From 747d8fc83e4f2a7812b2d3d232ef56e00da55203 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 22 Feb 2023 14:24:38 -0500 Subject: [PATCH 01/37] Added VSC deprecation notice --- windows/security/TOC.yml | 12 +-- .../hello-for-business/hello-faq.yml | 2 +- .../hello-hybrid-cloud-kerberos-trust.md | 4 +- .../hello-prepare-people-to-use.md | 2 + windows/security/identity-protection/index.md | 4 +- ...-windows-smart-card-technical-reference.md | 18 ++--- ...l-smart-card-deploy-virtual-smart-cards.md | 36 ++++----- .../virtual-smart-card-evaluate-security.md | 22 +++-- .../virtual-smart-card-get-started.md | 18 ++--- .../virtual-smart-card-overview.md | 81 +++++-------------- .../virtual-smart-card-tpmvscmgr.md | 20 ++--- ...smart-card-understanding-and-evaluating.md | 37 ++++----- ...tual-smart-card-use-virtual-smart-cards.md | 20 ++--- .../virtual-smart-card-deprecation-notice.md | 7 ++ .../tpm/how-windows-uses-the-tpm.md | 2 + .../tpm/tpm-fundamentals.md | 28 +++---- 16 files changed, 126 insertions(+), 187 deletions(-) create mode 100644 windows/security/includes/virtual-smart-card-deprecation-notice.md diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 9f840b293a..d2d1fa36bd 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -385,19 +385,19 @@ href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md - name: Smart Card Events href: identity-protection/smart-cards/smart-card-events.md - - name: Virtual Smart Cards + - name: Virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md items: - - name: Understanding and Evaluating Virtual Smart Cards + - name: Understand and evaluate virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md items: - - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" + - name: Get started with virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md - - name: Use Virtual Smart Cards + - name: Use virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md - - name: Deploy Virtual Smart Cards + - name: Deploy virtual smart cards href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md - - name: Evaluate Virtual Smart Card Security + - name: Evaluate virtual smart card security href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md - name: Tpmvscmgr href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 982ee0f388..a4f6503fc1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -196,7 +196,7 @@ sections: No. While it's possible to set a convenience PIN on Azure AD joined and hybrid Azure AD joined devices, convenience PIN isn't supported for Azure AD user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users. - question: What about virtual smart cards? answer: | - Windows Hello for Business is the modern, two-factor credential for Windows. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows deployments use Windows Hello for Business. + Windows Hello for Business is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business. - question: What URLs do I need to allow for a hybrid deployment? - question: What URLs do I need to allow for a hybrid deployment? answer: | For a list of required URLs, see [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index ce118ce681..7af93f033d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -1,10 +1,10 @@ --- title: Windows Hello for Business cloud Kerberos trust deployment description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario. -ms.date: 11/1/2022 +ms.date: 02/22/2023 appliesto: - ✅ Windows 10, version 21H2 and later -ms.topic: article +ms.topic: tutorial --- # Cloud Kerberos trust deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 0efcd603a1..5eb87bbe29 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -16,6 +16,8 @@ Although the organization may require users to change their Active Directory or People who are currently using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up Hello. +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] + ## On devices owned by the organization When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**. diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md index c42735cfe2..dc71f52903 100644 --- a/windows/security/identity-protection/index.md +++ b/windows/security/identity-protection/index.md @@ -16,7 +16,9 @@ ms.technology: itpro-security # Identity and access management -Learn more about identity and access management technologies in Windows 10 and Windows 11. +Learn more about identity and access management technologies in Windows. + +[!INCLUDE [virtual-smart-card-deprecation-notice](../includes/virtual-smart-card-deprecation-notice.md)] | Section | Description | |-|-| diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index 9ba3ee5da6..d5912c3e8d 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md @@ -1,20 +1,12 @@ --- title: Smart Card Technical Reference (Windows) description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma ms.reviewer: ardenw -manager: aaroncz ms.topic: article -ms.localizationpriority: medium ms.date: 09/24/2021 -appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.technology: itpro-security --- @@ -44,7 +36,9 @@ Smart cards provide: Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates. -**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. For information about virtual smart card technology, see [Virtual Smart Card Overview](../virtual-smart-cards/virtual-smart-card-overview.md). +**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware. + +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] ## In this technical reference diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index a29f378683..717805b3c6 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md @@ -1,22 +1,16 @@ --- title: Deploy Virtual Smart Cards (Windows 10) description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 -ms.technology: itpro-security +ms.date: 02/22/2023 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Deploy Virtual Smart Cards -Applies To: Windows 10, Windows Server 2016 +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution. @@ -24,7 +18,7 @@ Traditional identity devices, such as physical smart cards, follow a predictable ![Diagram of physical smart card lifecycle.](images/vsc-physical-smart-card-lifecycle.png) -Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you’ll retire devices when they exceed their intended lifetime or when employees leave the company. +Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you'll retire devices when they exceed their intended lifetime or when employees leave the company. This topic contains information about the following phases in a virtual smart card lifecycle: @@ -71,7 +65,7 @@ A TPM virtual smart card simulates a physical smart card, and it uses the TPM to - **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). -There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users’ computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee’s possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer. +There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users' computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee's possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer. For information about the TPM Virtual Smart Card command-line tool, see [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md). @@ -85,7 +79,7 @@ Because the administrator key is critical to the security of the card, it is imp - **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they are not recorded. This is a valid option if the deployment administrators do not require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This could also be a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary. -- **Random, stored**: Administrator keys are assigned randomly and stored in a central location. Each card’s security is independent of the others. This is secure on a large scale unless the administrator key database is compromised. +- **Random, stored**: Administrator keys are assigned randomly and stored in a central location. Each card's security is independent of the others. This is secure on a large scale unless the administrator key database is compromised. - **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it does not need to be stored. The security of this method relies on the security of the secret used. @@ -99,13 +93,13 @@ TPM virtual smart cards can be personalized on an individual basis when they are Provisioning is the process of loading specific credentials onto a TPM virtual smart card. These credentials consist of certificates that are created to give users access to a specific service, such as domain sign in. A maximum of 30 certificates is allowed on each virtual smart card. As with physical smart cards, several decisions must be made regarding the provisioning strategy, based on the environment of the deployment and the desired level of security. -A high-assurance level of secure provisioning requires absolute certainty about the identity of the individual who is receiving the certificate. Therefore, one method of high-assurance provisioning is utilizing previously provisioned strong credentials, such as a physical smart card, to validate identity during provisioning. In-person proofing at enrollment stations is another option, because an individual can easily and securely prove his or her identity with a passport or driver’s license, although this can become infeasible on a larger scale. To achieve a similar level of assurance, a large organization can implement an “enroll-on-behalf-of” strategy, in which employees are enrolled with their credentials by a superior who can personally verify their identities. This creates a chain of trust that ensures individuals are checked in person against their proposed identities, but without the administrative strain of provisioning all virtual smart cards from a single central enrollment station. +A high-assurance level of secure provisioning requires absolute certainty about the identity of the individual who is receiving the certificate. Therefore, one method of high-assurance provisioning is utilizing previously provisioned strong credentials, such as a physical smart card, to validate identity during provisioning. In-person proofing at enrollment stations is another option, because an individual can easily and securely prove his or her identity with a passport or driver's license, although this can become infeasible on a larger scale. To achieve a similar level of assurance, a large organization can implement an "enroll-on-behalf-of" strategy, in which employees are enrolled with their credentials by a superior who can personally verify their identities. This creates a chain of trust that ensures individuals are checked in person against their proposed identities, but without the administrative strain of provisioning all virtual smart cards from a single central enrollment station. For deployments in which a high-assurance level is not a primary concern, you can use self-service solutions. These can include using an online portal to obtain credentials or simply enrolling for certificates by using Certificate Manager, depending on the deployment. Consider that virtual smart card authentication is only as strong as the method of provisioning. For example, if weak domain credentials (such as a password alone) are used to request the authentication certificate, virtual smart card authentication will be equivalent to using only the password, and the benefits of two-factor authentication are lost. For information about using Certificate Manager to configure virtual smart cards, see [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md). -High-assurance and self-service solutions approach virtual smart card provisioning by assuming that the user’s computer has been issued prior to the virtual smart card deployment, but this is not always the case. If virtual smart cards are being deployed with new computers, they can be created, personalized, and provisioned on the computer before the user has contact with that computer. +High-assurance and self-service solutions approach virtual smart card provisioning by assuming that the user's computer has been issued prior to the virtual smart card deployment, but this is not always the case. If virtual smart cards are being deployed with new computers, they can be created, personalized, and provisioned on the computer before the user has contact with that computer. In this situation, provisioning becomes relatively simple, but identity checks must be put in place to ensure that the recipient of the computer is the individual who was expected during provisioning. This can be accomplished by requiring the employee to set the initial PIN under the supervision of the deployment administrator or manager. @@ -192,7 +186,7 @@ Certificate revocation requires careful planning. When information about the cer ## Unmanaged cards -Unmanaged virtual smart cards are not serviceable by an IT administrator. Unmanaged cards might be suitable if an organzation does not have an elaborate smart card deployment management tool and using remote desktop connections to manage the card is not desirable. Because unmanaged cards are not serviceable by the IT administrator, when a user needs help with a virtual smart card (for example, resetting or unlocking a PIN), the only option available to the user is to delete the card and create it again. This results in loss of the user’s credentials and he or she must re-enroll. +Unmanaged virtual smart cards are not serviceable by an IT administrator. Unmanaged cards might be suitable if an organzation does not have an elaborate smart card deployment management tool and using remote desktop connections to manage the card is not desirable. Because unmanaged cards are not serviceable by the IT administrator, when a user needs help with a virtual smart card (for example, resetting or unlocking a PIN), the only option available to the user is to delete the card and create it again. This results in loss of the user's credentials and he or she must re-enroll. ### Unmanaged card creation @@ -222,7 +216,7 @@ Another option is to have the user access an enrollment portal that is available You can provide users with a short-term certificate through a Personal Information Exchange (.pfx) file. You can generate the .pfx file by initiating a request from a domain-joined computer. Additional policy constraints can be enforced on the .pfx file to assert the identity of the user. -The user can import the certificate into the **MY** store (which is the user’s certificate store). And your organization can