ zf$nwF`Y>pi-(<(RaQ7$&+JUL@AqFy_y!=PNP>BzVg27 zX-(gRNGh+6@r^#0lt(F(y}$cuk3=9HMsKZFOnqJMSOtsqZT-O1%$%V~Ikjd;7HeWQ&7XeWC(8$8)of=H5{6z<<0d(cj%iS&or2zX))sg*y~<8% zLiP`2aHZY`|NqUe!lB}L3hc=L6>IgsP_F*}z5L3Zo1X=?_8oj#WOp1&caiwXHh@jm z8Pq)h9ZXAH#cmC1l*{sVPzU4Z0-n}Dj?eAIrZb4-1jh=*J|dA9^)$S$Xhk*5u>tIG zeAY;)^DsB#tKuO1i9a(AbO7aZs7a}3?51;`2>Kb#s3j@Lsv1S&6V*v!$1mfpeoWlr zcaPQb8rHM>Bw@-JjLQNdGAIjJLFpTUPsf9bN2z!Tw&Km4E#pabwu2PVp=RHTA6)tt zP?u;WGoNj=0<4n^lDzCS*n@HDC;;o0715=WA2eY9J-ptYQ>(pAvBiCbcOsHhTL8uyh4rNQ>>omhXW2sXT^ucDncbRSp0v0@BsD zoY(DstqUH@zRsXlDt*y?jzaGs0e^NFV2DmAq3xi)H|>k2D(MGxR?0WqnVn63^S%Lq z_<0IP(V0wO>m=LD?d_C50To!in<*zg1PLH})1Cx+Rn^*M3DC=}0_3RpK~VL%hXAM< zNlr$(Zq}Yy3IcHH;qRv_`Lxs#>{@K4bl^s%Q*l`64(OQ{-6V66NT$oL?KJ>&=pZ0} ztOLSSG75AIxLuWqEFh^~z1aCxmIw#j=2~!FZ*CJ*c;Z)kBSQ~JMQ_g$>!32##mC|| z<9SG{9*Re^2JlMBg@w!{6(~iD(!3xQlmfC~|1pwhj6JeZvgZAXd^F`ZQv!u3@;poz zz!c?x8UgvCby^%|I+(zc&GS9k=i>HKB^#)L$&*82AeepwHK7)D4hlCN)w}4z!ot$e zWKXo1eOM71^6Nv%ua3Teg8sbX9a{-d(^{XO2OOrO6K_I&ho*sEcj?mk_C>MgEu-6R zMBTfUL>@ji#qCE|Yh$^lp^<*)D_A5&AjrQ9IC6oYJP)LI`#U!!>U3HJU{)*Qu;^!U z4y~uUry~Rr@k|OsAVF5zHBoD+LIO`qBX8Quk1SM5WaXgul%}3>J8A)U=ajbVWXTjD zgd*@mj^}Kvr?%6>mHj6z-_*%F{NFJXZBG>3Kp@yq0@YzCe?;U8^e?}F#&37zjryq6ajO-J{}t-q~8H{UI; zg`cy$*qecEovSl)$T8rTD@);1i)gf#i0?O=`>SU%v;c<95Wq)q0KxqJ>n9ZWx9#rM z`!r4xXqUe?dSzO2p*hf#X?_jb;$W<3!LtTn6NDD=S$!Orw%}g~dI+5#^9+xTow;Lr zvG*~LyN56~>H}cyu*GN7aL+f3nvg3f$v3o4$v0ssm4cA0cI!1peC0lsa;%W&87Uz>*A{z_KSs4V#8+Xn8pn>m9kgYeG>M z1|VN&Q@VvLH+vlL_+I@>27o(7Ks8pmE!Y~R%0DJu8}VEyE)bK#hh7{GX_1oVhl_+!bS8pa{hhE3f)Vx8p_ 
zQjE^e+zJTWhRyfwfiert^WNa6=4qmJ36i1;y>~FZ^$nqu11M|G03NFXm|We%f)XJ6D~Bw5)0(gc!8hvRxB!s1G2prH5=;pZl?y?(c}> zViTTe;Cbpm9tmiNr-qOz8XkrbI&^h%Zosb9o54Ba<(J_@v?B!a(L=D(Z$jT?`(19c8iMHok64ZFG(Git_oP_!sLRh>P%D3D z(5~sn+&)JX)V*WLNlw)7y;S1kb3mbG67TX-ZTK-9kt@W%65*US-XBAV+SDluLw@&; zFiINzPmifd%zwuQLqy!QXFh80$1Gb>umcMawPYep6)2r&zt>YgUIf4K z%U}BM|5dFIfR#o(ttS(Q=_BS{B*APjmOz4H-tRiL>p^hcmeu=$ZRelG>zR_2y;4}) ztCQ=C#rHpALs98m0eu~SFT1SqvQfJ&*sWNAXifmg_@J>{!RrbXuCX|mjN6b|(0cUO z7`RM*?Xgj~dU?`}>qFx|6j)>@DDpF;{M)pvO^ktKMj`34)zjCf978Qy2XsRkTD0O&&QHOVgm)hBa{YJ(*9+Bm0$+ifc3H_lpsjTdNd2vT(2AK#;yGT z+`bm1nh$?V&`nwqg^tuF~oQ4qw(raw3W!n~<2e4*cslmoW*w_cK-8 zsQSQU7#C`l;{#}kNR)nW0F&(%Ck)&!1x6-?7;VI- zHyS*y0x=H&FtG*2>>nOUjl?pK#O?s>!Y^HQfW;Y2%%~!<`!lbbq4lbJfR+b!MzFWg z^opnb+WAH%4O~0I+kfh%)#M0JdIgVBlkbRisbnhRBiRJISE2r3$2N?m5_<3YJYIqT zf|zW(eYm6A=5x`dU_(z-PdpUdh{bRaM%KRi5@zB$E;j+}HWJuSk{W7)N4K82`?JE# z_E4O$71%5#eXh;?_QNmnHv?H87CmyYrP`q%K8u`U=c*$9eqYutFfCD|$$oJkz(Iem zz(LLVF1T1hxoBg?8^r{tS>n_x3>(Q5R`*|`DAgEAGT$OVDB@oxs!NW`FSPsn+q)X6 zVEC=YEBt5rb7L0h*Swu8FVI}&expqw{f5H|I4e4DPzM?kn|WsEeYyj%6l$hsY_gEd zkdwW-F=gN|u4mX*{dN>NBqHnv7(bcU!D*Lfnmye*Uh~p4zq}@b{xQD|_ zd;;Mv20BH2`*6NNe`NUA(gRQYtmEztBjO;DpYk8Cz!Zg6DM$VdN!m533zBqRS4s}u ziqf%8;#JW$6DMwa8nXg!tpm7%f_1!Dw~$HDSF|MFnRqoZCO|%&I%urYF4M}OTjRZm z!oulEd^Y6!OAv`OMlnFOOu@j@6YceaQju*Y!DB7p;PD@t3DHv%niYia5majKIrN$n zVwc?dTGHJ@tr71Y#sxT9K@lxW`)ECK`+`=?vBzYB5rz-S48Ohi!pn=KmhAkj0pq_< z%R$&B7aO&r$YJ*N?9qaPr3AqHo`?VqG-u1^Lm7Ox{Z10=pup+P;YaUtynwD2aYU5h z$s$$sF1WSRCvb3_qg7}1QYc@N=J%rs*#c(2B=kq4GKfBM?J6S!DtE80V8!tl9WF0? z_ykb%FE&`@!;l?~Z#8UA*0@6`n7TZ$amISES8v|x^M@FzFCE!I?zh^tm2fqMIMe$? 
z(a6Wx5~|=k@3-5 zxJS;nx_eB-@W+3L?n1hGlGESu9SR%&QtF7Q@)tu)IPv}G)SfAH#mH>*s-nt!v~1Zt z$Ort)`-SP(OfjAsKJps;L)iDbVMb&p+8>d5=35G~KK%rICq3!#B6w3wZ6P-yuWV)` zp>+t7Kw|Vtjl+g9m+!hKSj4*%(E==Ao8LeE2wsZSL35i2>j=ENm>mk+fr2m;z8E>f z#u_Vtm$oN!=u9*+CH2sh7Oe5QB?&w)ZE6R)hSEPLw($ZFZJQ}4>e|!$;|=}YSM*;> zJ?XB5ruzjBguIB^xT3C8Fur7m@16t^l!W5|9UuDn(LdDL5e^EzX)9Bl?@Y5qu&nue z>qrBwEJ<68l6hriP~)O0_kd4cn|0JF>gY34t1KX73J!CDfz|ID2tkj>@w+c5$o-qa z=oDdWSP%q5X`+RrgN`A08r%Fmc-Y{kMe=vCJ6N-@yw3Uev(MlV3h-le!NMCZ}*b3wzk5e(pKFMj}s&uC$3p_}QiF zj9j)03r>H_M^65F|MZXo5roF5=BkSwE3jc0CG7N%mMQyDPOqS%@XQ;&COSu=7X_o| zB5xYQ#GQ&9R$3GNAXM^M*ZFN`s%3%ko@kPH*T-j6mbYPKeH5CXT|z&QfT>B7tG%(d zigY1qBE-T-63yOn<^xYwr=mUVND)HQ9ge?v1!@M93@4|*j=`CQEj3C*z<$tOM8$6c zpJ=WzwVwDp>NG01zfOs&fDW!AF9M*sAO9&)52$yoOx~lUJnhYv3M}nC(zHz5Nw@LTvgc-8F^XBS)$A{X%2S1|1Ed z-6Knt>r!6HcAJAB8Q)^bd$56TYiO1)yi5Ep1PY84>zwQcv{s~_^O$4vLoj2{)U>r9 zgbk^6`|s8C*RL|Zc?t>oljFTVPRmS!E+cz@ZT_OSfJhLo7@IaU=0cDLptWDn@@t%F z(R#%516)R0*g_yMzg$V*r)t8Bu8BBA3qHp`uB2p8gIc(}5O9}*2`vMdbqG)``cR=y&O87AZ%D)pF zOSO%$hXqp;DNH`_#Je!3rivN5ZxIx3vLrYLB?cK+ydN6#;PmS*HK#tFpD$}IS9mo3 z=PZR){xS}aWn`kqZ$??`-o?OD<7YTsy+&RuKkDK z$0+pYxOqw4eOD1aoSuNqx6Ems!D!uzWRD333S>r>Z;ipu@-feh_rD?xCJY_?xxQ0Hw}h z<;hHD^dVqFwEt(7u{ep0*BShv^KjhEoTzJSykP1x6T~QRc6^1wu8IL)QG5w%{~$I- zgyDS>8psGz#CMp>m-2l9Mqe@xE-XY(rtRn!Q)ZO!NgoCNli6^HbUMFRM;$*hjNfLn zX$@mNQiDK!DB_yU*zeurqaGP6=D--n^&dh;>NiMBnF}P%x}1^CaTu;yF0dlS-b&{< z(>Ud|#bG5$j3LBi6Vr>HQ;fq_#o=r_#IQ(Vc?kx|Btf?@AJ&*PESu9KhRUAs%NGU$ zPditJnyYl-Ir6kjPzA~ey zJj;T@0;51>X>>dnP>sY&qUnh2&9rRD&y{^+L7nmJFC;Lw@hJ4H`_AAYCT-0N?b}B` zML!$!N9}j+N?QbOMn$>od5jL+J9!hBk8wgPYMt+9_n9nWQ%*h8q==4j2#;?vl5D+= z%+3N2$_{@slpzKGGr%y^-PwNET?bM79N|u`)WL)&Eh(?&%pXIe(2Ed=p-w+-++sN% z#oB^CSU#ob%lnAEnyuk+`?CASv$T+#-2{@JphiUth2{?-B7(>&ZY}MYvtqAf&d8pt zho!E2;zVuJDZ0RBUN{o){q)P=(s*)%>qoEZ^{NBc!aq0E2`2SA{^~qOdF15XYNt2> zzD$1n867qy=8?tuihc*K!xHYHb-twqCe(b1;dXvW^SF(B0?{=uFg_$nO}z3pACtF# z5?yXX&XJ({r`<~Ts@2jU{CHFxCB@6b9+)WxJvsMdr4qMUaG$roq)3BJw|E>JYR*Nz 
zCw(bM7?AyJ$rBNMC~WiL0M!+e3&fC<@6pIHo!1sac4G(8JyJR*{gF2ogeQ3&;!>>T z^d_N^xvf?x0sJQoLh|;{QBbq{Um%XyR3+Gy{czdeU=r1RB6w;wcyTZ*h7&vB*!lp~ z`ZAh?6hzGGMw|(&+FQC4)8d^u(eOR|=q6#u*$Yvy%2{~{BX6m#xHs8o=w42I>#8_@Voe*C@q54IutxfX>Ae4Wy$4 zGvadmK^ZR1{kj2yI>gNbNbOKbpn`sWL_qGE97`Jx=QL~UnHC(WZii)0qDk8MmZMXOc zYeMwh&(9jMv=S$2S75jUC8dCc;sDIX3vaseHJS7MvRq(2Q)E1~N$~rJYIgzyA__D> zqlYwrOUttJ^Yd#r*ctr5pRhm~`(o*o92PVfyQ1Xoh?_|iXxk*hbiV5+WnJ{4s{U2y zA)T$+p_Qk?Ive`eluuXsg(IG#kx>S=@r3%XR?Ix(YHXygu+(wJBIRN#(B5(r3T}Nm zG)l$4q~MLnd+|@GCver63YQGV`%nEt`|>g5Am+@97S2$NLrm5#A1v~xvxcXqS{yav z11}n|v*l@CJZIP63uWh%`BA-ZZP`qQ9dgk)S}leZvUja*Jni>2E!jhls{)#)_#imc zrV&NsI%j`$=MecpzcB2Lfa*YlrfSaf*-wdt1d?|#VP{5MPc6DW9W%R;$GU72LeQO% zybce?a2e?R{4gW|n{VYMGIB)=HEF~gq)iDhAiS&H;%q?>Go*ax)X6pTLld%t3IYyy znU3L(T~E{`Gy?sR{ua(YiHC{5m4bRr38d^ZzrqxHy|V+*v38zmUT1}4sSo#uXJhO4 zj`=zH^vxq^Wy7uO&ePMwJp=cypI?WgFA=ry(?{$H_KO}&0dy@P{)GH&kdoo=KAgkn zH}1k6w9eO1oEDC+EXm8Yp-*WPAA^RlDD=c(iiM|6wKK~Z_C4c?th(oxvC_EzMW>t_v$O!Q%4 z^d_V>3^CYb_kp_~Cb&$9S%;JUcgswlB*02Pjw1FNlYBEw_vjyj4 z-QJ@9(#oK2SMP0rUB~cKC-=A3a}uvM4ZxT>@JDfFdD5hRYnd>23$Govu8q!r2rpMq z_1B_fe*Ktg{L3J>_p-$Q)8E`#{+!d7+2S74r=}JCtD83lj;L{;HUAZ`{7}lTkLCa`?#sc7orjV9K zy3bwX&NUajucKu^tyn)JS-S%+(*B*0*|QNEu&mrhd;p^v-Cnc6i%<=RXKZWzq<1!K zuI(_M>V?DlS?LI0tc%D6#ToG1&ks2h^h;_+uvwQeKxbx0L-iL{;}q v=H7o(dE|_((N6q{=L;d1LI=v-BXfNldY0|^XdNrF~o0S literal 0 HcmV?d00001 
diff --git a/windows/configuration/images/kiosk-settings.PNG b/windows/configuration/images/kiosk-settings.PNG new file mode 100644 index 0000000000000000000000000000000000000000..51a433837149143cc9a72ab71104beae5fd2ec87 GIT binary patch literal 25047
zt_9KI2l78vvO;B4dgT#HFD1EWYwswXr)<5xGLSEyt@r2<1d*d!KfCUZ&O89^RPpq* z?NU{RXFEu-5n!@y!h+MnFh~l_WL%~jM1eqwx0+Zpqfr?f_6D#s{n`f4sF_|86&s=W z;W@rF;Z1h-1+8dV)`!-)ReoC*QR$oHYgmCCaDcvwZbwpDD!1q_{oLoGA2~(&a!91S)&g?8mrhjIt%D2Y_~_9Ych@F8X^HX=mknjxF^d`M9VaP)*tnp z4$4ap=CC?8&dQ&<(K$v$?@oifFn1`^IFy20FaU%)_67IR!TB{n#8Ui|A5i)U|t>{0=jD*Rm>=Q>(z79IR$;6b4ujoMN7Q_W>VP@URB7#f0$CE95=>`Lg( z8k{axN*!OdJ_JI~DXpyHl|U6;2Ry;wD?%)!ibs_nW9y>=S6n}0 zTeAS5v$c1FJosqCjoct9z!ze00)Xo=PxsfXx0N)_Zs{Bqo6FyTq`*FN=_}}8Yn{b8 zbPl%d9NL=&h5>W=-R5tCKo(;cIM!3aN0>cfSaVZ&K;}+fw9gr+ciwizLGTynv>0Ir zWJefIs+kS0LkSXsIEhI(LI!vklAY zIx`_#5Nw~6^ON`~IJgcpvneeBp#dM@K$`(WV+(d4@Vx8Uc&e83zE0lWW#WvQF5YyW zK<~aHcNt|zZcFt|Af#jNvQ2%>UKszdn^DA?LQX#YBk;G<%JsN$?m!{iLse)uiPi}2 z5gF@EW!QsjEdRBs#6eM|&>^`KM7&gJo;l0b=?h|MjEfzU7bn%Rvm!m?JC_Uw>uy(F zL5X+XK(gm5qpna{5QmR43wcZ-Q=~K&rZi0RB$?z|#W1UDu=O(#EPqWsIRTLwJAGBi zwx!Cb?X? zCipuhc)s}!pIvfJ_~oH2k7q(mPT;?nqiL=N(++scg@U zhy%u$w>eJTsNOM~GP2Y{?K|qiAgj$lK3fs*4EnJA*F4I7mh_gOPQn!9@rXTWM*7|6 zPm6(A@3qYKTzin`<|4Umo%FgOQMT)MK?$sVSaH?vtx9K5)uw~)K}DPDqNAw0@gf>N|Est& zjfeVw*SIbFzGe(&7zQn5otZ3SpHW#t`AJEOwPeed##(kpD9IL6XhC~Q8wx{cQXypD zQY3^d=l=fB|Jga`$vF?sV_viQ&gXky_jO%wdT8a{lcQEi*f=*{_cIzc}WJS-LUgb^pF&eUa zu^lF~$kz%ydo=|A#fV#-fChW+xw zh_nxQ-%K_0ZOvtQxpJ}^BZkx3Sy>OaTS)OC!>+NHg`}RX$}=D!99k!sAVrFUElJDa zc(3a^q#)JjR5?Ql)+fJqCA<+EHRV3Xs6eHvkX6XkLsMQ%8k)G@`ZznqwD6-_+#`+V=WaI8IY|%~eDg66D%nf|ZH-^%3)Clt>zB&@G60HOxUZXV=L< zIBlka8J62dbm>WXsf+@ua>O$r!z|W?F*7F$Vl#0(cZ7mB3}=tg1Y7bRe|Q>re1{B9 zyI0_>x^LuG?Gs5GUmUjH5Em{K%6i&~oeNPVnUJH(J?5^d@{x>$q?>{{<&&A0KWul4 z`t=qiQdc2B1nJ{Ru$B4j zEpVNN-Wq6`M6E)-XzI{b7uT5eOVT6~PE$PRvQf;Sy`0)XCzbj781lN7`nF4@7j-&) zrg98r_y}Fq?(QGILI(9mTg98bKR-rbOA(#&UD)2g>$)kUg;6(iMeBgSXgC0K77vT! 
zEX)t>yAnw2FR3@hR0IlU(02^&eQOXsyL8+CAo6H@y46F*a}P1v3W%+0*xK#DU`U-*$vYI#hF6U4gX2yEPPLr z9y-M^=nT)(DG8=~6`7MuNz+OAV-IY6(!AT`*l>lQ+1wjaQzR@@KFuE=V4J$&kX@@W zj-EuvXg>+ztly=j>$_Ep6YbiDp+Z$9m=k?AFH&Vu8ZTp z;t==F5UOZe!Q*@HhN%9c*QXh7v1U z=-d^-GiCM2^qF$MsM;ltgl4bPyxlkhnuF0*25voP$MjYWo`^wNWz9hCl|A9pnnuJ^ zC*w`X`%4V5E)1D@^HqvmfG~$ z%MaU2Pm#t@pVI%#?~08TSWIc5aq}}|Sns*?rdJVmlV@Arb)1#FsWHWGfu~oIQ{cqg zLEaW}6eVf&qv|zzl_BeOk_HzBl~hcWZRW3x^ccT^-rNDCEDbI?+QE|E2J0v7+y!*5 z$iIzr;(r?HeE-{uxsBfGqhGo1)PIzIGbVKB%Duu}sot>JUSS`~3Ao};i)iD3e)9HZ z8W4q?jS+i&Ky@af-pcZnh4a8sJF%tR9^WKFyJ20thufw`vj0SZHeS5a%@T6Hh!+LWq{dc z#J<#|VklSl;7ssFG~3@%rNVphh4Q2CXm8OrO#}51+$&k_31lvFE-_CQr5Yvm{E@BU zBU+cRExB!gBwEN{XYiT#cDG&$8q5(G|E6ZLBpOQ4;OC!qZ5yJDXfEHW>x1HHYeB=1 zfHcp&vA@B*eGoCMO1u&%!U(p+(w`y|l=~C^{srDaAdk6Dlp=w|4TJs=$2wqgEY2B# z)NC3GLi^)K%l=50AHFt1)~8uAS@C^Hf0l5%S9j45La;&2ZoPqI%&YQ(Ae))5PpTDo z4bHDFj7Go#sw)rTuWY~o_(US156ssB%)A4y91cx}aA%5H)ih%58@Xio32#c=|L8a0 z#vWv*?U1CC+)(&DWsvDy?{Sc}dx>HAx{@RGp)acKJ4U{yMZf8C_lFl~VjLG2o#tZx z5aQH+F1AEA^u7nsMx1QlsPIAO{)GkP6wwaNS^slmX0k(F&?n#k3n417guJw|MuCr| zSgEmREmsC}I2e+)>4V{0Z69paI!gZOW1oCcIdE^#P&mrAnw+j1z+~fjnB~6PF14-) zrOxcjpbRZ=WE`a`?j8wnlFX4CB6EZsA$dlyJEsUe62SJ?I)u3xdQTX!ljOK8@MBvg z^p8y4d_2mF9%yg>QwiRy1b&A@m09vK~mvZA- zq#nPU@Hs&zgGGM3r#Rj62y4PSTeDdv4!a(6&Iuo%B`}3WzY@?!vVhuZ`mzx6RY^I4s(9S6lJ;Z}E`rpZRvxZuiY;ubctyROGu$g)(oipKCj<`zyjNE}yu~Uq5y8WX$-F6(#By-U0a=yC*PyW2S_N3aW!fEg0 zUav#YKxnqE6@%_Uz;@m-E5cs!2a_FNqTq2^_WlVCsI3P&@6REGL;mY-&bPp19>Rpa>D(-8CM0q_e)=a3Ta@rA^?TC$EDKx%|6>@I z|L8Z&ZPj-+%r6Qi!%0t*+@B(1ynIxA15U$qq?&utXzn%Vr&(~sQWR;+9+JZ;KwL|Q z1#{_2`6AxX$owa<^E|6jPefd{_b6f^9Tv+%^GnySW(+PAstc!>tdPI;~-={{&Be3m9^qn_1XWa z33yD8+7e1e^uD-Bd~x;Lao%8a9hw2d2-gG_m({bS8{yIL%)?Mc(re=sF{C&C@V{3Z zSLA@pM@r~%9WUX5VGn_yUPLyQ6>5mt*C~9;!+Sf@)To0`8Tq5+FK>dq7Kkt-t+;j# zT9=DDD?f&P;w(Rkr^db9Gz zQBRM2ym$M+-CJMiONiH$3Hsm#zM63%Xiy;xXa*KpZi_EIvs*s1nP(GoJ>L(l{CjXf zMhaCTl*{V(XMglMe^2*g*`N;ob24|7IQmZ0B5Y%2;=5i#$KM@-RbWlE=$-ulYaRkr 
z^ca2EC>G_&4s<*R=RV;6EF57pBPNsIKdJn;X`*tcE5V40w0r(w^Z6meDyLi_(%^=?>bULrs!Sh@Keb17edM z{T+(&aSQe;MxHu*GN)r*c@oV6ms9S<0zYe4T-vxPDmqX9v@1OWm4Jy$dx$znO`+oXVJrXH zD?vw8^;KVjXj};Gh3c6DwhRwgn+xsP@hE3?Pr0yJfhlEM0en+j+qto&7+kn2sUj30C)79XRdAHeZvGVDf9c!>F@%axiA$ke5#9b)Pz*N<7yO z5_k@@gzuU$6s+OE$wF~a)o5B$NT;cws3_)$ve_QaF*CdrAESG89{g5$i+zH-XKKu! z0wibQmE!pYhkIe14(h3Ay;YZ2s$(VT$a z2*n>Zpr0adM$L~Tbg^Q%DubtsV=v5!c7scvE#P2LG-@I=AK6Zv@V<6k2(cANge=wR zaq!JQ)>?7nryUqiaPk>%6D|7GM>{6~srF7S-H_>hOJmD$*hG8bB2h_uc>9;hLCDFL zUp)Sj-DGMjDf+b=_ptUYnT-l!(zD6GZC|u9u|iJk_PhVZ-0%|4<-&Yc*5=&9`Ag@^ zYrSCp@?zSvTON&xiW;90$|Z8*OHBa#s9P=FvG|dHzw23A)%&xv1BXX&hQVfLA=4tr z<|fz~>T32T;|#VbPybe@#D^n?MbTY%z6!|1DuE>= zaVuWe5wm@76s7nVQ|3L5`5wJtUXBo~pDRY91K-7*Sx#D5PUpjU(HzU^at5}oiGEI~ z>A3FzR=xF1WAw(K@rvN7?psXVGXrkl8v6KXY#x} zX`lm7n;zdiUjjB=Ek5lQBS$RQq)UE^QD-silsgAE&aT>>*ooz4_#fIljbX=V!S9aOOI66sVE2O+~g1KjpuM&R*_habOB7V z*0hq;uE>e_EdCF2$=6{lAk~ZGr?3iDD<)IJd%ECeb=`x_y|=j)?t*v9^viZ#;#F1< zXZJmbqHL*1Ny}+Wd}iim7UU|;3jCzVR|DqS5HOTG39=r)V;jw)7+IT_OjwEeZ~w0N zekw8LOn(I=HI#_5(N3ZHhKaMkp9Gb)Wrc?uMBIidqJ_vgwd_%)AB8MQ}@L7{Z<@S z5%kF7b;xe!*~rG*eXglX4cos#ajQsdY}uSE+u6b?&VtZI^^a_=QO&!qBxw<83L!(O zGix#-gq-yLwOcC~B66YqXTKC=LYY>`mXOM3wFg(Li&3%)Vn~D9*Z;SpbO_qE|9eiI z+NX!H=>??F8JAZ^wHY$vgzm-RY(sBC-GQxX`6aK(-t-^V-eW>O~{VP6-mj{`kpL*=KdR0$j%D%gh z+lm&DqOtP&zjhzW>mTnHIs>!M!Fi8O7}kG%Lv{qAvtD>3{U#dN9QC)WU!ov~LhZkF zX@^SB+O;3sY7J_r(uV?jxrewP7c~|Wguv8h?b!aYd^6gm4EaNIYHk^1tVpBJriV5S;sKHE zgxQg03H|kP@1kAD-%V<>&+`nC(7Ak|iRfg&kBXlyGd%iyZ6ZD_(1wj{d0j#|cFwPa zQ{rOs8GRE2QT(((IoqHxaa1(dcDn*4BYA3J=zI(j*R>m`eC?qX%cea3uWq=Acv>Z; zkCWv&n7@fiMm<%v6Sh8SRx2)?{aoPhn2*QnsUiyANBsCsE}!^6vXeC-_9RUSW(-k| zH^KZHJ%*Q)u1z?yMak?L;=Gw%(?7l7EiU|VWNQu#kCnJ=?xwZ?C6$chZZo47LrC*) zVo#xOH)IhR={0omse83@j8YiD_ZHunC~UUg_@Dx!7tAJ`5eC@V6^RhApdb#jS3iV8zsEYl8_NFx_u{O9&Ca0Hp{^= zCV0#7zt4jYUUjRrMJexNh$IK+aIw-W!&c^qa@HrCzNr>~rEQs+b<&p8nQJjNLgHn2 zK&HuWY?OS^+Lo6tyUyf@jHfT(9}jQ}m6SX$&Dj5`(h;wJs#{CnyA$&n#w~r{E{gLl zggnUqtHPuMXr_neHlM0E+z6WRr-nu!s`t2*TdjsZ(80j-{L;ZPkwC+z;t5c4t?P)A 
zo>F^4M31Wmyu^JQ3dp$_q=GgU`~4kCK^H(&bGp>FUinw`KLPeD#))uD{3COp2yz#j za~m3q_vGNHlKb*6RxjBE4*${f)6ML4+yn-O9qGi^VD@FXzhjFCmF_Wv#Ct(-8o a`IDLQM8)l8GyF3KHmaqqMU~mnxc>l#(l+h@ literal 0 HcmV?d00001 
diff --git a/windows/configuration/images/kiosk-wizard.png b/windows/configuration/images/kiosk-wizard.png new file mode 100644 index 0000000000000000000000000000000000000000..160e170e5c6c47564ffe6e2bd9501a427f583301 GIT binary patch literal 6624
diff --git a/windows/configuration/images/kiosk.png b/windows/configuration/images/kiosk.png new file mode 100644 index 0000000000000000000000000000000000000000..868ea31bb1a9167fdd32d814f36d29c3820ca255 GIT binary patch literal 4352
diff --git a/windows/configuration/images/set-assignedaccess.png b/windows/configuration/images/set-assignedaccess.png new file mode 100644 index 0000000000000000000000000000000000000000..c2899361eb0b062549e32ff32705fdfc059eca0f GIT binary patch literal 7012
diff --git a/windows/configuration/images/user.PNG b/windows/configuration/images/user.PNG new file mode 100644 index 0000000000000000000000000000000000000000..d1386d4a0dbab1be7f85cced673cb57a9fc7e490 GIT binary patch literal 2312
When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.

A single-app kiosk is ideal for public use.

(Using [ShellLauncher WMI](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) + | **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.

A multi-app kiosk is appropriate for devices that are shared by multiple people.

When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. | ![Illustration of a kiosk Start screen](images/kiosk-desktop.png) + +Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. + +There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions. + +| | | +--- | --- +![icon that represents apps](images/office-logo.png) | **Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md) +![icon that represents a kiosk](images/kiosk.png) | **Which type of kiosk do you need?** If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop). +![icon that represents Windows](images/windows.png) | **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. +![icon that represents a user account](images/user.png) | **Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. 
If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. + + + +## Methods for a single-app kiosk running a UWP app + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[Assigned access in Settings](kiosk-single-app.md#local) | Pro, Ent, Edu | Local standard user +[Assigned access cmdlets](kiosk-single-app.md#powershell) | Pro, Ent, Edu | Local standard user +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD + + +## Methods for a single-app kiosk running a Windows desktop application + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD +[ShellLauncher WMI](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD + + +## Methods for a multi-app kiosk + +You can use this method | For this edition | For this kiosk account type +--- | --- | --- +[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Active Directory, Azure AD +[Microsoft Intune or other MDM](lock-down-windows-10-to-specific-apps.md) | Pro, Ent, Edu | Local standard user, Azure AD +[MDM WMI Bridge Provider](kiosk-mdm-bridge.md) | Pro, Ent, Edu | Local standard user, Active 
Directory, Azure AD + +## Summary of kiosk configuration methods + +Method | App type | Account type | Single-app kiosk | Multi-app kiosk +--- | --- | --- | :---: | :---: +[Assigned access in Settings](kiosk-single-app.md#local) | UWP | Local account | X | +[Assigned access cmdlets](kiosk-single-app.md#powershell) | UWP | Local account | X | +[The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | +[XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | X +Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X +[ShellLauncher WMI](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | +[MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | X + + +>[!NOTE] +>For devices running Windows 10 Enterprise and Education, version 1703 and earlier, you can use [AppLocker](lock-down-windows-10-applocker.md) to lock down a device to specific apps. + diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md new file mode 100644 index 0000000000..b6fe2acd42 --- /dev/null +++ b/windows/configuration/kiosk-policies.md 
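Review bot: In the kiosk methods page that ends just above, the multi-app table names the kiosk-mdm-bridge.md method "MDM WMI Bridge Provider" while the summary table names it "MDM Bridge WMI Provider"; pick one name and use it in both tables. The summary table also gives the account type for the two assigned access rows as "Local account" where the per-method tables say "Local standard user", and it marks "XML in a provisioning package" as a single-app method although neither single-app table lists it. The account-type question in this hunk offers a local administrator account as a kiosk account option, so a link from that row to the least-privilege warning added in kiosk-prepare.md would help readers choose.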
@@ -0,0 +1,82 @@ +--- +title: Policies enforced on kiosk devices (Windows 10) +description: Learn about the policies enforced on a device when you configure it as a kiosk. +ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 +keywords: ["lockdown", "app restrictions", "applocker"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: edu, security +author: jdeckerms +ms.localizationpriority: high +ms.date: 07/30/2018 +ms.author: jdecker +--- + +# Policies enforced on kiosk devices + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + + + +It is not recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience. + +When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. + + +## Group Policy + +The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users. 
+ +| Setting | Value | +| --- | --- | +Remove access to the context menus for the task bar | Enabled +Clear history of recently opened documents on exit | Enabled +Prevent users from customizing their Start Screen | Enabled +Prevent users from uninstalling applications from Start | Enabled +Remove All Programs list from the Start menu | Enabled +Remove Run menu from Start Menu | Enabled +Disable showing balloon notifications as toast | Enabled +Do not allow pinning items in Jump Lists | Enabled +Do not allow pinning programs to the Taskbar | Enabled +Do not display or track items in Jump Lists from remote locations | Enabled +Remove Notifications and Action Center | Enabled +Lock all taskbar settings | Enabled +Lock the Taskbar | Enabled +Prevent users from adding or removing toolbars | Enabled +Prevent users from resizing the taskbar | Enabled +Remove frequent programs list from the Start Menu | Enabled +Remove Pinned programs from the taskbar | Enabled +Remove the Security and Maintenance icon | Enabled +Turn off all balloon notifications | Enabled +Turn off feature advertisement balloon notifications | Enabled +Turn off toast notifications | Enabled +Remove Task Manager | Enabled +Remove Change Password option in Security Options UI | Enabled +Remove Sign Out option in Security Options UI | Enabled +Remove All Programs list from the Start Menu | Enabled – Remove and disable setting +Prevent access to drives from My Computer | Enabled - Restrict all drivers + +>[!NOTE] +>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. 
This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. + + + +## MDM policy + + +Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide). + +Setting | Value | System-wide + --- | --- | --- +[Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes +[Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes +Start/HidePeopleBar | 1 - True (hide) | No +[Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes +[WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes +[Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No +[WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes + diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md new file mode 100644 index 0000000000..a9fa30337a --- /dev/null +++ b/windows/configuration/kiosk-prepare.md 
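Review bot: The Group Policy table in kiosk-policies.md lists "Remove All Programs list from the Start menu" twice with different values ("Enabled" and "Enabled – Remove and disable setting"); keep one row with the value that is actually enforced. In the last row, "Enabled - Restrict all drivers" should read "drives" to match the setting name, and the note under the table has the typo "expalining". That note states the drive restriction does not stop programs or the Disk Management snap-in from reaching drives, so consider saying near the top of the page that these policies restrict the shell experience and are not a file system access control. In the MDM table, Start/HidePeopleBar is the only setting without a link, and the Start/HideChangeAccountSettings link is the only one with an /en-us/ locale segment.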
@@ -0,0 +1,81 @@ +--- +title: Prepare a device for kiosk configuration (Windows 10) +description: Some tips for device settings on kiosks. +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: high +ms.date: 07/30/2018 +--- + +# Prepare a device for kiosk configuration + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + +>[!WARNING] +>For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account. +> +>Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. + + +For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: + +Recommendation | How to +--- | --- +Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`

[Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)

You must restart the device after changing the registry. +Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. +Hide **Ease of access** feature on the sign-in screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. +Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. +Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** +Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. +Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. +Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. + +In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. + +>[!TIP] +>If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML. + + +**How to edit the registry to have an account sign in automatically** + +1. Open Registry Editor (regedit.exe). + + >[!NOTE]   + >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). +   + +2. Go to + + **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** + +3. Set the values for the following keys. + + - *AutoAdminLogon*: set value as **1**. + + - *DefaultUserName*: set value as the account that you want signed in. + + - *DefaultPassword*: set value as the password for the account. + + > [!NOTE] + > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + + - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. + +4. Close Registry Editor. The next time the computer restarts, the account will sign in automatically. 
+ +>[!TIP] +>You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon). + + + + + + + diff --git a/windows/configuration/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md deleted file mode 100644 index 4627f16d24..0000000000 --- a/windows/configuration/kiosk-shared-pc.md +++ /dev/null 
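Review bot: Step 3 of the automatic sign-in procedure in kiosk-prepare.md has the reader put the account password in a *DefaultPassword* String Value, but nothing in the steps says the password then sits in the registry as readable text; add that caveat next to the step and repeat the least-privilege recommendation from the warning at the top of the page. Step 2 writes the key as "SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon": the key name is "Windows NT" with a space, and the backslash escaping is inconsistent within the path. In the first table row, DisplayDisabled is a value under the CrashControl key, so "Add the following registry key as DWORD" should say "registry value". The front matter uses ms.assetid 428680AE-A05F-43ED-BD59-088024D1BFCC, which kiosk-shelllauncher.md and kiosk-single-app.md in this patch also carry.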
@@ -1,26 +0,0 @@ ---- -title: Configure kiosk and shared devices running Windows desktop editions (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: jdeckerms -ms.author: jdecker -ms.topic: article -ms.date: 08/08/2017 ---- - -# Configure kiosk and shared devices running Windows desktop editions - -Some desktop devices in an enterprise serve a special purpose, such as a common PC in a touchdown space that any employee can sign in to, or a PC in the lobby that customers can use to view your product catalog. Windows 10 is easy to configure for shared use or for use as a kiosk (single app). - -## In this section - -| Topic | Description | -| --- | --- | -| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. | -| [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. | -| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. | -| [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. 
For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. | \ No newline at end of file diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md new file mode 100644 index 0000000000..b25eb4e96a --- /dev/null +++ b/windows/configuration/kiosk-shelllauncher.md 
@@ -0,0 +1,201 @@ +--- +title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10) +description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: high +ms.date: 07/30/2018 +--- + +# Use Shell Launcher to create a Windows 10 kiosk + + +**Applies to** +>App type: Windows desktop application +> +>OS edition: Windows 10 Ent, Edu +> +>Account type: Local standard user or administrator, Active Directory, Azure AD + + +Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. + +>[!NOTE] +>You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](#wizard). + +>[!WARNING] +>- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image. +>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. + +### Requirements + +- A domain or local user account. + +- A Windows desktop application that is installed for that account. 
The app can be your own company application or a common app like Internet Explorer. + +[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) + + +### Configure Shell Launcher + +To set a Windows desktop application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. + +**To turn on Shell Launcher in Windows features** + +1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. + +2. Expand **Device Lockdown**. + +2. Select **Shell Launcher** and **OK**. + +Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. + +**To turn on Shell Launcher using DISM** + +1. Open a command prompt as an administrator. +2. Enter the following command. + + ``` + Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher + ``` + +**To set your custom shell** + +Modify the following PowerShell script as appropriate. The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. 
+ +``` +# Check if shell launcher license is enabled +function Check-ShellLauncherLicenseEnabled +{ + [string]$source = @" +using System; +using System.Runtime.InteropServices; + +static class CheckShellLauncherLicense +{ + const int S_OK = 0; + + public static bool IsShellLauncherLicenseEnabled() + { + int enabled = 0; + + if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { + enabled = 0; + } + + return (enabled != 0); + } + + static class NativeMethods + { + [DllImport("Slc.dll")] + internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); + } + +} +"@ + + $type = Add-Type -TypeDefinition $source -PassThru + + return $type[0]::IsShellLauncherLicenseEnabled() +} + +[bool]$result = $false + +$result = Check-ShellLauncherLicenseEnabled +"`nShell Launcher license enabled is set to " + $result +if (-not($result)) +{ + "`nThis device doesn't have required license to use Shell Launcher" + exit +} + +$COMPUTER = "localhost" +$NAMESPACE = "root\standardcimv2\embedded" + +# Create a handle to the class instance so we can call the static methods. +try { + $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" + } catch [Exception] { + write-host $_.Exception.Message; + write-host "Make sure Shell Launcher feature is enabled" + exit + } + + +# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. + +$Admins_SID = "S-1-5-32-544" + +# Create a function to retrieve the SID for a user account on a machine. + +function Get-UsernameSID($AccountName) { + + $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) + $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) + + return $NTUserSID.Value + +} + +# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. 
+ +$Cashier_SID = Get-UsernameSID("Cashier") + +# Define actions to take when the shell program exits. + +$restart_shell = 0 +$restart_device = 1 +$shutdown_device = 2 + +# Examples. You can change these examples to use the program that you want to use as the shell. + +# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. + +$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) + +# Display the default shell to verify that it was added correctly. + +$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() + +"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction + +# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. + +$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) + +# Set Explorer as the shell for administrators. + +$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") + +# View all the custom shells defined. + +"`nCurrent settings for custom shells:" +Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction + +# Enable Shell Launcher + +$ShellLauncherClass.SetEnabled($TRUE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled + +# Remove the new custom shells. + +$ShellLauncherClass.RemoveCustomShell($Admins_SID) + +$ShellLauncherClass.RemoveCustomShell($Cashier_SID) + +# Disable Shell Launcher + +$ShellLauncherClass.SetEnabled($FALSE) + +$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + +"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled +``` diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md new file mode 100644 index 0000000000..68dc1a807c --- /dev/null 
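Review bot: In the sample script in kiosk-shelllauncher.md, the comment on the Cashier example says to "restart the machine if Internet Explorer is closed" but the call passes $restart_shell; change the comment or pass $restart_device. The script also ends by calling RemoveCustomShell for both SIDs and SetEnabled($FALSE), so a reader who follows "run the script on the kiosk device" finishes with Shell Launcher disabled; move the teardown into a separate, clearly labelled cleanup section. The default shell example uses cmd.exe, which hands a command prompt to every account that has no custom shell, so a placeholder kiosk application would be a safer line to copy. Outside the script, the first note links the wizard as (#wizard), an anchor the other pages in this patch reference as kiosk-single-app.md#wizard, and the "turn on Shell Launcher in Windows features" steps are numbered 1, 2, 2.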
+++ b/windows/configuration/kiosk-single-app.md @@ -0,0 +1,244 @@ +--- +title: Set up a single-app kiosk (Windows 10) +description: A single-use device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: high +ms.date: 07/30/2018 +--- + +# Set up a single-app kiosk + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + + + +| | | +--- | --- +A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen.

When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. | ![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png) + +You have several options for configuring your single-app kiosk. + +Method | Description +--- | --- +[Assigned access in Settings](#local) | The **Assigned Access** option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

This method is supported on Windows 10 Pro, Enterprise, and Education. +[PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

This method is supported on Windows 10 Pro, Enterprise, and Education. +[The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.

This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. +[Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.

This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. + + +>[!TIP] +>You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile). + + + + +## Set up a kiosk in local Settings + +>App type: UWP +> +>OS edition: Windows 10 Pro, Ent, Edu +> +>Account type: Local standard user + +You can use **Settings** to quickly configure one or a few devices as a kiosk. When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) + +![The Set up assigned access page in Settings](images/kiosk-settings.png) + +**To set up assigned access in PC settings** + +1. Go to **Start** > **Settings** > **Accounts** > **Other people**. + +2. Choose **Set up assigned access**. + +3. Choose an account. + +4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). + +5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. + +To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. + +When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. 
+ +- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. + +- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. + +![Screenshot of automatic sign-in setting](images/auto-signin.png) + + + + + + +## Set up a kiosk using Windows PowerShell + + +>App type: UWP +> +>OS edition: Windows 10 Pro, Ent, Edu +> +>Account type: Local standard user + +![PowerShell windows displaying Set-AssignedAccess cmdlet](images/set-assignedaccess.png) + +You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. + +Before you run the cmdlet: + +1. Log in as administrator. +2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access. +3. Log in as the Assigned Access user account. +4. Install the Universal Windows app that follows the assigned access/above the lock guidelines. +5. Log out as the Assigned Access user account. +6. Log in as administrator. + +To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. 
+ +**Configure assigned access by AppUserModelID and user name** + +``` +Set-AssignedAccess -AppUserModelId -UserName +``` +**Configure assigned access by AppUserModelID and user SID** + +``` +Set-AssignedAccess -AppUserModelId -UserSID +``` +**Configure assigned access by app name and user name** + +``` +Set-AssignedAccess -AppName -UserName +``` +**Configure assigned access by app name and user SID** + +``` +Set-AssignedAccess -AppName -UserSID +``` + +> [!NOTE] +> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. + +[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). + +[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). + +[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). + +To remove assigned access, using PowerShell, run the following cmdlet. + +``` +Clear-AssignedAccess +``` + + + +## Set up a kiosk using the kiosk wizard in Windows Configuration Designer + +>App type: UWP or Windows desktop application +> +>OS edition: Windows 10 Pro (version 1709 and later) for UWP only; Ent, Edu for both app types +> +>Account type: Local standard user, Active Directory + +![Kiosk wizard option in Windows Configuration Designer](images/kiosk-wizard.png) + + +>[!IMPORTANT] +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). + +When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application. 
+ + +[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. + + + + + + + + + + + + +
![step one](images/one.png)![set up device](images/set-up-device.png)

Enable device setup if you want to configure settings on this page.

**If enabled:**

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

You can also select to remove pre-installed software from the device.
![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

Enable network setup if you want to configure settings on this page.

**If enabled:**

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
![Enter network SSID and type](images/set-up-network-details.png)
![step three](images/three.png) ![account management](images/account-management.png)

Enable account management if you want to configure settings on this page.

**If enabled:**

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
![step four](images/four.png) ![add applications](images/add-applications.png)

You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
![add an application](images/add-applications-details.png)
![step five](images/five.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
![add a certificate](images/add-certificates-details.png)
![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
![Configure kiosk account and app](images/kiosk-account-details.png)
![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
![Protect your package](images/finish-details.png)
+ + +>[!NOTE] +>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** + +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + + + + +[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) + + + + + +  + + + +## Set up a kiosk or digital sign using Microsoft Intune or other MDM service + +>App type: UWP +> +>OS edition: Windows 10 Pro (version 1709), Ent, Edu +> +>Account type: Local standard user, Azure AD + +![The configuration settings for single-app kiosk in Microsoft Intune](images/kiosk-intune.png) + +Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. + +>[!TIP] +>Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). + +The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. + +**To configure kiosk in Microsoft Intune** + +2. 
In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. +3. Select **Device configuration**. +4. Select **Profiles**. +5. Select **Create profile**. +6. Enter a friendly name for the profile. +7. Select **Windows 10 and later** for the platform. +8. Select **Device restrictions** for the profile type. +9. Select **Kiosk**. +10. In **Kiosk Mode**, select **Single app kiosk**. +1. Enter the user account (Azure AD or a local standard user account). +11. Enter the Application User Model ID for an installed app. +14. Select **OK**, and then select **Create**. +18. Assign the profile to a device group to configure the devices in that group as kiosks. + + + +## Sign out of assigned access + +To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. + +If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: + +**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** + +To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. + +  + + + diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md new file mode 100644 index 0000000000..d46cd63941 --- /dev/null +++ b/windows/configuration/kiosk-validate.md 
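Review bot: The link in the added [!IMPORTANT] callout about Exchange Active Sync (kiosk wizard section) is malformed: `[How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows)` closes the link text with `}` instead of `]`, so it will not render as a link. Replace the brace with `]` and change "For more informations" to "For more information" on the same line. Also, the "To configure kiosk in Microsoft Intune" steps are numbered 2, 3, ... 10, 1, 11, 14, 18 in the source; a renderer that takes the start number from the first item may show the procedure beginning at step 2, so renumber the list from 1.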
@@ -0,0 +1,94 @@ +--- +title: Validate kiosk configuration (Windows 10) +description: This topic explains what to expect on a multi-app kiosk. +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: high +ms.date: 07/30/2018 +--- + +# Validate kiosk configuration + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + +To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device. + +Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**. + +To test the kiosk, sign in with the assigned access user account you specified in the configuration to check out the multi-app experience. + +>[!NOTE] +>The kiosk configuration setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience. + +The following sections explain what to expect on a multi-app kiosk. + +### App launching and switching experience + +In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window. + +The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. 
They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar. + +### Start changes + +When the assigned access user signs in, you should see a restricted Start experience: +- Start gets launched in full screen and prevents the end user from accessing the desktop. +- Start shows the layout aligned with what you defined in the multi-app configuration XML. +- Start prevents the end user from changing the tile layout. + - The user cannot resize, reposition, and unpin the tiles. + - The user cannot pin additional tiles on the start. +- Start hides **All Apps** list. +- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders). +- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).) +- Start hides **Change account settings** option under **User** button. + +### Taskbar changes + +If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience: +- Disables context menu of Start button (Quick Link) +- Disables context menu of taskbar +- Prevents the end user from changing the taskbar +- Disables Cortana and Search Windows +- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace +- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings + +### Blocked hotkeys + +The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. 
+ +| Hotkey | Action | +| --- | --- | +| Windows logo key + A | Open Action center | +| Windows logo key + Shift + C | Open Cortana in listening mode | +| Windows logo key + D | Display and hide the desktop | +| Windows logo key + Alt + D | Display and hide the date and time on the desktop | +| Windows logo key + E | Open File Explorer | +| Windows logo key + F | Open Feedback Hub | +| Windows logo key + G | Open Game bar when a game is open | +| Windows logo key + I | Open Settings | +| Windows logo key + J | Set focus to a Windows tip when one is available. | +| Windows logo key + O | Lock device orientation | +| Windows logo key + Q | Open search | +| Windows logo key + R | Open the Run dialog box | +| Windows logo key + S | Open search | +| Windows logo key + X | Open the Quick Link menu | +| Windows logo key + comma (,) | Temporarily peek at the desktop | +| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) | + + + +### Locked-down Ctrl+Alt+Del screen + +The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience. + +### Auto-trigger touch keyboard + +In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior. + + diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 74cdfe88e1..9be99277a6 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 04/30/2018 +ms.date: 07/30/2018 ms.author: jdecker ms.topic: article --- 
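Review bot: In the new kiosk-validate.md, the sections start at `###` ("App launching and switching experience", "Start changes", "Taskbar changes", and so on) directly under the `#` title, skipping the `##` level they sat under in the "## Validate multi-app kiosk configuration" section this content was moved from. Promote them to `##` or add a `##` parent heading. The title "Validate kiosk configuration" is also broader than the description and body, which cover only the multi-app experience; narrow the title or state in the intro that single-app kiosks are not covered here.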
diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index de93d13008..876d2a663d 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 08/14/2017 +ms.date: 07/30/2018 ms.author: jdecker ms.topic: article --- @@ -37,7 +37,7 @@ This topic describes how to lock down apps on a local device. You can also use A ## Install apps -First, install the desired apps on the device for the target user account(s). This works for both Store and Win32. For Store apps, you must log on as that user for the app to install. For Win32 you can install an app for all users without logging on to the particular account. +First, install the desired apps on the device for the target user account(s). This works for both Unified Windows Platform (UWP) apps and Windows desktop apps. For UWP apps, you must log on as that user for the app to install. For desktop apps, you can install an app for all users without logging on to the particular account. ## Use AppLocker to set rules for apps diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 8e3162d8d0..7793d23b83 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -1,5 +1,5 @@ --- -title: Create a Windows 10 kiosk that runs multiple apps (Windows 10) +title: Set up a multi-app kiosk (Windows 10) description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps. ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 keywords: ["lockdown", "app restrictions", "applocker"] 
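Review bot: In lock-down-windows-10-applocker.md, the rewritten "Install apps" paragraph expands UWP as "Unified Windows Platform (UWP)", while every other topic in this patch uses "Universal Windows Platform (UWP)". Change "Unified" to "Universal" in that added line.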
@@ -9,29 +9,29 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 06/21/2018 +ms.date: 07/30/2018 ms.author: jdecker ms.topic: article --- -# Create a Windows 10 kiosk that runs multiple apps +# Set up a multi-app kiosk **Applies to** - Windows 10 Pro, Enterprise, and Education -A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) has been expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also: + +A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also: - Configure [a single-app kiosk profile](#profile) in your XML file. - Assign [group accounts to a config profile](#config-for-group-accounts). - Configure [an account to sign in automatically](#config-for-autologon-account). - -The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. 
+The benefit of a kiosk with desktop that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. >[!WARNING] ->The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](#policies-set-by-multi-app-kiosk-configuration) are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. +>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). @@ -65,7 +65,6 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi >Managed apps are apps that are in the Microsoft Store for Business that is synced with your Intune subscription. - ## Configure a kiosk using a provisioning package Process: 
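Review bot: In the intro hunk of lock-down-windows-10-to-specific-apps.md, the replacement sentence "The benefit of a kiosk with desktop that runs only one or more specified apps is to provide ..." is hard to parse ("only one or more") and drops the "multi-app kiosk" term that the new page title introduces. Suggest keeping the term, for example "The benefit of a multi-app kiosk, which runs only the apps you specify, is to provide ...". In the same hunk, the warning now mixes "multi-app assigned access configuration" and "kiosk configuration" for the same thing; use one of them in both sentences.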
@@ -77,12 +76,12 @@ Watch how to use a provisioning package to configure a multi-app kiosk. >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] -If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](#bridge). +If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md). ### Prerequisites -- Windows Configuration Designer (Windows 10, version 1709) -- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 +- Windows Configuration Designer (Windows 10, version 1709 or later) +- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later >[!NOTE] >For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. @@ -161,7 +160,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can ##### AllowedApps -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Classic Windows desktop apps. +**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. 
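Review bot: The context line directly below the changed **AllowedApps** sentence still reads "When the mult-app kiosk configuration is applied to a device"; since this paragraph is being edited for terminology, fix "mult-app" to "multi-app" in the same change. The new sentence says "Windows desktop applications" while the following one says "desktop apps", so pick one form for this section.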
@@ -479,10 +478,7 @@ Provisioning packages can be applied to a device during the first-run experience -### Validate provisioning -- Go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device, including the one you applied for the multi-app configuration. -- Optionally, run Event Viewer (eventvwr.exe) and look through logs under **Applications and Services Logs** > **Microsoft** > **Windows** > **Provisioning-Diagnostics-Provider** > **Admin**. 
@@ -496,147 +492,9 @@ If your device is enrolled with a MDM server which supports applying the assigne The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`. - -## Use MDM Bridge WMI Provider to configure assigned access - -Environments that use WMI can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the MDM_AssignedAccess class. See [PowerShell Scripting with WMI Bridge Provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/using-powershell-scripting-with-the-wmi-bridge-provider) for more details about using a PowerShell script to configure AssignedAccess. - -Here’s an example to set AssignedAccess configuration: - -1. Download the [psexec tool](https://technet.microsoft.com/sysinternals/bb897553.aspx). -2. Run `psexec.exe -i -s cmd.exe`. -3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell. -4. Execute the following script: - -```ps -$nameSpaceName="root\cimv2\mdm\dmmap" -$className="MDM_AssignedAccess" -$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className -$obj.Configuration = @" -<?xml version="1.0" encoding="utf-8" ?> -<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"> - <Profiles> - <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"> - <AllAppsList> - <AllowedApps> - <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - <App DesktopAppPath="%windir%\system32\mspaint.exe" /> - <App DesktopAppPath="C:\Windows\System32\notepad.exe" /> - </AllowedApps> - </AllAppsList> - <StartLayout> - <![CDATA[<LayoutModificationTemplate 
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"> - <LayoutOptions StartTileGroupCellWidth="6" /> - <DefaultLayoutOverride> - <StartLayoutCollection> - <defaultlayout:StartLayout GroupCellWidth="6"> - <start:Group Name="Group1"> - <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - </start:Group> - <start:Group Name="Group2"> - <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" /> - <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" /> - </start:Group> - </defaultlayout:StartLayout> - </StartLayoutCollection> - </DefaultLayoutOverride> - </LayoutModificationTemplate> - ]]> - </StartLayout> - <Taskbar ShowTaskbar="true"/> - </Profile> - </Profiles> - <Configs> - <Config> - <Account>MultiAppKioskUser</Account> - <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/> - </Config> - </Configs> -</AssignedAccessConfiguration> -"@ - -Set-CimInstance -CimInstance $obj -``` - - -## Validate multi-app kiosk configuration - -Sign in with the assigned access user account you specified in the configuration to check out the multi-app experience. 
- ->[!NOTE] ->The setting will take effect the next time the assigned access user signs in. If that user account is signed in when you apply the configuration, make sure the user signs out and signs back in to validate the experience. - -The following sections explain what to expect on a multi-app kiosk. - -### App launching and switching experience - -In the multi-app mode, to maximize the user productivity and streamline the experience, an app will be always launched in full screen when the users click the tile on the Start. The users can minimize and close the app, but cannot resize the app window. - -The users can switch apps just as they do today in Windows. They can use the Task View button, Alt + Tab hotkey, and the swipe in from the left gesture to view all the open apps in task view. They can click the Windows button to show Start, from which they can open apps, and they can switch to an opened app by clicking it on the taskbar. - -### Start changes - -When the assigned access user signs in, you should see a restricted Start experience: -- Start gets launched in full screen and prevents the end user from accessing the desktop. -- Start shows the layout aligned with what you defined in the multi-app configuration XML. -- Start prevents the end user from changing the tile layout. - - The user cannot resize, reposition, and unpin the tiles. - - The user cannot pin additional tiles on the start. -- Start hides **All Apps** list. -- Start hides all the folders on Start (including File Explorer, Settings, Documents, Downloads, Music, Pictures, Videos, HomeGroup, Network, and Personal folders). -- Only **User** and **Power** buttons are available. (You can control whether to show the **User/Power** buttons using [existing policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start).) -- Start hides **Change account settings** option under **User** button. 
- -### Taskbar changes - -If the applied multi-app configuration enables taskbar, when the assigned access user signs in, you should see a restricted Taskbar experience: -- Disables context menu of Start button (Quick Link) -- Disables context menu of taskbar -- Prevents the end user from changing the taskbar -- Disables Cortana and Search Windows -- Hides notification icons and system icons, e.g. Action Center, People, Windows Ink Workspace -- Allows the end user to view the status of the network connection and power state, but disables the flyout of **Network/Power** to prevent end user from changing the settings - -### Blocked hotkeys - -The multi-app mode blocks the following hotkeys, which are not relevant for the lockdown experience. - -| Hotkey | Action | -| --- | --- | -| Windows logo key + A | Open Action center | -| Windows logo key + Shift + C | Open Cortana in listening mode | -| Windows logo key + D | Display and hide the desktop | -| Windows logo key + Alt + D | Display and hide the date and time on the desktop | -| Windows logo key + E | Open File Explorer | -| Windows logo key + F | Open Feedback Hub | -| Windows logo key + G | Open Game bar when a game is open | -| Windows logo key + I | Open Settings | -| Windows logo key + J | Set focus to a Windows tip when one is available. | -| Windows logo key + O | Lock device orientation | -| Windows logo key + Q | Open search | -| Windows logo key + R | Open the Run dialog box | -| Windows logo key + S | Open search | -| Windows logo key + X | Open the Quick Link menu | -| Windows logo key + comma (,) | Temporarily peek at the desktop | -| Windows logo key + Ctrl + F | Search for PCs (if you're on a network) | -### Locked-down Ctrl+Alt+Del screen - -The multi-app mode removes options (e.g. **Change a password**, **Task Manager**, **Network**) in the Ctrl+Alt+Del screen to ensure the users cannot access the functionalities that are not allowed in the lockdown experience. 
- -### Auto-trigger touch keyboard - -In the multi-app mode, the touch keyboard will be automatically triggered when there is an input needed and no physical keyboard is attached on touch-enabled devices. You don’t need to configure any other setting to enforce this behavior. @@ -756,3 +614,6 @@ In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceCont - Under **CommandLine**, enter `cmd /c *FileName*.bat`. +## Other methods + +Environments that use WMI can use the [MDM Bridge WMI Provider to configure a kiosk](kiosk-mdm-bridge.md). \ No newline at end of file diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index d77388e0cb..1628b1c866 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -52,10 +52,10 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

Keyboard filter is added in Windows 10, version 1511. As in Windows Embedded Industry 8.1, Keyboard Filter is an optional component that can be turned on via Turn Windows Features On/Off. Keyboard Filter (in addition to the WMI configuration previously available) will be configurable through Windows Imaging and Configuration Designer (ICD) in the SMISettings path.

-

[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Classic Windows application on sign-on

+

[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=626676): launch a Windows desktop application on sign-on

[Shell Launcher](https://go.microsoft.com/fwlink/p/?LinkId=618603)

Shell Launcher continues in Windows 10. It is now configurable in Windows ICD under the SMISettings category.

-

Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Classic Windows application.

+

Learn [how to use Shell Launcher to create a kiosk device](https://go.microsoft.com/fwlink/p/?LinkId=626922) that runs a Windows desktop application.

[Application Launcher]( https://go.microsoft.com/fwlink/p/?LinkId=626675): launch a Universal Windows Platform (UWP) app on sign-on
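Review bot: The Keyboard Filter and Shell Launcher cells in this hunk still say "Windows Imaging and Configuration Designer (ICD)" and "Windows ICD", while the other topics in this patch call the tool Windows Configuration Designer. Since this hunk is already replacing "Classic Windows application" with "Windows desktop application", update those references in the same pass. The `[Application Launcher]( https://go.microsoft.com/fwlink/p/?LinkId=626675)` link also has a space after the opening parenthesis that should be removed.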

diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/multi-app-kiosk-troubleshoot.md index 0ee82de1b3..6857cf8aac 100644 --- a/windows/configuration/multi-app-kiosk-troubleshoot.md +++ b/windows/configuration/multi-app-kiosk-troubleshoot.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 09/27/2017 +ms.date: 07/30/2018 ms.author: jdecker ms.topic: article --- @@ -31,7 +31,7 @@ For example: **Troubleshooting steps** -1. [Verify that the provisioning package is applied successfully](lock-down-windows-10-to-specific-apps.md#validate-provisioning). +1. [Verify that the provisioning package is applied successfully](kiosk-validate.md). 2. Verify that the account (config) is mapped to a profile in the configuration XML file. 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 17162822c3..9979020ba7 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -82,7 +82,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L ![step one](../images/one.png)![set up device](../images/set-up-device.png)

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](../set-up-shared-or-guest-pc.md)

You can also select to remove pre-installed software from the device. ![device name, upgrade to enterprise, shared use, remove pre-installed software](../images/set-up-device-details-desktop.png) ![step two](../images/two.png) ![set up network](../images/set-up-network.png)

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.![Enter network SSID and type](../images/set-up-network-details-desktop.png) ![step three](../images/three.png) ![account management](../images/account-management.png)

Enable account management if you want to configure settings on this page.

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. ![join Active Directory, Azure AD, or create a local admin account](../images/account-management-details.png) -![step four](../images/four.png) ![add applications](../images/add-applications.png)

You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). ![add an application](../images/add-applications-details.png) +![step four](../images/four.png) ![add applications](../images/add-applications.png)

You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md). ![add an application](../images/add-applications-details.png) ![step five](../images/five.png) ![add certificates](../images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.![add a certificate](../images/add-certificates-details.png) ![finish](../images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.![Protect your package](../images/finish-details.png) diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index bacec7e70a..9f7712c5d3 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -20,7 +20,7 @@ ms.date: 09/06/2017 - Windows 10 -In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Classic Windows (Win32) applications in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. +In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv). @@ -35,7 +35,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate - **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app -## Settings for Classic Windows apps +## Settings for Windows desktop applications ### MSI installer 
@@ -61,7 +61,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate -## Add a Classic Windows app using advanced editor in Windows Configuration Designer +## Add a Windows desktop application using advanced editor in Windows Configuration Designer 1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index b05f6637ed..c0cbd3ed3f 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -43,7 +43,7 @@ You use Windows Configuration Designer to create a provisioning package (.ppkg) - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) - - [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard) + - [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 4bbbf8ad10..2a331f5839 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md 
@@ -86,7 +86,7 @@ The following table describes settings that you can configure using the wizards - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) -- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard) +- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) - [Instructions for the HoloLens wizard](https://docs.microsoft.com/hololens/hololens-provisioning#wizard) diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md new file mode 100644 index 0000000000..c0fdbf85d4 --- /dev/null +++ b/windows/configuration/setup-digital-signage.md 
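Review bot: the kiosk wizard link in this hunk now points at `../kiosk-single-app.md#wizard`, and the same retarget is made in provisioning-create-package.md, but the part of the patch shown here does not show kiosk-single-app.md defining a `wizard` anchor. The old target, setup-kiosk-digital-signage.md, is deleted in the same patch, so please confirm the anchor exists in the new topic. Otherwise both links will land at the top of the page instead of on the wizard instructions.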
@@ -0,0 +1,87 @@ +--- +title: Set up digital signs on Windows 10 (Windows 10) +description: A single-use device such as a digital sign is easy to set up in Windows 10 (Pro, Enterprise, and Education). +ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC +keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.localizationpriority: high +ms.date: 07/30/2018 +--- + +# Set up digital signs on Windows 10 + + +**Applies to** + +- Windows 10 Pro, Enterprise, and Education + +Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed. + +For digital signage, simply select a digital sign player as your kiosk app. You can also use the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content. + +>[!TIP] +>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). + +Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803. + +>[!NOTE] +>If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](https://docs.microsoft.com/microsoft-store/sign-up-microsoft-store-for-business). 
+ + +This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience). + +1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) +2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app) +2. [Install Windows Configuration Designer.](~/provisioning-packages/provisioning-install-icd.md) +3. Open Windows Configuration Designer and select **Provision kiosk devices**. +4. Enter a friendly name for the project, and select **Finish**. +5. On **Set up device**, select **Disabled**, and select **Next**. +6. On **Set up network**, enable network setup. + - Toggle **On** wireless network connectivity. + - Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network. +7. On **Account management**, select **Disabled**, and select **Next**. +8. On **Add applications**, select **Add an application**. + - For **Application name**, enter `Kiosk Browser`. + - For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed. + - For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business. + - The **Package family name** is populated automatically. + - Select **Next**. +9. On **Add certificates**, select **Next**. +10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage. + - Enter a user name and password, and toggle **Auto sign-in** to **Yes**. 
+ - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating. + - For **App type**, select **Universal Windows App**. + - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe`. +11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**. +12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu. + - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`. + - In **BlockedUrl**, enter `*`. + - In **DefaultUrl**, enter `https://www.contoso.com/menu`. + - Set **EnableEndSessionButton**, **EnableHomeButton**, and **EnableNavigationButtons** to **No**. +13. On the **File** menu, select **Save**, and select **OK** in the **Keep your info secure** dialog box. +14. On the **Export** menu, select **Provisioning package**. +15. Change the **Owner** to **IT Admin**, and select **Next**. +16. On **Select security details for the provisioning package**, select **Next**. +17. On **Select where to save the provisioning package**, select **Next**. +18. On **Build the provisioning package**, select **Build**. +19. On the **All done!** screen, click the **Output location**. +20. Copy the .ppkg file to a USB drive. +21. Attach the USB drive to the device that you want to use for your digital sign. +22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive. + + + + + + + + + + + + + + \ No newline at end of file diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md deleted file mode 100644 index f2f227fd8c..0000000000 --- a/windows/configuration/setup-kiosk-digital-signage.md +++ /dev/null 
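Review bot: in the new setup-digital-signage.md, step 16 has the reader select **Next** on **Select security details for the provisioning package** without comment, although by then the package holds the kiosk account password with **Auto sign-in** set to **Yes** (step 10) and the wireless password when **WPA2-Personal** is chosen (step 6), and step 20 copies the .ppkg to a USB drive. Suggest recommending package encryption at step 16, or carrying over the note from the deleted setup-kiosk-digital-signage.md that the .ppkg can be encrypted while project files are not, so they should be stored securely and deleted when no longer needed. Smaller points: the numbered list has two items numbered `2.`, the Windows Configuration Designer link uses `~/provisioning-packages/provisioning-install-icd.md` where the deleted topic used the relative `provisioning-packages/provisioning-install-icd.md`, the front matter drops `ms.author` and `ms.topic`, and the file has no newline at end of file.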
@@ -1,487 +0,0 @@ ---- -title: Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education (Windows 10) -description: A single-use device such as a digital sign is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerms -ms.author: jdecker -ms.topic: article -ms.localizationpriority: medium -ms.date: 06/05/2018 ---- - -# Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education - - -**Applies to** - -- Windows 10 Pro, Enterprise, and Education - - - -Some desktop devices in an enterprise serve a special purpose, such as a PC in the lobby that customers can use to view your product catalog or a PC displaying visual content as a digital sign. A single-use, kiosk device is easy to set up in Windows 10. (For kiosks that run more than one more app, see [Create a Windows 10 kiosk that runs multiple apps](lock-down-windows-10-to-specific-apps.md).) - - - -## Choose a method for configuring your kiosks and digitals signs - -**Which type of app will your kiosk run?** Your kiosk can run a Universal Windows Platform (UWP) app or a Classic Windows desktop application. When the kiosk account signs in, the kiosk app will launch automatically. If the kiosk app is closed, it will automatically restart. - ->[!TIP] ->For **digital signage**, simply select a digital sign player as your kiosk app. You can also use the **Kiosk Browser** app ([new in Windows 10, version 1803)](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers) and configure it to show your online content. 
- -**Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. - ->[!WARNING] ->For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account. -> ->Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. - -**Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. 
- -### Methods for kiosks and digital signs running a UWP app - -Choose this method | For this edition | For this kiosk account type ---- | --- | --- -[Local settings](#local) (for 1 or a few devices) | Pro, Ent, Edu | Local standard user -[PowerShell](#powershell) | Pro, Ent, Edu | Local standard user -[Provisioning](#wizard) | Pro (version 1709), Ent, Edu | Local standard user, Active Directory -[Intune or other mobile device management (MDM)](#set-up-assigned-access-in-mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD - -### Methods for kiosks and digital signs running a Classic Windows app - -Choose this method | For this edition | For this kiosk account type ---- | --- | --- -[Provisioning](#wizard) | Ent, Edu | Local standard user, Active Directory -[ShellLauncher](#shelllauncher) | Ent, Edu | Local standard user or administrator, Active Directory, Azure AD - - - - - -### Other settings to lock down - -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: - -Recommendation | How to ---- | --- -Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

`HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`

[Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)

You must restart the device after changing the registry. -Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. -Hide **Ease of access** feature on the logon screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. -Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** -Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. - -In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can log on the assigned access account manually or you can configure the device to log on to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic logon. - - -**How to edit the registry to have an account automatically logged on** - -1. Open Registry Editor (regedit.exe). - - >[!NOTE]   - >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). -   - -2. Go to - - **HKEY\_LOCAL\_MACHINE\SOFTWARE\\Microsoft\WindowsNT\CurrentVersion\Winlogon** - -3. Set the values for the following keys. - - - *AutoAdminLogon*: set value as **1**. - - - *DefaultUserName*: set value as the account that you want logged in. - - - *DefaultPassword*: set value as the password for the account. - - > [!NOTE] - > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - - - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. - -4. Close Registry Editor. The next time the computer restarts, the account will be logged on automatically. - ->[!TIP] ->You can also configure automatic logon [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon). - - - -## Set up a kiosk or digital sign in local Settings - ->App type: UWP -> ->OS edition: Windows 10 Pro, Ent, Edu -> ->Account type: Local standard user - -You can use **Settings** to quickly configure one or a few devices as a kiosk. 
(Using **Settings** isn't practical for configuring a lot of devices, but it would work.) When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) - -When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. - -If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. - -If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. - -![Screenshot of automatic sign-in setting](images/auto-signin.png) - -**To set up assigned access in PC settings** - -1. Go to **Start** > **Settings** > **Accounts** > **Other people**. - -2. Choose **Set up assigned access**. - -3. Choose an account. - -4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). - -5. 
Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. - -To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. - - - - - -## Set up a kiosk or digital sign using Windows PowerShell - - ->App type: UWP -> ->OS edition: Windows 10 Pro, Ent, Edu -> ->Account type: Local standard user - -You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. - -To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator. - -``` -Set-AssignedAccess -AppUserModelId -UserName -``` - -``` -Set-AssignedAccess -AppUserModelId -UserSID -``` - -``` -Set-AssignedAccess -AppName -UserName -``` - -``` -Set-AssignedAccess -AppName -UserSID -``` - -> [!NOTE] -> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. - -[Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). - -[Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). - -[Learn how to get the SID](https://go.microsoft.com/fwlink/p/?LinkId=615517). - -To remove assigned access, using PowerShell, run the following cmdlet. - -``` -Clear-AssignedAccess -``` - - - -## Set up a kiosk or digital sign using a provisioning package - ->App type: UWP or Classic Windows -> ->OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types -> ->Account type: Local standard user, Active Directory - ->[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). 
- - -When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application. - - - - -[Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. - - - - - - - - - - - - -
![step one](images/one.png)![set up device](images/set-up-device.png)

Enable device setup if you want to configure settings on this page.

**If enabled:**

Enter a name for the device.

(Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

You can also select to remove pre-installed software from the device.
![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
![step two](images/two.png) ![set up network](images/set-up-network.png)

Enable network setup if you want to configure settings on this page.

**If enabled:**

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
![Enter network SSID and type](images/set-up-network-details.png)
![step three](images/three.png) ![account management](images/account-management.png)

Enable account management if you want to configure settings on this page.

**If enabled:**

You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

**Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
![step four](images/four.png) ![add applications](images/add-applications.png)

You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

**Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
![add an application](images/add-applications-details.png)
![step five](images/five.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
![add a certificate](images/add-certificates-details.png)
![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
![Configure kiosk account and app](images/kiosk-account-details.png)
![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
![Protect your package](images/finish-details.png)
- - ->[!NOTE] ->If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** - ->[!TIP] ->You can also use [an XML file to configure both multi-app and single-app kiosks.](lock-down-windows-10-to-specific-apps.md) - ->[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - - - -[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md) - - - - - -  - - - -## Set up a kiosk or digital sign in Intune or other MDM service - ->App type: UWP -> ->OS edition: Windows 10 Pro (version 1709), Ent, Edu -> ->Account type: Local standard user, Azure AD - -Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a KioskModeApp setting. In the KioskModeApp setting, you enter the user account name and [AUMID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode. - -The following steps explain how to configure a kiosk in Microsoft Intune. For other MDM services, see the documentation for your provider. - -**To configure kiosk in Microsoft Intune** - -2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. -3. Select **Device configuration**. -4. Select **Profiles**. -5. Select **Create profile**. -6. 
Enter a friendly name for the profile. -7. Select **Windows 10 and later** for the platform. -8. Select **Kiosk (Preview)** for the profile type. -9. Enter a friendly name for the kiosk configuration. -10. Select **Kiosk - 1 setting available**. -10. Select **Add** to add a kiosk configuration. -10. Enter a friendly name for the kiosk configuration, and then in **Kiosk Mode**, select **Single full-screen app kiosk**. -10. Select either **Select a managed app** to choose a kiosk app that is managed by Intune, or **Enter UWP app AUMID** to specify the kiosk app by AUMID, and then select the app or enter the AUMID as appropriate. -1. For the user account, select either **Autologon** to create a user account for the kiosk that will sign in automatically, or **Local user account** to configure an existing user account to run the kiosk. **Local user account** can be a local standard user account on the device or an Azure Active Directory account. -14. Select **OK**, and then select **Create**. -18. Assign the profile to a device group to configure the devices in that group as kiosks. - - - -## Set up a kiosk or digital sign using Shell Launcher - ->App type: Classic Windows -> ->OS edition: Windows 10 Ent, Edu -> ->Account type: Local standard user or administrator, Active Directory, Azure AD - -Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. - ->[!NOTE] ->In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the [Assigned Access CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp). -> ->You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). - ->[!WARNING] ->- Windows 10 doesn’t support setting a custom shell prior to OOBE. 
If you do, you won’t be able to deploy the resulting image. ->- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. - -### Requirements - -- A domain or local user account. - -- A Classic Windows application that is installed for that account. The app can be your own company application or a common app like Internet Explorer. - -[See the technical reference for the shell launcher component.](https://go.microsoft.com/fwlink/p/?LinkId=618603) - - -### Configure Shell Launcher - -To set a Classic Windows application as the shell, you first turn on the Shell Launcher feature, and then you can set your custom shell as the default using PowerShell. - -**To turn on Shell Launcher in Windows features** - -1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. - -2. Expand **Device Lockdown**. - -2. Select **Shell Launcher** and **OK**. - -Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. - -**To turn on Shell Launcher using DISM** - -1. Open a command prompt as an administrator. -2. Enter the following command. - - ``` - Dism /online /Enable-Feature /all /FeatureName:Client-EmbeddedShellLauncher - ``` - -**To set your custom shell** - -Modify the following PowerShell script as appropriate. 
The comments in the sample script explain the purpose of each section and tell you where you will want to change the script for your purposes. Save your script with the extension .ps1, open Windows PowerShell as administrator, and run the script on the kiosk device. - -``` -# Check if shell launcher license is enabled -function Check-ShellLauncherLicenseEnabled -{ - [string]$source = @" -using System; -using System.Runtime.InteropServices; - -static class CheckShellLauncherLicense -{ - const int S_OK = 0; - - public static bool IsShellLauncherLicenseEnabled() - { - int enabled = 0; - - if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) { - enabled = 0; - } - - return (enabled != 0); - } - - static class NativeMethods - { - [DllImport("Slc.dll")] - internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value); - } - -} -"@ - - $type = Add-Type -TypeDefinition $source -PassThru - - return $type[0]::IsShellLauncherLicenseEnabled() -} - -[bool]$result = $false - -$result = Check-ShellLauncherLicenseEnabled -"`nShell Launcher license enabled is set to " + $result -if (-not($result)) -{ - "`nThis device doesn't have required license to use Shell Launcher" - exit -} - -$COMPUTER = "localhost" -$NAMESPACE = "root\standardcimv2\embedded" - -# Create a handle to the class instance so we can call the static methods. -try { - $ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting" - } catch [Exception] { - write-host $_.Exception.Message; - write-host "Make sure Shell Launcher feature is enabled" - exit - } - - -# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group. - -$Admins_SID = "S-1-5-32-544" - -# Create a function to retrieve the SID for a user account on a machine. 
- -function Get-UsernameSID($AccountName) { - - $NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName) - $NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier]) - - return $NTUserSID.Value - -} - -# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script. - -$Cashier_SID = Get-UsernameSID("Cashier") - -# Define actions to take when the shell program exits. - -$restart_shell = 0 -$restart_device = 1 -$shutdown_device = 2 - -# Examples. You can change these examples to use the program that you want to use as the shell. - -# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed. - -$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device) - -# Display the default shell to verify that it was added correctly. - -$DefaultShellObject = $ShellLauncherClass.GetDefaultShell() - -"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction - -# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed. - -$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell) - -# Set Explorer as the shell for administrators. - -$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe") - -# View all the custom shells defined. - -"`nCurrent settings for custom shells:" -Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction - -# Enable Shell Launcher - -$ShellLauncherClass.SetEnabled($TRUE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled - -# Remove the new custom shells. 
- -$ShellLauncherClass.RemoveCustomShell($Admins_SID) - -$ShellLauncherClass.RemoveCustomShell($Cashier_SID) - -# Disable Shell Launcher - -$ShellLauncherClass.SetEnabled($FALSE) - -$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() - -"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled -``` - -## Sign out of assigned access - -To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account. - -If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key: - -**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI** - -To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. - -  -## Related topics - -- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - - - diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index b1547d99cd..db8812512d 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md 
@@ -30,7 +30,7 @@ The **Azure > Authority** and **Azure > BPRT** settings for bulk Azure Active Di - [Instructions for desktop wizard](../provisioning-packages/provision-pcs-for-initial-deployment.md) - [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md) -- [Instructions for the kiosk wizard](../setup-kiosk-digital-signage.md#wizard) +- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard) ## ComputerAccount diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md index 744ae6a3b6..0f63fc68e7 100644 --- a/windows/configuration/wcd/wcd-provisioningcommands.md +++ b/windows/configuration/wcd/wcd-provisioningcommands.md @@ -13,7 +13,7 @@ ms.date: 09/06/2017 # ProvisioningCommands (Windows Configuration Designer reference) -Use ProvisioningCommands settings to install Classic Windows apps using a provisioning package. +Use ProvisioningCommands settings to install Windows desktop applications using a provisioning package. ## Applies to diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md index 2f7f8216e2..a9e588a6f8 100644 --- a/windows/configuration/wcd/wcd-smisettings.md +++ b/windows/configuration/wcd/wcd-smisettings.md 
@@ -93,7 +93,7 @@ When you **enable** KeyboardFilter, a number of other settings become available ## ShellLauncher settings -Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Classic Windows application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications). +Use ShellLauncher to specify the application or executable to use as the default custom shell. One use of ShellLauncher is to [create a kiosk (fixed-purpose) device running a Windows desktop application](https://docs.microsoft.com/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions#shell-launcher-for-classic-windows-applications). >[!WARNING] >Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image. From c312dd20dc4b358299a8d1c492b95da23dbdda8f Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 30 Jul 2018 22:41:09 +0300 Subject: [PATCH 22/34] updates --- ...endpoints-windows-defender-advanced-threat-protection.md | 6 ++++-- ...ubleshoot-windows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 4df77c291d..9c0dfce001 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md 
@@ -119,14 +119,16 @@ You’ll be able to onboard in the same method available for Windows 10 client m Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. The following capabilities are included in this integration: -- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to ASC. For more information on onboarding to ASC, see Onboarding to Azure Security Center Standard for enhanced security. +- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to ASC. For more information on onboarding to ASC, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/en-us/azure/security-center/security-center-onboarding). + >[!NOTE] > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. + - Servers monitored by Azure Security Center will also be available in Windows Defender ATP - ASC seamlessly connects to the Windows Defender ATP tenant, providing a single view across clients and servers. In addition, Windows Defender ATP alerts will be available in the Azure Security Center console. - Server investigation - Azure Security Center customers can access the Windows Defender ATP portal to perform detailed investigation to uncover the scope of a potential breach >[!IMPORTANT] ->- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. For more information on how to change the geolocation, please contact support. +>- When you use Azure Security Center detection end response capabilities, a Windows Defender ATP tenant is automatically created. 
The Windows Defender ATP data is stored in Europe by default. For more information on how to change the geolocation, please contact support: [Open a ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). >- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index 99e9e5c8c6..4b175b3338 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -69,7 +69,7 @@ Support of use of comma as a separator in numbers are not supported. Regions whe When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. -If you want to store your data from Europe to another data center, please contact support. +If you want to store your data from Europe to another data center, please contact support: [Open a ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). > [!WARNING] > Deleting the existing Windows Defender ATP tenant will also delete all historical data and alerts. From 3c06afe9875ad82fff960313bea663f49a2f7d2c Mon Sep 17 00:00:00 2001 
From: Maricia Alforque Date: Mon, 30 Jul 2018 19:53:18 +0000 Subject: [PATCH 23/34] Merged PR 10197: Removed documentations inconsistencies in Policy CSP topicis --- .../mdm/policy-csp-accounts.md | 7 +-- .../mdm/policy-csp-applicationmanagement.md | 16 +----- .../mdm/policy-csp-authentication.md | 15 +---- .../mdm/policy-csp-bluetooth.md | 28 +--------- .../mdm/policy-csp-browser.md | 56 +------------------ .../mdm/policy-csp-connectivity.md | 37 +----------- .../mdm/policy-csp-devicelock.md | 31 +--------- .../mdm/policy-csp-experience.md | 12 +--- .../mdm/policy-csp-privacy.md | 41 +------------- .../mdm/policy-csp-search.md | 12 +--- .../mdm/policy-csp-security.md | 28 +--------- .../mdm/policy-csp-settings.md | 7 +-- .../mdm/policy-csp-system.md | 31 +--------- .../mdm/policy-csp-update.md | 50 +---------------- 14 files changed, 15 insertions(+), 356 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 64e6764b0a..7b0ad06974 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Accounts @@ -248,9 +248,4 @@ Footnote: - -##
Accounts policies supported by Windows Holographic for Business - -- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection) - diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 39cb905194..cca62e37b2 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/11/2018 +ms.date: 07/30/2018 --- # Policy CSP - ApplicationManagement @@ -1050,17 +1050,3 @@ Footnote: - -## ApplicationManagement policies supported by Windows Holographic for Business - -- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps) -- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate) -- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) - - - -## ApplicationManagement policies supported by IoT Core - -- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock) - - diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 1b134ed0ff..a09d57f3d5 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Authentication 
@@ -312,16 +312,3 @@ Footnote: - 4 - Added in Windows 10, version 1803. - - -## Authentication policies supported by Windows Holographic for Business - -- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) - - - -## Authentication policies supported by IoT Core - -- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect) - - diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 1fb3b009d6..c46c7c823a 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Bluetooth 
@@ -439,30 +439,4 @@ Footnote: * The Surface pen uses the HID over GATT profile {00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} - -## Bluetooth policies supported by Windows Holographic for Business - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) - - - -## Bluetooth policies supported by IoT Core - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) - - - -## Bluetooth policies supported by Microsoft Surface Hub - -- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising) -- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode) -- [Bluetooth/AllowPrepairing](#bluetooth-allowprepairing) -- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename) -- [Bluetooth/ServicesAllowedList](#bluetooth-servicesallowedlist) - diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index cbc9d1bf0b..94bc0bf1bb 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.technology: windows author: shortpatti ms.author: pashort -ms.date: 07/18/2018 +ms.date: 07/30/2018 --- # Policy CSP - Browser 
@@ -3974,57 +3974,3 @@ Footnote: - -## Browser policies that can be set using Exchange Active Sync (EAS) - -- [Browser/AllowBrowser](#browser-allowbrowser) - - - -## Browser policies supported by Windows Holographic for Business - -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) - - - -## Browser policies supported by IoT Core - -- [Browser/AllowAutofill](#browser-allowautofill) -- [Browser/AllowBrowser](#browser-allowbrowser) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowInPrivate](#browser-allowinprivate) -- [Browser/AllowPasswordManager](#browser-allowpasswordmanager) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist) -- [Browser/EnterpriseSiteListServiceUrl](#browser-enterprisesitelistserviceurl) -- [Browser/SendIntranetTraffictoInternetExplorer](#browser-sendintranettraffictointernetexplorer) - - - -## Browser policies supported by Microsoft Surface Hub - -- [Browser/AllowAddressBarDropdown](#browser-allowaddressbardropdown) -- [Browser/AllowCookies](#browser-allowcookies) -- [Browser/AllowDeveloperTools](#browser-allowdevelopertools) -- [Browser/AllowDoNotTrack](#browser-allowdonottrack) -- [Browser/AllowMicrosoftCompatibilityList](#browser-allowmicrosoftcompatibilitylist) -- [Browser/AllowPopups](#browser-allowpopups) -- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar) -- [Browser/AllowSmartScreen](#browser-allowsmartscreen) -- 
[Browser/ClearBrowsingDataOnExit](#browser-clearbrowsingdataonexit) -- [Browser/ConfigureAdditionalSearchEngines](#browser-configureadditionalsearchengines) -- [Browser/DisableLockdownOfStartPages](#browser-disablelockdownofstartpages) -- [Browser/HomePages](#browser-homepages) -- [Browser/PreventLiveTileDataCollection](#browser-preventlivetiledatacollection) -- [Browser/PreventSmartScreenPromptOverride](#browser-preventsmartscreenpromptoverride) -- [Browser/PreventSmartScreenPromptOverrideForFiles](#browser-preventsmartscreenpromptoverrideforfiles) -- [Browser/SetDefaultSearchEngine](#browser-setdefaultsearchengine) - - diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 26bd1f5d3e..cd6e49f41a 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Connectivity 
@@ -972,40 +972,5 @@ Footnote: - -## Connectivity policies that can be set using Exchange Active Sync (EAS) -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) - - - -## Connectivity policies supported by Windows Holographic for Business - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) - - - -## Connectivity policies supported by IoT Core - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowCellularDataRoaming](#connectivity-allowcellulardataroaming) -- [Connectivity/AllowNFC](#connectivity-allownfc) -- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection) -- [Connectivity/AllowVPNOverCellular](#connectivity-allowvpnovercellular) -- [Connectivity/AllowVPNRoamingOverCellular](#connectivity-allowvpnroamingovercellular) -- [Connectivity/DiablePrintingOverHTTP](#connectivity-diableprintingoverhttp) -- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](#connectivity-disabledownloadingofprintdriversoverhttp) -- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) -- [Connectivity/HardenedUNCPaths](#connectivity-hardeneduncpaths) -- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](#connectivity-prohibitinstallationandconfigurationofnetworkbridge) - - - -## Connectivity policies supported by Microsoft Surface Hub - -- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth) -- [Connectivity/AllowConnectedDevices](#connectivity-allowconnecteddevices) - diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 46a6862046..05c055a478 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md 
+++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - DeviceLock 
@@ -1217,32 +1217,3 @@ Footnote: - -## DeviceLock policies that can be set using Exchange Active Sync (EAS) - -- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordExpiration](#devicelock-devicepasswordexpiration) -- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) -- [DeviceLock/PreventLockScreenSlideShow](#devicelock-preventlockscreenslideshow) - - - -## DeviceLock policies supported by Windows Holographic for Business - -- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword) -- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword) -- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired) -- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled) -- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory) -- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts) -- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock) -- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters) -- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) - - diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index a0a6355c06..47b5293f9e 100644 
--- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/13/2018 +ms.date: 07/30/2018 --- # Policy CSP - Experience @@ -1396,7 +1396,6 @@ The following list shows the supported values: -<<<<<<< HEAD
@@ -1546,8 +1545,7 @@ Microsoft Edge on your PC: -======= ->>>>>>> 785954ffa54220bce4c3bdaef580253b43197a5a +
Footnote: @@ -1560,10 +1558,4 @@ Footnote: - -## Experience policies supported by Windows Holographic for Business - -- [Experience/AllowCortana](#experience-allowcortana) -- [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) - diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 23a98eaa7b..ac16face75 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/05/2018 +ms.date: 07/30/2018 --- # Policy CSP - Privacy 
@@ -4844,43 +4844,4 @@ Footnote: - -## Privacy policies supported by Windows Holographic for Business - -- [Privacy/AllowCrossDeviceClipboard](#privacy-allowcrossdeviceclipboard) -- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) -- [Privacy/LetAppsAccessGazeInput](#privacy-letappsaccessgazeinput) -- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](#privacy-letappsaccessgazeinput-forceallowtheseapps) -- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](#privacy-letappsaccessgazeinput-forcedenytheseapps) -- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](#privacy-letappsaccessgazeinput-userincontroloftheseapps) -- [Privacy/UploadUserActivities](#privacy-uploaduseractivities) - - - -## Privacy policies supported by IoT Core - -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) - - - -## Privacy policies supported by Microsoft Surface Hub - -- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed) -- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo) -- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) -- 
[Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) -- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) -- [Privacy/LetAppsRunInBackground](#privacy-letappsruninbackground) -- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps) -- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps) -- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps) -- [Privacy/PublishUserActivities](#privacy-publishuseractivities) - diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 90d61b4f33..f51a32f819 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Search @@ -860,15 +860,5 @@ Footnote: - -## Search policies that can be set using Exchange Active Sync (EAS) -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - - - -## Search policies supported by Windows Holographic for Business - -- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 923b4a3d8a..e0557a49ab 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/26/2018 +ms.date: 07/30/2018 --- # Policy CSP - Security 
@@ -664,31 +664,5 @@ Footnote: - -## Security policies that can be set using Exchange Active Sync (EAS) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - - - -## Security policies supported by Windows Holographic for Business - -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - - - -## Security policies supported by IoT Core - -- [Security/AllowAddProvisioningPackage](#security-allowaddprovisioningpackage) -- [Security/AllowRemoveProvisioningPackage](#security-allowremoveprovisioningpackage) -- [Security/RequireDeviceEncryption](#security-requiredeviceencryption) -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) - - - -## Security policies supported by Microsoft Surface Hub - -- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature) -- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot) - diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index ba5cc1e9ef..6400be4c46 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 07/30/2018 --- # Policy CSP - Settings @@ -849,10 +849,5 @@ Footnote: - -## Settings policies supported by Windows Holographic for Business -- [Settings/AllowDateTime](#settings-allowdatetime) -- [Settings/AllowVPN](#settings-allowvpn) - diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index b7f8fb114a..63649af40c 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/05/2018 +ms.date: 07/30/2018 --- # Policy CSP - System @@ -1194,34 +1194,5 @@ Footnote: - -## System policies that can be set using Exchange Active Sync (EAS) -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) - - - -## System policies supported by Windows Holographic for Business - -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) - - - -## System policies supported by IoT Core - -- [System/AllowEmbeddedMode](#system-allowembeddedmode) -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowStorageCard](#system-allowstoragecard) -- [System/TelemetryProxy](#system-telemetryproxy) - - - -## System policies supported by Microsoft Surface Hub - -- [System/AllowFontProviders](#system-allowfontproviders) -- [System/AllowLocation](#system-allowlocation) -- [System/AllowTelemetry](#system-allowtelemetry) - diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 7f6dde9d31..8bda477361 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/18/2018 +ms.date: 07/30/2018 --- # Policy CSP - Update 
@@ -3551,52 +3551,4 @@ Footnote: - -## Update policies supported by Windows Holographic for Business - -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/UpdateServiceUrl](#update-updateserviceurl) - - - -## Update policies supported by IoT Core - -- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#update-autorestartdeadlineperiodindaysforfeatureupdates) -- [Update/EngagedRestartDeadlineForFeatureUpdates](#update-engagedrestartdeadlineforfeatureupdates) -- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](#update-engagedrestartsnoozescheduleforfeatureupdates) -- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](#update-engagedrestarttransitionscheduleforfeatureupdates) -- [Update/PauseDeferrals](#update-pausedeferrals) -- [Update/RequireDeferUpgrade](#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](#update-requireupdateapproval) -- [Update/ScheduledInstallDay](#update-scheduledinstallday) -- [Update/ScheduledInstallTime](#update-scheduledinstalltime) -- [Update/SetDisablePauseUXAccess](#update-setdisablepauseuxaccess) -- [Update/SetDisableUXWUAccess](#update-setdisableuxwuaccess) -- [Update/UpdateServiceUrl](#update-updateserviceurl) - - - -## Update policies supported by Microsoft Surface Hub - -- [Update/AllowAutoUpdate](#update-allowautoupdate) -- [Update/AllowUpdateService](#update-allowupdateservice) -- [Update/AutoRestartNotificationSchedule](#update-autorestartnotificationschedule) -- [Update/AutoRestartRequiredNotificationDismissal](#update-autorestartrequirednotificationdismissal) -- [Update/BranchReadinessLevel](#update-branchreadinesslevel) -- 
[Update/DeferFeatureUpdatesPeriodInDays](#update-deferfeatureupdatesperiodindays) -- [Update/DeferQualityUpdatesPeriodInDays](#update-deferqualityupdatesperiodindays) -- [Update/DetectionFrequency](#update-detectionfrequency) -- [Update/PauseFeatureUpdates](#update-pausefeatureupdates) -- [Update/PauseQualityUpdates](#update-pausequalityupdates) -- [Update/ScheduleImminentRestartWarning](#update-scheduleimminentrestartwarning) -- [Update/ScheduleRestartWarning](#update-schedulerestartwarning) -- [Update/SetAutoRestartNotificationDisable](#update-setautorestartnotificationdisable) -- [Update/UpdateServiceUrl](#update-updateserviceurl) -- [Update/UpdateServiceUrlAlternate](#update-updateserviceurlalternate) - From e798f98e366defd8df3a4cdacc0dd6ae48b2356d Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 30 Jul 2018 21:31:20 +0000 Subject: [PATCH 24/34] Merged PR 10202: Fixed formatting issue in Policy CSP - Experience topic --- windows/client-management/mdm/policy-csp-experience.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 47b5293f9e..55a43ec5ac 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1545,7 +1545,10 @@ Microsoft Edge on your PC: +<<<<<<< HEAD +======= +>>>>>>> 3c06afe9875ad82fff960313bea663f49a2f7d2c
Footnote: From 1ba4bbd001d2e66da4ca248be240d59bdf041645 Mon Sep 17 00:00:00 2001 From: Stellios W <24645566+TheNewStellW@users.noreply.github.com> Date: Tue, 31 Jul 2018 10:17:13 +1000 Subject: [PATCH 25/34] Corrected policy location GPO location was missing the "Policies" folder. --- .../security-policy-settings/allow-log-on-locally.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md index 7dc894bdc7..bb487621e3 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md @@ -50,7 +50,7 @@ By default, the members of the following groups have this right on domain contro ### Location -Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment +Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment ### Default values From 031f3dc71e52fa33160c184d2da8ec49fe0ae56f Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 31 Jul 2018 11:36:20 +0300 Subject: [PATCH 26/34] update to troubleshooting --- ...windows-defender-advanced-threat-protection.md | 2 +- ...windows-defender-advanced-threat-protection.md | 15 ++++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 9c0dfce001..a1dd685e8b 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -128,7 +128,7 @@ The following capabilities are included in this integration: - Server investigation - Azure Security Center customers can access the Windows Defender ATP portal to perform detailed investigation to uncover the scope of a potential breach >[!IMPORTANT] ->- When you use Azure Security Center detection end response capabilities, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. For more information on how to change the geolocation, please contact support: [Open a ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). +>- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. For more information on how to change the geolocation, please contact support: [Open a ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). >- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index 4b175b3338..f6acf68af5 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -65,14 +65,19 @@ Support of use of comma as a separator in numbers are not supported. Regions whe >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink) -## Servers monitored by Azure Security Center automatically onboarded to Windows Defender ATP service - +## Windows Defender ATP tenant was automatically created in Europe When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. -If you want to store your data from Europe to another data center, please contact support: [Open a ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). +If you want to store your data from Europe to another data center, please contact support: [Open a ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). + + > [!WARNING] + > If you decide to change the location of your data, know that it will require deleting the existing Windows Defender ATP tenant and that it also deletes all historical data and alerts within the tenant. + + + + + -> [!WARNING] -> Deleting the existing Windows Defender ATP tenant will also delete all historical data and alerts. From abd5c4ad390a51cb15a5b1e3cc5efa8ad1b91449 Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Tue, 31 Jul 2018 13:54:41 +0300 Subject: [PATCH 27/34] remove support link --- ...er-endpoints-windows-defender-advanced-threat-protection.md | 2 +- ...troubleshoot-windows-defender-advanced-threat-protection.md | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index a1dd685e8b..aaa349670c 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -128,7 +128,7 @@ The following capabilities are included in this integration: - Server investigation - Azure Security Center customers can access the Windows Defender ATP portal to perform detailed investigation to uncover the scope of a potential breach >[!IMPORTANT] ->- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. For more information on how to change the geolocation, please contact support: [Open a ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). +>- When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. >- If you use Windows Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. 
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index f6acf68af5..c6e68b56e5 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -68,10 +68,7 @@ Support of use of comma as a separator in numbers are not supported. Regions whe ## Windows Defender ATP tenant was automatically created in Europe When you use Azure Security Center to monitor servers, a Windows Defender ATP tenant is automatically created. The Windows Defender ATP data is stored in Europe by default. -If you want to store your data from Europe to another data center, please contact support: [Open a ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). - > [!WARNING] - > If you decide to change the location of your data, know that it will require deleting the existing Windows Defender ATP tenant and that it also deletes all historical data and alerts within the tenant. From fd986cdec42b2ef1673be6e4acda0b28fa7ce6b7 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Tue, 31 Jul 2018 12:39:51 +0000 Subject: [PATCH 28/34] Merged PR 10221: Added Authentication policies to Policy CSP --- .../policy-configuration-service-provider.md | 9 + .../mdm/policy-csp-authentication.md | 188 ++++++++++++++++++ 2 files changed, 197 insertions(+) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 2a6faa8bbb..7c699b0382 100644 
--- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -365,6 +365,15 @@ The following diagram shows the Policy configuration service provider in tree fo
Authentication/AllowSecondaryAuthenticationDevice
+
+ Authentication/EnableFastFirstSignIn +
+
+ Authentication/EnableWebSignIn +
+
+ Authentication/PreferredAadTenantDomainName +
### Autoplay policies diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index a09d57f3d5..7578533727 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -11,6 +11,8 @@ ms.date: 07/30/2018 # Policy CSP - Authentication +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -34,6 +36,15 @@ ms.date: 07/30/2018
Authentication/AllowSecondaryAuthenticationDevice
+
+ Authentication/EnableFastFirstSignIn +
+
+ Authentication/EnableWebSignIn +
+
+ Authentication/PreferredAadTenantDomainName +
@@ -302,6 +313,182 @@ The following list shows the supported values: + +
+ + +**Authentication/EnableFastFirstSignIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. + +Value type is integer. Supported values: + +- 0 - (default) The feature defaults to the existing SKU and device capabilities. +- 1 - Enabled. Auto connect new non-admin AZure AD accounts to pre-configured candidate local accounts +- 2 - Disabled. Do not auto connect new non-admin Azure AD accounts to pre-configured local accounts + + + + + + + + + + + + + +
+ + +**Authentication/EnableWebSignIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). + +> [!Note] +> Web Sign-in is only supported on Azure AD Joined PCs. + +Value type is integer. Supported values: + +- 0 - (default) The feature defaults to the existing SKU and device capabilities. +- 1 - Enabled. Web Credential Provider will be enabled for Sign In +- 2 - Disabled. Web Credential Provider will not be enabled for Sign In + + + + + + + + + + + + + +
+ + +**Authentication/PreferredAadTenantDomainName** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark5check mark5check mark5check mark5
+ + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Specifies the preferred domain among available domains in the Azure AD tenant. + +Example: If your organization is using the "@contoso.com" tenant domain name, the policy value should be "contoso.com". For the user "abby@constoso.com", she would then be able to sign in using "abby" in the username field instead of "abby@contoso.com". + + +Value type is string. + + + + + + + + + + + +
Footnote: @@ -310,5 +497,6 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. +- 5 - Added in the next major release of Windows 10. From b90846c10866584ef1a76ed2c77ea62d0ed3dd7d Mon Sep 17 00:00:00 2001 From: bertdeb Date: Tue, 31 Jul 2018 08:44:12 -0400 Subject: [PATCH 29/34] Update getting-started-with-mbam-25.md Training Overview option no longer available as per Nandhakumar Thamaraiselvan (Quantum Leap Consulting Privat) [mailto:v-nantha@microsoft.com], SR number 118072318635562. --- mdop/mbam-v25/getting-started-with-mbam-25.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/mdop/mbam-v25/getting-started-with-mbam-25.md b/mdop/mbam-v25/getting-started-with-mbam-25.md index 3513df82f6..a7ba39d226 100644 --- a/mdop/mbam-v25/getting-started-with-mbam-25.md +++ b/mdop/mbam-v25/getting-started-with-mbam-25.md @@ -20,8 +20,6 @@ See the following resources for additional MBAM documentation: - [Microsoft BitLocker Administration and Monitoring Deployment Guide](https://go.microsoft.com/fwlink/?LinkId=396653) -- [Microsoft Training Overview](https://go.microsoft.com/fwlink/p/?LinkId=80347) - Before you deploy MBAM to a production environment, we recommend that you validate your deployment plan in a test environment. ## Getting started with MBAM 2.5 From f451a5ee5549fae1ff5283dc4b5370cdd41d3d30 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 31 Jul 2018 13:40:49 +0000 Subject: [PATCH 30/34] Merged PR 10230: add links in prep for IT Pro Center removal --- devices/surface-hub/index.md | 7 +++++++ devices/surface/windows-autopilot-and-surface-devices.md | 6 +++++- windows/configuration/wcd/wcd-policies.md | 2 +- .../windows-10-start-layout-options-and-policies.md | 2 +- 4 files changed, 14 insertions(+), 3 deletions(-) diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index b819e54b9a..06b5ab6450 100644 --- a/devices/surface-hub/index.md 
+++ b/devices/surface-hub/index.md @@ -51,3 +51,10 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof +## Additional resources + +- [Surface Hub update history](https://support.microsoft.com/help/4037666/surface-surface-hub-update-history) +- [Surface IT Pro Blog](https://blogs.technet.microsoft.com/surface/) +- [Surface Playlist of videos](https://www.youtube.com/playlist?list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ) +- [Microsoft Surface on Twitter](https://twitter.com/surface) + diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md index 3550f35fd6..cbfbebde41 100644 --- a/devices/surface/windows-autopilot-and-surface-devices.md +++ b/devices/surface/windows-autopilot-and-surface-devices.md 
@@ -49,4 +49,8 @@ Surface devices with support for out-of-box deployment with Windows Autopilot, e ## Surface partners enabled for Windows Autopilot Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management. -You can find a list of Surface partners enabled for Windows Autopilot at the [Windows Autopilot for Surface portal](https://www.microsoft.com/en-us/itpro/surface/windows-autopilot-for-surface). \ No newline at end of file +When you purchase Surface devices from a Surface partner enabled for Windows Autopilot, your new devices can be enrolled in your Windows Autopilot deployment for you by the partner. Surface partners enabled for Windows Autopilot include: + +- [SHI](https://www.shi.com/?reseller=shi) +- [Insight](https://www.insight.com/en_US/buy/partner/microsoft/surface.html) +- [Atea](https://www.atea.com/) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 1ba48ada16..6cfc8d6141 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md 
@@ -439,7 +439,7 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl | [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | | X | | [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | | X | | [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | | X | -| [AllowautoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X | +| [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X | | [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)| Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | | X | | [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. 
| X | X | X | X | X | | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | | X | diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index a1482a0a62..54b19bb5d6 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -29,7 +29,7 @@ Organizations might want to deploy a customized Start and taskbar configuration > >Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703. > ->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx). +>For information on using the layout modification XML to configure Start with roaming user profiles, see [Deploy Roaming User Profiles](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs). > >Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) From 1d2ce5037b509f24df00a186f92d4c77d78db8f4 Mon Sep 17 00:00:00 2001 
From: Patti Short <35278231+shortpatti@users.noreply.github.com> Date: Tue, 31 Jul 2018 07:18:44 -0700 Subject: [PATCH 31/34] Update configure-browser-telemetry-for-m365-analytics-include.md --- ...figure-browser-telemetry-for-m365-analytics-include.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md index 669ba4bf75..c1431ecc28 100644 --- a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md +++ b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md @@ -1,5 +1,5 @@ ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
>*Default setting: Disabled or not configured (No data collected or sent)* [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] @@ -14,6 +14,10 @@ |Enabled |3 |3 |Send both intranet and Internet history | | --- +>>You can find this setting in the following location of the Group Policy Editor: +>> +>>      **_Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\_** + >[!IMPORTANT] >For this policy to work, enable the Allow Telemetry policy with the _Enhanced_ option and enable the Configure the Commercial ID policy by providing the Commercial ID. @@ -43,4 +47,4 @@ - Configure the Commercial ID: Define the Commercial ID used to associate the device's telemetry data as belonging to a given organization. -
\ No newline at end of file +
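Review bot: in the second hunk of configure-browser-telemetry-for-m365-analytics-include.md, the added sentence "You can find this setting in the following location of the Group Policy Editor" never names the setting, and it lands directly above the IMPORTANT note about two other policies (Allow Telemetry and Configure the Commercial ID), so "this setting" is easy to read as one of those. Name the policy in the sentence. The commit message only repeats the file name; it should say that a Group Policy location was added and that the path is under Data Collection and Preview Builds.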
From f61e448c5e83782bda0895ad0a372118b80977f2 Mon Sep 17 00:00:00 2001 From: Patti Short <35278231+shortpatti@users.noreply.github.com> Date: Tue, 31 Jul 2018 07:30:32 -0700 Subject: [PATCH 32/34] Update new-policies.md --- browsers/edge/new-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/edge/new-policies.md b/browsers/edge/new-policies.md index ac0e768adf..fec779b736 100644 --- a/browsers/edge/new-policies.md +++ b/browsers/edge/new-policies.md @@ -22,7 +22,7 @@ We are discontinuing the use of the **Configure Favorites** group policy. Use th ->>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor: +>>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: >> >>      **_Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\_**
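Review bot: "unless otherwise noted in the policy" in new-policies.md tells the reader that exceptions exist but not which policies they are, so every policy has to be opened to find out. List the policies whose location differs, or link to them, next to this sentence. The commit message "Update new-policies.md" should state why the qualifier was added.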

From a92ea4363b1186e766a58874847502c0de84ead7 Mon Sep 17 00:00:00 2001 From: Ed Gallagher Date: Tue, 31 Jul 2018 10:50:31 -0500 Subject: [PATCH 33/34] Correct spelling Corrected spelling HYBERFIL to HIBERFIL --- .../types-of-attacks-for-volume-encryption-keys.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md b/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md index d7abb90fbd..d96b30a8c5 100644 --- a/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md +++ b/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md 
@@ -85,13 +85,13 @@ DMA-based expansion slots are another avenue of attack, but these slots generall To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device. -### Hyberfil.sys Attacks +### Hiberfil.sys Attacks -The hyberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hyberfil.sys file. +The hiberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hiberfil.sys file. -Like the DMA port attack discussed in the previous section, tools are available that can scan the hyberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hyberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. 
When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it. +Like the DMA port attack discussed in the previous section, tools are available that can scan the hiberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hiberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it. -In practice, the only reason an attack on hyberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hyberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack. +In practice, the only reason an attack on hiberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hiberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack. ### Memory Remanence Attacks From 5c33ba500faba34718847b5504e0438ed006508e Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Tue, 31 Jul 2018 15:51:42 +0000 Subject: [PATCH 34/34] Merged PR 10232: issue 1380; plus delimiter for kiosk browser --- devices/surface/surface-dock-updater.md | 4 +++- windows/configuration/guidelines-for-assigned-access-app.md | 4 ++-- windows/configuration/wcd/wcd-policies.md | 4 ++-- 3 files changed, 7 insertions(+), 5 deletions(-) 
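Review bot: the third paragraph of the Hiberfil.sys Attacks section in types-of-attacks-for-volume-encryption-keys.md is still misspelled after this change: the added line reads "tools are available that can scan the hiberfile.sys file", where the old "hyberfile.sys" had only its first syllable corrected. Drop the extra "e" so it matches "hiberfil.sys" in the heading and the other three paragraphs, and the commit's stated intent (HYBERFIL to HIBERFIL).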
diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index 6141054da4..445be071c9 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md @@ -121,7 +121,9 @@ Microsoft periodically updates Surface Dock Updater. To learn more about the app *Release Date: 26 July 2018* This version of Surface Dock Updater adds support for the following: -t.b.d. + +- Increase update reliability +- Add support for Surface Go ### Version 2.12.136.0 *Release Date: 29 January 2018* diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index cde506630f..be13c0da3d 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -59,8 +59,8 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr Kiosk Browser settings | Use this setting to --- | --- -Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. -Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. +Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards. Separate multiple URLs using ``.

For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. +Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards. Separate multiple URLs using ``.

If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index 6cfc8d6141..113e7233a4 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md 
@@ -290,8 +290,8 @@ These settings apply to the **Kiosk Browser** app available in Microsoft Store. | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -[BlockedUrlExceptions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X | | | | | -[BlockedUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | X | | | | | +[BlockedUrlExceptions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). Separate multiple URLs using ``. This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X | | | | | +[BlockedUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). Separate multiple URLs using ``. This is used to configure blocked URLs kiosk browsers cannot navigate to. | X | | | | | [DefaultURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | X | | | | | [EnableHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. 
| X | | | | | [EnableNavigationButtons](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | X | | | | |
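Review bot: in the surface-dock-updater.md hunk, the two added bullets do not follow from the sentence that introduces them: "adds support for the following:" followed by "Increase update reliability" and "Add support for Surface Go" reads as "adds support for ... Add support for". Either change the lead-in to "includes the following changes:" or turn the bullets into noun phrases ("Improved update reliability", "Surface Go").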
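Review bot: in the guidelines-for-assigned-access-app.md hunk, both added rows end "Separate multiple URLs using ``." and the code span is empty as it appears here, so the reader is never told what the delimiter is; the two added rows in the wcd-policies.md hunk have the same empty span. Check that the delimiter character survives rendering (escape it, or name the character in words next to the code span) and add a short two-URL example to each row. An administrator who guesses the separator wrong can end up with a blocked-URL or exception list that does not match what they intended on the kiosk.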