present the user with a script that can be used to sign the request for the short-term certificate and to request a virtual smart card. +The user can import the certificate into the **MY** store (which is the user's certificate store). And your organization can present the user with a script that can be used to sign the request for the short-term certificate and to request a virtual smart card. For deployments that require users to use a physical smart card to sign the certificate request, you can use the procedure: @@ -246,11 +240,11 @@ Certificate revocation requires careful planning. When information about the cer Maintenance is a significant portion of the virtual smart card lifecycle and one of the most important considerations from a management perspective. After virtual smart cards are created, personalized, and provisioned, they can be used for convenient two-factor authentication. Deployment administrators must be aware of several common administrative scenarios, which can be approached by using a purchased virtual smart card solution or on a case-by-case basis with in-house methods. -**Renewal**: Renewing virtual smart card credentials is a regular task that is necessary to preserve the security of a virtual smart card deployment. Renewal is the result of a signed request from a user who specifies the key pair desired for the new credentials. Depending on user’s choice or deployment specification, the user can request credentials with the same key pair as previously used, or choose a newly generated key pair. +**Renewal**: Renewing virtual smart card credentials is a regular task that is necessary to preserve the security of a virtual smart card deployment. Renewal is the result of a signed request from a user who specifies the key pair desired for the new credentials. Depending on user's choice or deployment specification, the user can request credentials with the same key pair as previously used, or choose a newly generated key pair. When renewing with a previously used key, no extra steps are required because a strong certificate with this key was issued during the initial provisioning. However, when the user requests a new key pair, you must take the same steps that were used during provisioning to assure the strength of the credentials. Renewal with new keys should occur periodically to counter sophisticated long-term attempts by malicious users to infiltrate the system. When new keys are assigned, you must ensure that the new keys are being used by the expected individuals on the same virtual smart cards. -**Resetting PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user’s identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued. +**Resetting PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user's identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued. **Lockout reset**: A frequent precursor to resetting a PIN is the necessity of resetting the TPM lockout time because the TPM anti-hammering logic will be engaged with multiple PIN entry failures for a virtual smart card. This is currently device specific. @@ -262,7 +256,7 @@ The card should be reissued if the same computer is used by other employees with #### Card reissuance -The most common scenario in an organization is reissuing virtual smart cards, which can be necessary if the operating system is reinstalled or if the virtual smart card is compromised in some manner. Reissuance is essentially the recreation of the card, which involves establishing a new PIN and administrator key and provisioning a new set of associated certificates. This is an immediate necessity when a card is compromised, for example, if the virtual smart card-protected computer is exposed to an adversary who might have access to the correct PIN. Reissuance is the most secure response to an unknown exposure of a card’s privacy. Additionally, reissuance is necessary after an operating system is reinstalled because the virtual smart card device profile is removed with all other user data when the operating system is reinstalled. +The most common scenario in an organization is reissuing virtual smart cards, which can be necessary if the operating system is reinstalled or if the virtual smart card is compromised in some manner. Reissuance is essentially the recreation of the card, which involves establishing a new PIN and administrator key and provisioning a new set of associated certificates. This is an immediate necessity when a card is compromised, for example, if the virtual smart card-protected computer is exposed to an adversary who might have access to the correct PIN. Reissuance is the most secure response to an unknown exposure of a card's privacy. Additionally, reissuance is necessary after an operating system is reinstalled because the virtual smart card device profile is removed with all other user data when the operating system is reinstalled. #### Blocked virtual smart card diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index c2913cb244..4b82db2473 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md @@ -1,26 +1,22 @@ --- title: Evaluate Virtual Smart Card Security (Windows 10) description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 -ms.technology: itpro-security +ms.topic: conceptual +ms.date: 02/22/2023 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Evaluate Virtual Smart Card Security +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] + This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards. ## Virtual smart card non-exportability details -A crucial aspect of TPM virtual smart cards is their ability to securely store and use secret data, specifically that the secured data is non-exportable. Data can be accessed and used within the virtual smart card system, but it is meaningless outside of its intended environment. In TPM virtual smart cards, security is ensured with a secure key hierarchy, which includes several chains of encryption. This originates with the TPM storage root key, which is generated and stored within the TPM and never exposed outside the chip. The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN in such a way that changing the PIN doesn’t require re-encryption of the data. +A crucial aspect of TPM virtual smart cards is their ability to securely store and use secret data, specifically that the secured data is non-exportable. Data can be accessed and used within the virtual smart card system, but it is meaningless outside of its intended environment. In TPM virtual smart cards, security is ensured with a secure key hierarchy, which includes several chains of encryption. This originates with the TPM storage root key, which is generated and stored within the TPM and never exposed outside the chip. The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN in such a way that changing the PIN doesn't require re-encryption of the data. The following diagram illustrates the secure key hierarchy and the process of accessing the user key. @@ -34,7 +30,7 @@ The following keys are stored on the hard disk: - Authorization key for the user key decryption, which is encrypted by the public portion of the smart card key -When the user enters a PIN, the use of the decrypted smart card key is authorized with this PIN. If this authorization succeeds, the decrypted smart card key is used to decrypt the auth key. The auth key is then provided to the TPM to authorize the decryption and use of the user’s key that is stored on the virtual smart card. +When the user enters a PIN, the use of the decrypted smart card key is authorized with this PIN. If this authorization succeeds, the decrypted smart card key is used to decrypt the auth key. The auth key is then provided to the TPM to authorize the decryption and use of the user's key that is stored on the virtual smart card. The auth key is the only sensitive data that is used as plaintext outside the TPM, but its presence in memory is protected by Microsoft Data Protection API (DPAPI), such that before being stored in any way, it is encrypted. All data other than the auth key is processed only as plaintext within the TPM, which is completely isolated from external access. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index d29782a291..acfb1609d8 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md @@ -1,21 +1,17 @@ --- title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10) description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 -ms.technology: itpro-security +ms.topic: conceptual +ms.date: 02/22/2023 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Get Started with Virtual Smart Cards: Walkthrough Guide +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] + This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards. Virtual smart cards are a technology from Microsoft, which offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md index 22c293e635..ddf67cb799 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md @@ -1,33 +1,22 @@ --- -title: Virtual Smart Card Overview (Windows 10) -description: Learn more about the virtual smart card technology that was developed by Microsoft. Find links to additional topics about virtual smart cards. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz +title: Virtual Smart Card Overview +description: Learn about virtual smart card technology for Windows. ms.topic: conceptual -ms.localizationpriority: medium -ms.date: 10/13/2017 -appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 -ms.technology: itpro-security +ms.date: 02/22/2023 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Virtual Smart Card Overview -This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft and includes [links to additional topics](#see-also) to help you evaluate, plan, provision, and administer virtual smart cards. +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] -**Did you mean…** - -- [Smart Cards](../smart-cards/smart-card-windows-smart-card-technical-reference.md) - -> [!NOTE] -> [Windows Hello for Business](../hello-for-business/hello-identity-verification.md) is the modern, two-factor authentication for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date has been set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows 10 deployments use Windows Hello for Business. Virtual smart cards remain supported for Windows 7 and Windows 8. +This topic for IT professional provides an overview of the virtual smart card technology. ## Feature description -Virtual smart card technology from Microsoft offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys that are used for authentication are stored in cryptographically secured hardware. +Virtual smart card technology offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on devices, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys that are used for authentication are stored in cryptographically-secured hardware. By utilizing TPM devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering. @@ -41,7 +30,7 @@ Virtual smart cards are functionally similar to physical smart cards and appear After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain strongly authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain. -In practice, this is as easy as entering a password to access the system. Technically, it is far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request could not have possibly originated from a system other than the system certified by the domain for this user’s access, and the user could not have initiated the request without knowing the PIN, a strong two-factor authentication is established. +In practice, this is as easy as entering a password to access the system. Technically, it is far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request could not have possibly originated from a system other than the system certified by the domain for this user's access, and the user could not have initiated the request without knowing the PIN, a strong two-factor authentication is established. **Client authentication** @@ -49,7 +38,7 @@ Virtual smart cards can also be used for client authentication by using Secure S **Virtual smart card redirection for remote desktop connections** -The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the computers that they access domain resources through. Therefore, when a user remotely connects to a computer that is hosting virtual smart cards, the virtual smart cards that are located on the remote computer cannot be used during the remote session. However, the virtual smart cards that are stored on the connecting computer (which is under physical control of the user) are loaded onto the remote computer, and they can be used as if they were installed by using the remote computer’s TPM. This extends a user’s privileges to the remote computer, while maintaining the principles of two-factor authentication. +The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the computers that they access domain resources through. Therefore, when a user remotely connects to a computer that is hosting virtual smart cards, the virtual smart cards that are located on the remote computer cannot be used during the remote session. However, the virtual smart cards that are stored on the connecting computer (which is under physical control of the user) are loaded onto the remote computer, and they can be used as if they were installed by using the remote computer's TPM. This extends a user's privileges to the remote computer, while maintaining the principles of two-factor authentication. **Windows To Go and virtual smart cards** @@ -59,11 +48,11 @@ Virtual smart cards work well with Windows To Go, where a user can boot into a s **S/MIME email encryption** -Physical smart cards are designed to hold private keys that can be used for email encryption and decryption. This functionality also exists in virtual smart cards. By using S/MIME with a user’s public key to encrypt email, the sender of an email can be assured that only the person with the corresponding private key will be able to decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption. +Physical smart cards are designed to hold private keys that can be used for email encryption and decryption. This functionality also exists in virtual smart cards. By using S/MIME with a user's public key to encrypt email, the sender of an email can be assured that only the person with the corresponding private key will be able to decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption. **BitLocker for data volumes** -sBitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user’s hard drive. This ensures that if the physical ownership of a hard drive is compromised, an adversary will not be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive and possession of the computer that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be very difficult. +sBitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. This ensures that if the physical ownership of a hard drive is compromised, an adversary will not be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive and possession of the computer that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be very difficult. BitLocker can also be used to encrypt portable drives, which involves storing keys in virtual smart cards. In this scenario (unlike using BitLocker with a physical smart card), the encrypted drive can be used only when it is connected to the host for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from this computer. However, this method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive. @@ -71,7 +60,7 @@ BitLocker can also be used to encrypt portable drives, which involves storing ke **Signing data** -To verify authorship of data, a user can sign it by using a private key that is stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. If the key is stored in an operating system that is accessible, a malicious user could access it and use it to modify already signed data or to spoof the key owner’s identity. However, if this key is stored in a virtual smart card, it can be used only to sign data on the host computer. It cannot be exported to other systems (intentionally or unintentionally, such as with malware theft). This makes digital signatures far more secure than other methods for private key storage. +To verify authorship of data, a user can sign it by using a private key that is stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. If the key is stored in an operating system that is accessible, a malicious user could access it and use it to modify already signed data or to spoof the key owner's identity. However, if this key is stored in a virtual smart card, it can be used only to sign data on the host computer. It cannot be exported to other systems (intentionally or unintentionally, such as with malware theft). This makes digital signatures far more secure than other methods for private key storage. ## New and changed functionality as of Windows 8.1 @@ -83,19 +72,13 @@ The DCOM Interfaces for Trusted Platform Module (TPM) Virtual Smart Card device Starting with Windows 8.1, application developers can build into their apps the following virtual smart card maintenance capabilities to relieve some of your administrative burdens. -- Create a new virtual smart card or select a virtual smart card from the list of available virtual smart cards on the system. Identify the one that the application is supposed to work with. - -- Personalize the virtual smart card. - -- Change the admin key. - -- Diversify the admin key which allows the user to unblock the PIN in a PIN-blocked scenario. - -- Change the PIN. - -- Reset or Unblock the PIN. - -- Destroy the virtual smart card. +- Create a new virtual smart card or select a virtual smart card from the list of available virtual smart cards on the system. Identify the one that the application is supposed to work with +- Personalize the virtual smart card +- Change the admin key +- Diversify the admin key which allows the user to unblock the PIN in a PIN-blocked scenario +- Change the PIN +- Reset or Unblock the PIN +- Destroy the virtual smart card **What works differently?** @@ -107,24 +90,4 @@ For more information about managing these capabilities in virtual smart cards, s ## Hardware requirements -To use the virtual smart card technology, TPM 1.2 is the minimum required for computers running Windows 10 or Windows Server 2016. - -## Software requirements - -To use the virtual smart card technology, computers must be running one of the following operating systems: - -- Windows Server 2016 -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows 10 -- Windows 8.1 -- Windows 8 - -## See also - -- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md) -- [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md) -- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) -- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md) -- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md) -- [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md) \ No newline at end of file +To use the virtual smart card technology, TPM 1.2 is the minimum required for devices running a supported operating system. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md index 521d0afec7..2b7bccd7f5 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md @@ -1,21 +1,17 @@ --- title: Tpmvscmgr (Windows 10) description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 -ms.technology: itpro-security +ms.topic: conceptual +ms.date: 02/22/2023 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Tpmvscmgr +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] + The Tpmvscmgr command-line tool allows users with Administrative credentials to create and delete TPM virtual smart cards on a computer. For examples of how this command can be used, see [Examples](#examples). ## Syntax @@ -26,7 +22,7 @@ The Tpmvscmgr command-line tool allows users with Administrative credentials to ### Parameters for Create command -The Create command sets up new virtual smart cards on the user’s system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format ROOT\\SMARTCARDREADER\\000n where n starts from 0 and is increased by 1 each time you create a new virtual smart card. +The Create command sets up new virtual smart cards on the user's system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format ROOT\\SMARTCARDREADER\\000n where n starts from 0 and is increased by 1 each time you create a new virtual smart card. | Parameter | Description | |-----------|-------------| diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index 0475663ff5..0d76c7ea47 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md @@ -2,20 +2,17 @@ title: Understanding and Evaluating Virtual Smart Cards (Windows 10) description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards. ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 -ms.technology: itpro-security +ms.topic: conceptual +ms.date: 02/22/2023 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Understanding and Evaluating Virtual Smart Cards +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] + This topic for the IT professional describes the virtual smart card technology that was developed by Microsoft; suggests how it can fit into your authentication design; and provides links to additional resources that you can use to design, deploy, and troubleshoot virtual smart cards. Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering. @@ -55,7 +52,7 @@ The following subsections compare the functionality, security, and cost of virtu **Functionality** -The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There is no method to export the user’s virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users. +The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There is no method to export the user's virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users. The basic user experience for a virtual smart card is as simple as using a password to access a network. Because the smart card is loaded by default, the user must simply enter the PIN that is tied to the card to gain access. Users are no longer required to carry cards and readers or to take physical action to use the card. @@ -65,7 +62,7 @@ Additionally, although the anti-hammering functionality of the virtual smart car Physical smart cards and virtual smart cards offer comparable levels of security. They both implement two-factor authentication for using network resources. However, they differ in certain aspects, including physical security and the practicality of an attack. Due to their compact and portable design, conventional smart cards are most frequently kept close to their intended user. They offer little opportunity for acquisition by a potential adversary, so any sort of interaction with the card is difficult without committing some variety of theft. -TPM virtual smart cards, however, reside on a user’s computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack somewhat simpler. Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user. +TPM virtual smart cards, however, reside on a user's computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack somewhat simpler. Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user. However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost. Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user will more immediately notice its loss than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised. @@ -82,16 +79,16 @@ Additionally, the maintenance cost of virtual smart cards is less than that for | Protects private keys by using the built-in cryptographic functionality of the card. | Protects private keys by using the cryptographic functionality of the TPM. | | Stores private keys in isolated non-volatile memory on the card, which means that access to private keys is only from the card, and access is never allowed to the operating system. | Stores encrypted private keys on the hard drive. The encryption ensures that these keys can only be decrypted and used in the TPM, not in the accessible memory of the operating system. | | Guarantees non-exportability through the card manufacturer, which includes isolating private information from operating system access. | Guarantees non-exportability through the TPM manufacturer, which includes the inability of an adversary to replicate or remove the TPM. | -| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user’s computer or device. | +| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user's computer or device. | | Provides anti-hammering through the card. After a certain number of failed PIN entry attempts, the card blocks further access until administrative action is taken. | Provides anti-hammering through the TPM. Successive failed attempts increase the device lockout time (the time the user has to wait before trying again). This can be reset by an administrator. | | Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without additional equipment. | | Enables credential portability by inserting the smart card into smart card readers that are attached to other computers. | Prevents exporting credentials from a given computer or device. However, virtual smart cards can be issued for the same user on multiple computers or devices by using additional certificates. | | Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. | -| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user’s computer, which may be left unattended and allow a greater risk window for hammering attempts. | +| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user's computer, which may be left unattended and allow a greater risk window for hammering attempts. | | Provides a generally single-purpose device that is carried explicitly for the purpose of authentication. The smart card can be easily misplaced or forgotten. | Installs the virtual smart card on a device that has other purposes for the user, so the user has greater incentive to be responsible for the computer or device. | | Alerts users that their card is lost or stolen only when they need to sign in and notice it is missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. This reduces the associated risk window. | | Requires companies to invest in smart cards and smart card readers for all employees. | Requires that companies ensure all employees have TPM-enabled computers, which are relatively common. | -| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user’s sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and cannot be removed from the computer. | +| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user's sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and cannot be removed from the computer. | ## Authentication design options @@ -99,19 +96,19 @@ The following section presents several commonly used options and their respectiv **Passwords** -A password is a secret string of characters that is tied to the identification credentials for a user’s account. This establishes the user’s identity. Although passwords are the most commonly used form of authentication, they are also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users. +A password is a secret string of characters that is tied to the identification credentials for a user's account. This establishes the user's identity. Although passwords are the most commonly used form of authentication, they are also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users. -Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they cannot be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user’s password and impersonate that person’s identity. A user often will not realize that the password is compromised, which makes it is easy for a malicious user to maintain access to a system if a valid password has been obtained. +Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they cannot be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user's password and impersonate that person's identity. A user often will not realize that the password is compromised, which makes it is easy for a malicious user to maintain access to a system if a valid password has been obtained. **One-time passwords** -A one-time password (OTP) is similar to a traditional password, but it is more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. However, assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor cannot use it for any future transactions. Similarly, if a malicious user obtains a valid user’s OTP, the interceptor will have limited access to the system (only one session). +A one-time password (OTP) is similar to a traditional password, but it is more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. However, assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor cannot use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session). **Smart cards** Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security: -- **Non-exportability**: Information stored on the card, such as the user’s private keys, cannot be extracted from one device and used in another medium. +- **Non-exportability**: Information stored on the card, such as the user's private keys, cannot be extracted from one device and used in another medium. - **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer cannot observe the transactions. @@ -127,7 +124,7 @@ Unfortunately, this additional security comes with added material and support co To address these issues, virtual smart cards emulate the functionality of traditional smart cards, but instead of requiring the purchase of additional hardware, they utilize technology that users already own and are more likely to have with them at all times. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. However, the virtual smart card platform developed by Microsoft is currently limited to the use of the Trusted Platform Module (TPM) chip, which is installed on most modern computers. -Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards (non-exportability, isolated cryptography, and anti-hammering). They are also less expensive to implement and more convenient for users. Because many corporate computers already have a built-in TPM, there is no cost associated with purchasing new hardware. The user’s possession of a computer or device is equivalent to the possession of a smart card, and a user’s identity cannot be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card. +Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards (non-exportability, isolated cryptography, and anti-hammering). They are also less expensive to implement and more convenient for users. Because many corporate computers already have a built-in TPM, there is no cost associated with purchasing new hardware. The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity cannot be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card. ## See also diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index beb70ccddd..3313e66348 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -1,21 +1,17 @@ --- title: Use Virtual Smart Cards (Windows 10) description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them. -ms.prod: windows-client -author: paolomatarazzo -ms.author: paoloma -manager: aaroncz -ms.topic: article -ms.localizationpriority: medium -ms.date: 10/13/2017 -appliesto: - - ✅ Windows 10 - - ✅ Windows Server 2016 -ms.technology: itpro-security +ms.topic: conceptual +ms.date: 02/22/2023 +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Use Virtual Smart Cards +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] + This topic for the IT professional describes requirements for virtual smart cards, how to use virtual smart cards, and tools that are available to help you create and manage them. ## Requirements, restrictions, and limitations @@ -96,7 +92,7 @@ If the operating system is reinstalled, prior TPM virtual smart cards are no lon ### TPM in lockout state -Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it is necessary to reset the lockout on the TPM by using the owner’s password or to wait for the lockout to expire. Unblocking the user PIN does not reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it is blocked. When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool. +Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it is necessary to reset the lockout on the TPM by using the owner's password or to wait for the lockout to expire. Unblocking the user PIN does not reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it is blocked. When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool. ## See also diff --git a/windows/security/includes/virtual-smart-card-deprecation-notice.md b/windows/security/includes/virtual-smart-card-deprecation-notice.md new file mode 100644 index 0000000000..3301533e05 --- /dev/null +++ b/windows/security/includes/virtual-smart-card-deprecation-notice.md @@ -0,0 +1,7 @@ +--- +ms.date: 02/22/2023 +ms.topic: include +--- + +> [!WARNING] +> [Windows Hello for Business](../identity-protection/hello-for-business/hello-identity-verification.md) is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business. \ No newline at end of file diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index d1f3ca2437..845ae2eb42 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -62,6 +62,8 @@ These TPM features give Platform Crypto Provider distinct advantages over softwa ## Virtual Smart Card +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] + Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers. In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes "something the user has" but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses. diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index e6fafb1224..d459f59799 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -34,23 +34,15 @@ For info about which versions of Windows support which versions of the TPM, see The following sections provide an overview of the technologies that support the TPM: -- [Measured Boot with support for attestation](#measured-boot-with-support-for-attestation) - -- [TPM-based Virtual Smart Card](#tpm-based-virtual-smart-card) - -- [TPM-based certificate storage](#tpm-based-certificate-storage) - -- [TPM Cmdlets](#tpm-cmdlets) - -- [Physical presence interface](#physical-presence-interface) - -- [TPM 1.2 states and initialization](#tpm-12-states-and-initialization) - -- [Endorsement keys](#endorsement-keys) - -- [TPM Key Attestation](#key-attestation) - -- [Anti-hammering](#anti-hammering) +- [Measured Boot with support for attestation](#measured-boot-with-support-for-attestation) +- [TPM-based Virtual Smart Card](#tpm-based-virtual-smart-card) +- [TPM-based certificate storage](#tpm-based-certificate-storage) +- [TPM Cmdlets](#tpm-cmdlets) +- [Physical presence interface](#physical-presence-interface) +- [TPM 1.2 states and initialization](#tpm-12-states-and-initialization) +- [Endorsement keys](#endorsement-keys) +- [TPM Key Attestation](#key-attestation) +- [Anti-hammering](#anti-hammering) The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings: [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). @@ -61,6 +53,8 @@ The Measured Boot feature provides antimalware software with a trusted (resistan ## TPM-based Virtual Smart Card +[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] + The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip that is available on an organization's computers, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. ## TPM-based certificate storage From 074733d33370cfa7954e187f8d6f20664b850339 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 22 Feb 2023 16:22:04 -0500 Subject: [PATCH 02/37] updates --- ...ackup-tpm-recovery-information-to-ad-ds.md | 32 +++----- .../tpm/how-windows-uses-the-tpm.md | 46 +++++------ ...lize-and-configure-ownership-of-the-tpm.md | 31 +++---- .../switch-pcr-banks-on-tpm-2-0-devices.md | 15 ++-- .../tpm/tpm-fundamentals.md | 80 +++++++++---------- .../tpm/tpm-recommendations.md | 21 ++--- .../tpm/trusted-platform-module-overview.md | 16 ++-- ...m-module-services-group-policy-settings.md | 14 ++-- .../tpm/trusted-platform-module-top-node.md | 19 ++--- 9 files changed, 113 insertions(+), 161 deletions(-) diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md index 1f711c3493..1f2a9067e6 100644 --- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md @@ -1,30 +1,18 @@ --- -title: Back up the TPM recovery information to AD DS (Windows) -description: This topic for the IT professional describes backup of Trusted Platform Module (TPM) information. -ms.reviewer: +title: Backup TPM recovery information to Active Directory +description: Learn how to backup the Trusted Platform Module (TPM) recovery information to Active Directory. ms.prod: windows-client -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz ms.topic: conceptual -ms.date: 09/03/2021 +ms.date: 02/02/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 11 +- ✅ Windows Server 2016 and later --- -# Back up the TPM recovery information to AD DS +# Backup the TPM recovery information to AD DS -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - -**Does not apply to** - -- Windows 10, version 1607 or later - -With Windows 10, versions 1511 and 1507, or Windows 11, you can back up a computer's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)). - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) \ No newline at end of file +With Windows 11, you can back up a computer's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)). diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index 845ae2eb42..f886cc3480 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -1,30 +1,21 @@ --- title: How Windows uses the TPM -description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it to enhance security. -ms.reviewer: +description: Learn how Windows uses the Trusted Platform Module (TPM) to enhance security. ms.prod: windows-client -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz ms.topic: conceptual -ms.date: 09/03/2021 +ms.date: 02/02/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # How Windows uses the Trusted Platform Module -The Windows operating system improves most existing security features in the operating system and adds groundbreaking new security features such as Device Guard and Windows Hello for Business. It places hardware-based security deeper inside the operating system than previous Windows versions had done, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows makes extensive use of the Trusted Platform Module (TPM). This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows and the cumulative security impact of running Windows on a PC that contains a TPM. - - -**See also:** -- [Windows 11 Specifications](https://www.microsoft.com/windows/windows-11-specifications) - -- [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) - -- [TPM Fundamentals](tpm-fundamentals.md) - -- [TPM Recommendations](tpm-recommendations.md)  +The Windows operating system places hardware-based security deeper inside many features, maximizing platform security while increasing usability. To achieve many of these security enhancements, Windows makes extensive use of the Trusted Platform Module (TPM). This article offers an overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows and the cumulative security impact of running Windows on a device with a TPM. ## TPM Overview @@ -32,17 +23,17 @@ The TPM is a cryptographic module that enhances computer security and privacy. P Historically, TPMs have been discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. -TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user reinstalls the operating system, user may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM's features. +TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the operating system is reinstalled, the TPM may be required to be explicitly re-provisioned before it can use all the TPM's features. The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). -OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly cannot leave the TPM*. +OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone can't achieve. For example, software alone can't reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly can't leave the TPM*. -The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not. +The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others don't. Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. Although having a TPM is clearly better than not having a TPM, Microsoft's best advice is to determine your organization's security needs and research any regulatory requirements associated with procurement for your industry. The result is a balance between scenarios used, assurance level, cost, convenience, and availability. -## TPM in Windows +## TPM in Windows The security features of Windows combined with the benefits of a TPM offer practical security and privacy benefits. The following sections start with major TPM-related security features in Windows and go on to describe how key technologies use the TPM to enable or increase security. @@ -52,9 +43,9 @@ Windows includes a cryptography framework called *Cryptographic API: Next Genera Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware. If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG. -The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively: +The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers can't offer or can't offer as effectively: -- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. +- **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they're vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they aren't removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM isn't a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. - **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. @@ -64,15 +55,15 @@ These TPM features give Platform Crypto Provider distinct advantages over softwa [!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] -Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers. +Smart cards are physical devices that typically store a single certificate and the corresponding private key. Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. Windows can then access the card's certificate and use the private key for authentication or to unlock BitLocker protected data volumes. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). However, smart cards can be expensive because they require purchase and deployment of both smart cards and smart card readers. -In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes "something the user has" but still requires a PIN. Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses. +In Windows, the *Virtual Smart Card* feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes *something the user has* but still requires a PIN. While physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses. -For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates "lost card" and "card left at home" scenarios while still delivering the benefits of smart card–based multifactor authentication. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. +For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key, so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership. The *lost card* or *card left at home* scenarios are not applicable, and the benefits of smart card-based multifactor authentication is preserved. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. ## Windows Hello for Business -Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, user name - password solutions for authentication often reuse the same user name – password combinations on multiple devices and services; if those credentials are compromised, they are compromised in many places. Windows Hello for Business provisions devices one by one and combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices. +Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, username/password solutions for authentication often reuse the same credential combinations on multiple devices and services. If those credentials are compromised, they are compromised in multiple places. Windows Hello for Business combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. On a system that has a TPM, the TPM can protect the key. If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices. The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Windows Hello for Business lets users authenticate with their existing Microsoft account, an Active Directory account, a Microsoft Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](https://go.microsoft.com/fwlink/p/?LinkId=533889). @@ -126,7 +117,6 @@ When new security features are added to Windows, Measured Boot adds security-rel :::image type="content" alt-text="Process to Create Evidence of Boot Software and Configuration Using TPM." source="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png" lightbox="images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png"::: *Figure 2: Process used to create evidence of boot software and configuration using a TPM* - ## Health Attestation Some Windows improvements help security solutions implement remote attestation scenarios. Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. The simple security assertions can be used to evaluate device health. diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index 0fa4cfb623..de9ce89cdd 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -1,34 +1,29 @@ --- title: Troubleshoot the TPM (Windows) description: This article for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM). -ms.reviewer: ms.prod: windows-client -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz -ms.collection: - - highpri - - tier1 ms.topic: conceptual -ms.date: 09/06/2021 +ms.date: 02/02/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later +ms.collection: +- highpri +- tier1 --- # Troubleshoot the TPM -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - This article provides information for the IT professional to troubleshoot the Trusted Platform Module (TPM): - [Troubleshoot TPM initialization](#troubleshoot-tpm-initialization) - - [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm) -With TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, you can also take the following actions: - +With TPM 1.2 and Windows 11, you can also take the following actions: - [Turn on or turn off the TPM](#turn-on-or-turn-off) For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). @@ -45,13 +40,13 @@ If you find that Windows isn't able to initialize the TPM automatically, review - If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system. -- If you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will re-initialize it. +- If you have TPM 1.2 with Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will re-initialize it. - If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM. -### Troubleshoot network connection issues for Windows 10, versions 1507 and 1511, or Windows 11 +### Troubleshoot network connection issues for Windows 11 -If you have Windows 10, version 1507 or 1511, or Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist: +If you have Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist: - An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy. diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index 6e27cc9532..adcf3d0a31 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -1,23 +1,20 @@ --- title: Understanding PCR banks on TPM 2.0 devices (Windows) description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices. -ms.reviewer: ms.prod: windows-client -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz ms.topic: conceptual -ms.date: 09/06/2021 +ms.date: 02/02/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # Understanding PCR banks on TPM 2.0 devices -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This topic provides background about what happens when you switch PCR banks on TPM 2.0 devices. A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes – the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a PCR bank. diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index d459f59799..e9c39aac9f 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -9,28 +9,26 @@ manager: aaroncz ms.topic: conceptual ms.date: 12/27/2021 ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # TPM fundamentals -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and later +This article provides a description of the *Trusted Platform Module* (TPM 1.2 and TPM 2.0) components, and explains how they're used to mitigate dictionary attacks. -This article for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. +A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus. -A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus. +Devices that incorporate a TPM can create cryptographic keys and encrypt them, so that the keys can only be decrypted by the TPM. This process, often called *wrapping* or *binding a key*, can help protect the key from disclosure. Each TPM has a *master wrapping key*, called the *storage root key*, which is stored within the TPM itself. The private portion of a storage root key, or *endorsement key*, that is created in a TPM is never exposed to any other component, software, process, or user. -Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user. +You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys can't be migrated, the private portion of the key is never exposed outside the TPM. -You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM. - -Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as "sealing the key to the TPM." Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met. +Devices that incorporate a TPM can also create a key wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as *sealing the key to the TPM*. Decrypting the key is called *unsealing*. The TPM can also seal and unseal data that is generated outside the TPM. With sealed key and software, such as BitLocker Drive Encryption, data can be locked until specific hardware or software conditions are met. With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities that might exist in the operating system or application software. -For info about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module). +For information about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more information, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module). The following sections provide an overview of the technologies that support the TPM: @@ -44,22 +42,22 @@ The following sections provide an overview of the technologies that support the - [TPM Key Attestation](#key-attestation) - [Anti-hammering](#anti-hammering) -The following topic describes the TPM Services that can be controlled centrally by using Group Policy settings: +The following article describes the TPM services that can be controlled centrally by using Group Policy settings: [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). ## Measured Boot with support for attestation -The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. +The *Measured Boot* feature provides anti-malware software with a trusted (resistant to spoofing and tampering) log of all boot components. Anti-malware software can use the log to determine whether components that ran before it are trustworthy or infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate. ## TPM-based Virtual Smart Card [!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] -The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip that is available on an organization's computers, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. +The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the device. If a user needs to use more than one device, a Virtual Smart Card must be issued to the user for each device. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user. ## TPM-based certificate storage -The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The KSP is managed by templates in the UI. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal). +The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal). ## TPM Cmdlets @@ -75,59 +73,53 @@ TPM 1.2 has multiple possible states. Windows automatically initializes the TPM, ## Endorsement keys -A trusted application can use TPM only if the TPM contains an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and it is never revealed or accessible outside the TPM. +A trusted application can use TPM only if the TPM contains an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and it's never revealed or accessible outside the TPM. ## Key attestation -TPM key attestation allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM. +*TPM key attestation* allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM-attested key provides higher security assurance backed up by non-exportability, anti-hammering, and isolation of keys provided by a TPM. ## Anti-hammering -When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM is used to create a cryptographic key that is not disclosed outside the TPM. It is used in the TPM after the correct authorization value is provided. +When a TPM processes a command, it does so in a protected environment. For example a dedicated micro controller on a discrete chip, or a special hardware-protected mode on the main CPU. A TPM is used to create a cryptographic key that isn't disclosed outside the TPM. It's used in the TPM after the correct authorization value is provided. -TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur. +TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys isn't technically practical, so TPMs have a global lockout when too many authorization failures occur. -Because many entities can use the TPM, a single authorization success cannot reset the TPM's anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM's protection. TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM's lockout logic. +Because many entities can use the TPM, a single authorization success can't reset the TPM's anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM's protection. TPMs are designed to forget about authorization failures after a period of time so the TPM doesn't enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM's lockout logic. -### TPM 2.0 anti-hammering +### TPM 2.0 anti-hammering -TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry. +TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry. -For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. +For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. -Attempts to use a key with an authorization value for the next 10 minutes would not return success or failure; instead the response indicates that the TPM is locked. After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again. +Attempts to use a key with an authorization value for the next 10 minutes wouldn't return success or failure. Instead, the response indicates that the TPM is locked.\ +After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31. The TPM leaves the locked state and returns to normal operation.\ +With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM doesn't remember any authorization failures, and 32 failed attempts could occur again. -Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes. +Windows doesn't require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated.\ +Windows requires that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes. -The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators. +The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM, and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators. -In some enterprise situations, the TPM owner authorization value is configured to be stored centrally in Active Directory, and it is not stored on the local system. An administrator can launch the TPM MMC and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it is used to reset the lockout time. If the TPM owner password is not available on the local system, the administrator needs to provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM does not allow another attempt to reset the lockout state for 24 hours. +In some implementations, the TPM owner authorization value is stored centrally in Active Directory, and not on the local system. An administrator can execute `tpm.msc` and choose to reset the TPM lockout time. If the TPM owner password is stored locally, it's used to reset the lockout time. If the TPM owner password isn't available on the local system, the administrator must provide it. If an administrator attempts to reset the TPM lockout state with the wrong TPM owner password, the TPM doesn't allow another attempt to reset the lockout state for 24 hours. -TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked. +TPM 2.0 allows some keys to be created without an authorization value associated with them. These keys can be used when the TPM is locked. For example, BitLocker with a default TPM-only configuration is able to use a key in the TPM to start Windows, even when the TPM is locked. ### Rationale behind the defaults Originally, BitLocker allowed from 4 to 20 characters for a PIN. -Windows Hello has its own PIN for logon, which can be 4 to 127 characters. +Windows Hello has its own PIN for sign-in, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. -Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years. +Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years. -Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20). +Staring in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20). ### TPM-based smart cards The Windows TPM-based smart card, which is a virtual smart card, can be configured to allow sign in to the system. In contrast with physical smart cards, the sign-in process uses a TPM-based key with an authorization value. The following list shows the advantages of virtual smart cards: - -- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. With a virtual smart card, the TPM's anti-hammering protection is not reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors. - -- Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements. - -- The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait 10 minutes or use some other credential to sign in, such as a user name and password. - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/) -- [TPM WMI providers](/windows/win32/secprov/security-wmi-providers-reference) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md#tpm-hardware-configurations) +- Physical smart cards can enforce lockout for only the physical smart card PIN, and they can reset the lockout after the correct PIN is entered. + With a virtual smart card, the TPM's anti-hammering protection isn't reset after a successful authentication. The allowed number of authorization failures before the TPM enters lockout includes many factors +- Hardware manufacturers and software developers can use the security features of the TPM to meet their requirements +- The intent of selecting 32 failures as the lock-out threshold is to avoid users to lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must wait 10 minutes or use other credentials to sign in, such as a user name and password \ No newline at end of file diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 6207a1192c..49ae107749 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -1,28 +1,23 @@ --- title: TPM recommendations (Windows) description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. -ms.reviewer: ms.prod: windows-client -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz +ms.topic: conceptual +ms.date: 02/02/2023 +ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.collection: - highpri - tier1 -ms.topic: conceptual -ms.date: 09/06/2021 -ms.technology: itpro-security --- # TPM recommendations -**Applies to** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows. For a basic feature description of TPM, see the [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md). diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index f484ac475a..edc509184a 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -1,19 +1,19 @@ --- title: Trusted Platform Module Technology Overview (Windows) description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. -ms.reviewer: ms.prod: windows-client -ms.localizationpriority: high -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz +ms.topic: conceptual +ms.date: 02/02/2023 +ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.collection: - highpri - tier1 -ms.topic: conceptual -adobe-target: true -ms.technology: itpro-security -ms.date: 12/31/2017 --- # Trusted Platform Module Technology Overview diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index b6ff1df198..beefbdf4be 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -1,22 +1,20 @@ --- title: TPM Group Policy settings (Windows) description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. -ms.reviewer: ms.prod: windows-client -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz ms.topic: conceptual -ms.date: 09/06/2021 +ms.date: 02/02/2023 ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later --- # TPM Group Policy settings -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md index ca9f536057..fb8113bcd3 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md @@ -2,25 +2,22 @@ title: Trusted Platform Module (Windows) description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. ms.prod: windows-client -ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: paolomatarazzo +ms.author: paoloma manager: aaroncz +ms.topic: conceptual +ms.date: 02/02/2023 +ms.technology: itpro-security +appliesto: +- ✅ Windows 10 and later +- ✅ Windows Server 2016 and later ms.collection: - highpri - tier1 -ms.topic: conceptual -ms.date: 09/06/2021 -ms.technology: itpro-security --- # Trusted Platform Module -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. The following topics provide details. From 6e84400a3ce18609e0a68113d0a61937978d1f5a Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 22 Feb 2023 17:08:17 -0500 Subject: [PATCH 03/37] updates --- ...l-smart-card-deploy-virtual-smart-cards.md | 25 ++++++++----------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index 717805b3c6..31b8132479 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md @@ -18,7 +18,7 @@ Traditional identity devices, such as physical smart cards, follow a predictable ![Diagram of physical smart card lifecycle.](images/vsc-physical-smart-card-lifecycle.png) -Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you'll retire devices when they exceed their intended lifetime or when employees leave the company. +Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they're lost or stolen and reset PINs when users forget them. Finally, you'll retire devices when they exceed their intended lifetime or when employees leave the company. This topic contains information about the following phases in a virtual smart card lifecycle: @@ -38,12 +38,9 @@ The TPM Provisioning Wizard, which is launched from the **TPM Management Console When you create virtual smart cards, consider the following actions in the TPM: -- **Enable and Activate**: TPMs are built in to many industry ready computers, but they often are not enabled and activated by default. In some cases, the TPM must be enabled and activated through the BIOS. For more information, see Initialize and Configure Ownership of the TPM. - -- **Take ownership**: When you provision the TPM, you set an owner password for managing the TPM in the future, and you establish the storage root key. To provide anti-hammering protection for virtual smart cards, the user or a domain administrator must be able to reset the TPM owner password. - For corporate use of TPM virtual smart cards, we recommend that the corporate domain administrator restrict access to the TPM owner password by storing it in Active Directory, not in the local registry. When TPM ownership is set in Windows Vista, the TPM needs to be cleared and reinitialized. For more information, see Trusted Platform Module Technology Overview. - -- **Manage**: You can manage ownership of a virtual smart card by changing the owner password, and you can manage anti-hammering logic by resetting the lockout time. For more information, see Manage TPM Lockout. +- **Enable and Activate**: TPMs are built into many devices. In some cases, the TPM must be enabled and activated through the BIOS +- **Take ownership**: When you provision the TPM, you set an owner password for managing the TPM in the future, and you establish the *storage root key*. To provide anti-hammering protection for virtual smart cards, the user or a domain administrator must be able to reset the TPM owner password. For corporate use of TPM virtual smart cards, it's recommended that the domain administrator restricts access to the TPM owner password by storing it in Active Directory, and not in the local registry. When TPM ownership is set, the TPM must be cleared and reinitialized +- **Manage**: You can manage ownership of a virtual smart card by changing the owner password, and you can manage anti-hammering logic by resetting the lockout time A TPM might operate in reduced functionality mode. This could occur, for example, if the operating system cannot determine if the owner password is available to the user. In those cases, the TPM can be used to create a virtual smart card, but it is strongly recommended to bring the TPM to a fully ready state so that any unexpected circumstances will not leave the user blocked from using the computer. @@ -57,15 +54,15 @@ For more information about managing TPMs by using built-in tools, see Trusted Pl A TPM virtual smart card simulates a physical smart card, and it uses the TPM to provide the same functionality as physical smart card hardware. A virtual smart card appears within the operating system as a physical smart card that is always inserted. Supported versions of the Windows operating system present a virtual smart card reader and virtual smart card to applications with the same interface as physical smart cards, but messages to and from the virtual smart card are translated to TPM commands. This process ensures the integrity of the virtual smart card through the three properties of smart card security: -- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer. +- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). -- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. +- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. -- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. +- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). -There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using Tpmvscmgr.exe to create cards individually on users' computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee's possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer. +There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using `tpmvscmgr.exe` to create cards individually on users' computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee's possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer. For information about the TPM Virtual Smart Card command-line tool, see [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md). @@ -75,11 +72,11 @@ During virtual smart card personalization, the values for the administrator key, Because the administrator key is critical to the security of the card, it is important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include: -- **Uniform**: Administrator keys for all the virtual smart cards that are deployed in the organization are the same. Although this makes the maintenance infrastructure easy (only one key needs to be stored), it is highly insecure. This strategy might be sufficient for very small organizations, but if the administrator key is compromised, all virtual smart cards that use this key must be reissued. +- **Uniform**: Administrator keys for all the virtual smart cards that are deployed in the organization are the same. Although this makes the maintenance infrastructure easy (only one key needs to be stored), it is highly insecure. This strategy might be sufficient for very small organizations, but if the administrator key is compromised, all virtual smart cards that use this key must be reissued. -- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they are not recorded. This is a valid option if the deployment administrators do not require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This could also be a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary. +- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they are not recorded. This is a valid option if the deployment administrators do not require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This could also be a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary. -- **Random, stored**: Administrator keys are assigned randomly and stored in a central location. Each card's security is independent of the others. This is secure on a large scale unless the administrator key database is compromised. +- **Random, stored**: Administrator keys are assigned randomly and stored in a central location. Each card's security is independent of the others. This is secure on a large scale unless the administrator key database is compromised. - **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it does not need to be stored. The security of this method relies on the security of the secret used. From d4349a185bf7e1c13ad0724b26e61a113f50f24c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 22 Feb 2023 17:11:57 -0500 Subject: [PATCH 04/37] updates --- ...o-hybrid-cloud-kerberos-trust-provision.md | 249 ++++++++++++++++++ .../hello-for-business/toc.yml | 6 +- 2 files changed, 254 insertions(+), 1 deletion(-) create mode 100644 windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md new file mode 100644 index 0000000000..ebc0397734 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -0,0 +1,249 @@ +--- +title: Windows Hello for Business cloud Kerberos trust clients configuration and enrollment +description: Learn how to configure devices and enroll them in Windows Hello for Business in a cloud Kerberos trust scenario. +ms.date: 02/22/2023 +appliesto: +- ✅ Windows 10, version 21H2 and later +ms.topic: tutorial +--- +# Configure and provision Windows Hello for Business - cloud Kerberos trust + +[!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)] + +## Deployment steps + +Deploying Windows Hello for Business cloud Kerberos trust consists of two steps: + +1. Set up Azure AD Kerberos +1. Configure a Windows Hello for Business policy and deploy it to the devices + +### Deploy Azure AD Kerberos + +If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section. + +If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD][AZ-2] documentation. This page includes information on how to install and use the Azure AD Kerberos PowerShell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust. + +### Configure Windows Hello for Business policy + +After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). + +#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) + + + +## Configure Windows Hello for Business using Microsoft Intune + +For devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business. + +There are different ways to enable and configure Windows Hello for Business in Intune: + +- Using a policy applied at the tenant level. The tenant policy: + - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune + - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group +- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. Chose from the following policy types: + - [Settings catalog][MEM-1] + - [Security baselines][MEM-2] + - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4] + - [Account protection policy][MEM-5] + - [Identity protection policy template][MEM-6] + +### Verify the tenant-wide policy + +To check the Windows Hello for Business policy applied at enrollment time: + +1. Sign in to the Microsoft Endpoint Manager admin center +1. Select **Devices** > **Windows** > **Windows Enrollment** +1. Select **Windows Hello for Business** +1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured + +:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="images/whfb-intune-disable.png"::: + +If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy. + +### Enable and configure Windows Hello for Business + +To configure Windows Hello for Business using an *account protection* policy: + +1. Go to the Microsoft Endpoint Manager admin center +1. Select **Endpoint security** > **Account protection** +1. Select **+ Create Policy** +1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection** +1. Select **Create** +1. Specify a **Name** and, optionally, a **Description** > **Next** +1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available + - These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes** + - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business) +1. Under *Enable to certificate for on-premises resources*, select **Disabled** and multiple policies become available +1. Select **Next** +1. Optionally, add *scope tags* > **Next** +1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** +1. Review the policy configuration and select **Create** + + +<--> + +Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices. + +The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business. + +### Enable Windows Hello for Business + +If you already enabled Windows Hello for Business, you can skip to **configure the cloud Kerberos trust policy**. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy. + +You can also follow these steps to create a device configuration policy instead of using the device enrollment policy: + +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. +1. For Platform, select **Windows 10 and later**. +1. For Profile Type, select **Templates** and select the **Identity Protection** Template. +1. Name the profile with a familiar name. For example, "Windows Hello for Business". +1. In **Configurations settings**, set the **Configure Windows Hello for Business** option to **Enable**. +1. After setting Configure Windows Hello for Business to Enable, multiple policy options become available. These policies are optional to configure. More information on these policies is available in our documentation on managing [Windows Hello for Business in your organization](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). We recommend setting **Use a Trusted Platform Module (TPM)** to **Enable**. + + [![Intune custom device configuration policy creation](./images/hello-intune-enable.png)](./images/hello-intune-enable-large.png#lightbox) + +Assign the policy to a security group that contains as members the devices or users that you want to configure. + +Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog). + +### Configure cloud Kerberos trust policy + +To configure the cloud Kerberos trust policy, follow the steps below: + +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. +1. For Profile Type, select **Templates** and select the **Custom** Template. +1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust". +1. In Configuration Settings, add a new configuration with the following settings: + + | Setting | + |--------| + | | + + >[!IMPORTANT] + >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID. + + [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox) + +Assign the policy to a security group that contains as members the devices or users that you want to configure. + +#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) + +Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business. + +The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled. + +You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. + +cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration. + +> [!NOTE] +> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources). + +#### Update administrative templates + +You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files. + +You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1]. + +#### Create the Windows Hello for Business group policy object + +You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO). + +1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory +1. Edit the Group Policy object from Step 1 +1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business** +1. Select **Use Windows Hello for Business** > **Enable** > **OK** +1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK** +1. *Optional, but recommended*: select **Use a hardware security device** > **Enable** > **OK** + +--- + +> [!IMPORTANT] +> If the *Use certificate for on-premises authentication* policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy *not configured* or *disabled*. + +## Provision Windows Hello for Business + +The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy. + +You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\ +This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4]. + + ![Cloud Kerberos trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png) + +The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined. + +> [!NOTE] +> The cloud Kerberos trust prerequisite check isn't done on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory. + +### PIN Setup + +This is the process that occurs after a user signs in, to enroll in Windows Hello for Business: + +1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK** +1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry +1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device + +:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business."::: + +### Sign-in + +Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. + +## Migrate from key trust deployment model to cloud Kerberos trust + +If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps: + +1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) +1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business + +> [!NOTE] +> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. +> +> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails. + +## Migrate from certificate trust deployment model to cloud Kerberos trust + +> [!IMPORTANT] +> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust. + +If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps: + +1. Disable the certificate trust policy +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) +1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context +1. Sign out and sign back in +1. Provision Windows Hello for Business using a method of your choice + +> [!NOTE] +> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. + +## Troubleshooting + +If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the *Windows Feedback Hub* app by following these steps: + +1. Open **Feedback Hub**, and make sure that you're signed in +1. Submit feedback by selecting the following categories: + - Category: Security and Privacy + - Subcategory: Windows Hello PIN + +## Frequently Asked Questions + +For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](hello-faq.yml#cloud-kerberos-trust). + + + +[AZ-1]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises +[AZ-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module +[AZ-3]: /azure/active-directory/fundamentals/active-directory-how-to-find-tenant +[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd + +[MEM-1]: /mem/intune/protect/identity-protection-windows-settings + +[SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services + +[SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e +[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f + +[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index ee40135695..5dda6679a9 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -26,7 +26,11 @@ - name: Hybrid deployments items: - name: Cloud Kerberos trust deployment - href: hello-hybrid-cloud-kerberos-trust.md + items: + - name: Overview + href: hello-hybrid-cloud-kerberos-trust.md + - name: Configure and provision Windows Hello for Business + href: hello-hybrid-cloud-kerberos-trust-provision.md - name: Key trust deployment items: - name: Overview From d1eba7942be9e58224e648c59c0ac94455ba0ac6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 22 Feb 2023 17:17:44 -0500 Subject: [PATCH 05/37] TOC update --- .../identity-protection/hello-for-business/toc.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 5dda6679a9..fb0ad0ce58 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -26,11 +26,11 @@ - name: Hybrid deployments items: - name: Cloud Kerberos trust deployment - items: - - name: Overview - href: hello-hybrid-cloud-kerberos-trust.md - - name: Configure and provision Windows Hello for Business - href: hello-hybrid-cloud-kerberos-trust-provision.md + items: + - name: Overview + href: hello-hybrid-cloud-kerberos-trust.md + - name: Configure and provision Windows Hello for Business + href: hello-hybrid-cloud-kerberos-trust-provision.md - name: Key trust deployment items: - name: Overview From 80cfe3d35c083dbbc37b39ac080139b0daa92fbc Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 22 Feb 2023 17:31:11 -0500 Subject: [PATCH 06/37] updates --- ...o-hybrid-cloud-kerberos-trust-provision.md | 6 - .../hello-hybrid-cloud-kerberos-trust.md | 180 +----------------- 2 files changed, 8 insertions(+), 178 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md index ebc0397734..2f5c77dc3d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -234,16 +234,10 @@ For a list of frequently asked questions about Windows Hello for Business cloud -[AZ-1]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises [AZ-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module [AZ-3]: /azure/active-directory/fundamentals/active-directory-how-to-find-tenant [AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd [MEM-1]: /mem/intune/protect/identity-protection-windows-settings -[SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services - -[SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e -[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f - [TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 9ff6844d93..a8ea65e53d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -69,187 +69,23 @@ The following scenarios aren't supported using Windows Hello for Business cloud > > To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object `CN=AzureADKerberos,OU=Domain Controllers,`. -## Deployment steps +## Next steps -Deploying Windows Hello for Business cloud Kerberos trust consists of two steps: +Once the prerequisites are met, deploying Windows Hello for Business with a cloud Kerberos trust model consists of the following steps: -1. Set up Azure AD Kerberos -1. Configure a Windows Hello for Business policy and deploy it to the devices +> [!div class="checklist"] +> * Deploy Azure AD Kerberos +> * Configure Windows Hello for Business settings +> * Provision Windows Hello for Business on Windows clients -### Deploy Azure AD Kerberos - -If you've already deployed on-premises SSO for passwordless security key sign-in, then you've already deployed Azure AD Kerberos in your hybrid environment. You don't need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business and you can skip this section. - -If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enable passwordless security key sign-in to on-premises resources by using Azure AD][AZ-2] documentation. This page includes information on how to install and use the Azure AD Kerberos PowerShell module. Use the module to create an Azure AD Kerberos Server object for the domains where you want to use Windows Hello for Business cloud Kerberos trust. - -### Configure Windows Hello for Business policy - -After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). - -#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) - -Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices. - -The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business. - -### Enable Windows Hello for Business - -If you already enabled Windows Hello for Business, you can skip to **configure the cloud Kerberos trust policy**. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy. - -You can also follow these steps to create a device configuration policy instead of using the device enrollment policy: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. -1. For Platform, select **Windows 10 and later**. -1. For Profile Type, select **Templates** and select the **Identity Protection** Template. -1. Name the profile with a familiar name. For example, "Windows Hello for Business". -1. In **Configurations settings**, set the **Configure Windows Hello for Business** option to **Enable**. -1. After setting Configure Windows Hello for Business to Enable, multiple policy options become available. These policies are optional to configure. More information on these policies is available in our documentation on managing [Windows Hello for Business in your organization](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). We recommend setting **Use a Trusted Platform Module (TPM)** to **Enable**. - - [![Intune custom device configuration policy creation](./images/hello-intune-enable.png)](./images/hello-intune-enable-large.png#lightbox) - -Assign the policy to a security group that contains as members the devices or users that you want to configure. - -Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog). - -### Configure cloud Kerberos trust policy - -To configure the cloud Kerberos trust policy, follow the steps below: - -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. -1. For Profile Type, select **Templates** and select the **Custom** Template. -1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust". -1. In Configuration Settings, add a new configuration with the following settings: - - | Setting | - |--------| - | | - - >[!IMPORTANT] - >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID. - - [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox) - -Assign the policy to a security group that contains as members the devices or users that you want to configure. - -#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) - -Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business. - -The Enable Windows Hello for Business Group Policy setting is used by Windows to determine if a user should attempt to enroll a credential. A user will only attempt enrollment if this policy is configured to enabled. - -You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. - -cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration. - -> [!NOTE] -> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources). - -#### Update administrative templates - -You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows client that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the *Passport.admx* and *Passport.adml* files. - -You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows][TS-1]. - -#### Create the Windows Hello for Business group policy object - -You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO). - -1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory -1. Edit the Group Policy object from Step 1 -1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business** -1. Select **Use Windows Hello for Business** > **Enable** > **OK** -1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK** -1. *Optional, but recommended*: select **Use a hardware security device** > **Enable** > **OK** - ---- - -> [!IMPORTANT] -> If the *Use certificate for on-premises authentication* policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy *not configured* or *disabled*. - -## Provision Windows Hello for Business - -The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business *cloud Kerberos trust* adds a prerequisite check for Hybrid Azure AD-joined devices when cloud Kerberos trust is enabled by policy. - -You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\ -This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4]. - - ![Cloud Kerberos trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png) - -The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined. - -> [!NOTE] -> The cloud Kerberos trust prerequisite check isn't done on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory. - -### PIN Setup - -This is the process that occurs after a user signs in, to enroll in Windows Hello for Business: - -1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK** -1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry -1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device - -:::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business."::: - -### Sign-in - -Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. - -## Migrate from key trust deployment model to cloud Kerberos trust - -If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps: - -1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) -1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) -1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business - -> [!NOTE] -> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. -> -> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails. - -## Migrate from certificate trust deployment model to cloud Kerberos trust - -> [!IMPORTANT] -> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust. - -If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps: - -1. Disable the certificate trust policy -1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) -1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context -1. Sign out and sign back in -1. Provision Windows Hello for Business using a method of your choice - -> [!NOTE] -> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. - -## Troubleshooting - -If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the *Windows Feedback Hub* app by following these steps: - -1. Open **Feedback Hub**, and make sure that you're signed in -1. Submit feedback by selecting the following categories: - - Category: Security and Privacy - - Subcategory: Windows Hello PIN - -## Frequently Asked Questions - -For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](hello-faq.yml#cloud-kerberos-trust). +> [!div class="nextstepaction"] +> [Next: configure and provision Windows Hello for Business >](hello-hybrid-cloud-kerberos-trust-provision.md) [AZ-1]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises -[AZ-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module -[AZ-3]: /azure/active-directory/fundamentals/active-directory-how-to-find-tenant -[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd - -[MEM-1]: /mem/intune/protect/identity-protection-windows-settings [SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services [SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e [SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f - -[TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store From e477bb26b1ca82ee844addaf83d059bc9cbc452b Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 22 Feb 2023 18:00:43 -0500 Subject: [PATCH 07/37] updates --- .../hello-for-business/hello-faq.yml | 2 +- ...o-hybrid-cloud-kerberos-trust-provision.md | 50 +++++++------------ .../virtual-smart-card-deprecation-notice.md | 2 + 3 files changed, 21 insertions(+), 33 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index a4f6503fc1..8c72724ae4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -196,7 +196,7 @@ sections: No. While it's possible to set a convenience PIN on Azure AD joined and hybrid Azure AD joined devices, convenience PIN isn't supported for Azure AD user accounts (including synchronized identities). Convenience PIN is only supported for on-premises Active Directory users and local account users. - question: What about virtual smart cards? answer: | - Windows Hello for Business is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business. - question: What URLs do I need to allow for a hybrid deployment? + Windows Hello for Business is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business. - question: What URLs do I need to allow for a hybrid deployment? answer: | For a list of required URLs, see [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#microsoft-365-common-and-office-online). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md index 2f5c77dc3d..9adc5f4432 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -29,8 +29,6 @@ After setting up the Azure AD Kerberos object, Windows Hello for business cloud #### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) - - ## Configure Windows Hello for Business using Microsoft Intune For devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business. @@ -41,7 +39,7 @@ There are different ways to enable and configure Windows Hello for Business in I - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group - A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. Chose from the following policy types: - - [Settings catalog][MEM-1] + - [Settings catalog][MEM-7] - [Security baselines][MEM-2] - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4] - [Account protection policy][MEM-5] @@ -51,20 +49,20 @@ There are different ways to enable and configure Windows Hello for Business in I To check the Windows Hello for Business policy applied at enrollment time: -1. Sign in to the Microsoft Endpoint Manager admin center +1. Sign in to the Microsoft Intune admin center 1. Select **Devices** > **Windows** > **Windows Enrollment** 1. Select **Windows Hello for Business** 1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured -:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Endpoint Manager admin center." border="true" lightbox="images/whfb-intune-disable.png"::: +:::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." border="true" lightbox="images/whfb-intune-disable.png"::: -If the tenant-wide policy is enabled and configured to your needs, you can skip to [Enroll in Windows Hello for Business](#enroll-in-windows-hello-for-business). Otherwise, follow the instructions below to create a policy using an *account protection* policy. +If the tenant-wide policy is enabled and configured to your needs, you can skip to [Configure cloud Kerberos trust policy](#configure-cloud-kerberos-trust-policy). Otherwise, follow the instructions below to create a policy using an *account protection* policy. -### Enable and configure Windows Hello for Business +### Enable Windows Hello for Business To configure Windows Hello for Business using an *account protection* policy: -1. Go to the Microsoft Endpoint Manager admin center +1. Go to the Microsoft Intune admin center 1. Select **Endpoint security** > **Account protection** 1. Select **+ Create Policy** 1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection** @@ -79,36 +77,18 @@ To configure Windows Hello for Business using an *account protection* policy: 1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** 1. Review the policy configuration and select **Create** - -<--> - -Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices. - -The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business. - -### Enable Windows Hello for Business - -If you already enabled Windows Hello for Business, you can skip to **configure the cloud Kerberos trust policy**. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy. - -You can also follow these steps to create a device configuration policy instead of using the device enrollment policy: - -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. -1. For Platform, select **Windows 10 and later**. -1. For Profile Type, select **Templates** and select the **Identity Protection** Template. -1. Name the profile with a familiar name. For example, "Windows Hello for Business". -1. In **Configurations settings**, set the **Configure Windows Hello for Business** option to **Enable**. -1. After setting Configure Windows Hello for Business to Enable, multiple policy options become available. These policies are optional to configure. More information on these policies is available in our documentation on managing [Windows Hello for Business in your organization](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). We recommend setting **Use a Trusted Platform Module (TPM)** to **Enable**. - + [![Intune custom device configuration policy creation](./images/hello-intune-enable.png)](./images/hello-intune-enable-large.png#lightbox) +:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png"::: + Assign the policy to a security group that contains as members the devices or users that you want to configure. -Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog). - ### Configure cloud Kerberos trust policy -To configure the cloud Kerberos trust policy, follow the steps below: +The cloud Kerberos trust policy needs to be configured using a custom template, and is configured separately from enabling Windows Hello from Business. + +To configure the cloud Kerberos trust policy: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. @@ -239,5 +219,11 @@ For a list of frequently asked questions about Windows Hello for Business cloud [AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd [MEM-1]: /mem/intune/protect/identity-protection-windows-settings +[MEM-2]: /mem/intune/protect/security-baselines +[MEM-3]: /mem/intune/configuration/custom-settings-configure +[MEM-4]: /windows/client-management/mdm/passportforwork-csp +[MEM-5]: /mem/intune/protect/endpoint-security-account-protection-policy +[MEM-6]: /mem/intune/protect/identity-protection-configure +[MEM-7]: /mem/intune/configuration/settings-catalog [TS-1]: /troubleshoot/windows-client/group-policy/create-and-manage-central-store diff --git a/windows/security/includes/virtual-smart-card-deprecation-notice.md b/windows/security/includes/virtual-smart-card-deprecation-notice.md index 3301533e05..dea207534a 100644 --- a/windows/security/includes/virtual-smart-card-deprecation-notice.md +++ b/windows/security/includes/virtual-smart-card-deprecation-notice.md @@ -1,4 +1,6 @@ --- +author: paolomatarazzo +ms.author: paoloma ms.date: 02/22/2023 ms.topic: include --- From a19cc371c62fa7827db17d4bfa03e5f4bccbd441 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 22 Feb 2023 18:09:37 -0500 Subject: [PATCH 08/37] updates --- ...llo-hybrid-cloud-kerberos-trust-provision.md | 4 ++-- .../images/hello-intune-enable-large.png | Bin 80342 -> 0 bytes .../images/hello-intune-enable.png | Bin 74741 -> 0 bytes 3 files changed, 2 insertions(+), 2 deletions(-) delete mode 100644 windows/security/identity-protection/hello-for-business/images/hello-intune-enable-large.png delete mode 100644 windows/security/identity-protection/hello-for-business/images/hello-intune-enable.png diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md index 9adc5f4432..888a64e3bc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -77,8 +77,8 @@ To configure Windows Hello for Business using an *account protection* policy: 1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** 1. Review the policy configuration and select **Create** - - [![Intune custom device configuration policy creation](./images/hello-intune-enable.png)](./images/hello-intune-enable-large.png#lightbox) +> [!TIP] +> If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Identity Protection template. :::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png"::: diff --git a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable-large.png b/windows/security/identity-protection/hello-for-business/images/hello-intune-enable-large.png deleted file mode 100644 index ef991440422d1dd79aa35b236976470fcdbeef60..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 80342 zcmb@u2{c>Z_cyE)ozQQ!Ra$f~R?!-32vu#>tQ0l3RYQ!enV8xtRYlDuh}Kk7)LbI8 z)z%OMK`Kb7AtEA(BqAhl`fdCB{hxO|&%4&U-uJF$$-O!E-gEZZXP>=4pS_b{ZmQ3F zQ1~Dh7ZGZExc2Pb&&|1l)_-2X`L`>;LjM{Ubl^0BbF$Z6*F=|#t2X7( z_WgaF^8=4=*#>ZNosjtTx68mne3grfU1D%u_fDwO@)S?Rv7oK4HJ(B9VxGN6|Jf~l zLwB#t?sLP-!s;-Oy>m5B-#slT+rRh7+6LF5d%A1qewe-b0le^Z-`>m8Pj~BHx*9v^ zb*3k}05{<6rUvUNjh~~mqbCQpOIMb~Q_0)39DhexaQ_ibH~u}$3wtMO{+<+aWx|M1 z*y1k!KUc2qk_|DyVfS)6`1?3^$#C%RXY>90r+581k>2}1+U(vP`nS!&UAwgYetup! zDG>>B|1tabLdJp2%F!&tG4oo(AocPG$IBlL_ml!io0rw2HeR0wG?*nX<0Rs%&({3+ zJ+3!LS8tU&(UsL(9vp{BfVz@J(;_ulX?tW0f{hlXb@%-35A}jIRFVpAOkYI}99EC8 zX{~}55tmf`pK*!)X<}YsRUTF`qC?Rt4>jb4eY0ut&(XWo3iZ`%K7QdpBe+^#@+55P zru(>MyQxO`(~ci{V(@ua3Wkk~A@yh)X&pK7)tM!^rKKNvBlbH2qv37o?DC z2OYv6i-8Wu=vX!bu8!xd&m#=(baIcGJ70)%C6NlUvg9>G$eB8-5R9+I`QKL1K4 ziD-kdeDcqy-_pLjg$oBCaGS;VrD~Ez&r$G^|0us8p_*$(Ds4LM?g`~>DXMAt-gbev zaaL!u@JFW)AO#;n@DxEX7k;Szz<($Y@}>R=WburtC$sM*0~I`n&>QKR`CE3kCYfbcY6{XlXNF+KBwBVvJIMOA?<7ZTF|=~1-@*R0@oJL# zIE>nKlChYM>;nb!4=|Ck0Cd1loeU><_=FrI#B`!*9fx)Y>vkO)-r+y2Mz%-dI@#eP zzWsMv{Er9lE-KdJLMuPfqu*V4fehP@m706TuagG$BltD{tL2joS}(JVhu#)bHX_*Z zgh=*Ovk}Sq@-Ok^Ij!9=(4&p{VBT2B`&8MKs3}58f`+|7}#C#?$Iuc%Q?JQn}Po&p z76RlvTNt*xIU{Vkp!tP4SkhS8^* z=X(;&x)nOAvbcGLZ)IM1LN4Ak8gH>=QARr8ogi|%3sOeC-LdtKZ|jUkOEtTHol;>H z>_w}vs+6QI<$Dg8Nz+IZQb9{2slHS4AMCX-jhber+63`{$ijPoN9;>2TNSc>(Xp9# z{v)=9j7*u8Va2zDPLnGIWL98-yk$niauPRD0e)p_PSeiwCQwEY52gvn$mW+J7VEai zBVI2Hv%|9G9ZmW}LZ-raCmKysZt%!4fAYboKhoH&i7NX$f$a055w|4Sc%UWP(K$bN zi_5?4LFN+eu5}j*B`ybeWD*h$1OojpQs3NCjf|_Guz8{rYlUzfskXOCOG}&EK%MFV z`}JjoV51Oyu$k}RxdpIas*ajp*8BI;3|FdW*qk$4xkM!n3#wWEQLDFdIwIcII{EP*{hlP-}1%5(;F+fFfBC^^UqtHv*!`*!Y0Ll@iViLFf zh$#zf7QG;1eNEpDobCL$!~sMK^7n*?mkQF7MWPW6cu2M@BI-2_pD%U!@}54{g*)%h z#Pf?~S?N?~5KyH(CE1RWXxyWsyue`tH%-r-EuCWPe!HViWyw=N5Bz{cZQ*R6dXa`I ziJD|IB}$YyUh;h+r`m0<7$teH)>bwsjse*T{_m z%bTixEX&rA4s+i&h8xiiC@lqvs5=b^AIT%)A)tXt>EU5Db_m{a0luiF#&`P4nP^{( zxO;wN6B5+2vUO@MH)^L3pYFR8v(&iR`zpJi5sU>#DZNXj3K2wpdfhN zXFNv4F`vG$;mAc^u$1I0x|5BDS#;FKX?cfBxQ&aePL@!YF)wmW2P-YxIechK-Bg9L zXXoNh`$`BUU<$RBN6jNpD|GZ*9e2F*>9xTmKmYGS?!8ZTn0r`gxfq7 zd?QDrDVfR`C5^Ip-?%zs-CWuiqq_S$;bDXl!8QOzC8EZTdd!mPI2DARTHuaHsV^TR z;=)3(Va<1{t*yR)OTO&${DzL19H=M=D0^fk{LFosj^1aO%!`>flXZI&)RJWH?RvKE=tu$!Mn$jIR zwFbeY{;lfs`j|DBb##ry!smn8pQa8=pvD@qF&LQ{DW=GA=! zh<*25+z%)39M#gj7b^uh?WS;cOraxu9qnvC*Tib>Rqpq zNloK1_F8-drT>Azg{2Qauq-uPgv(RssWK&a0N#|jKR{p4h*uJAhc_{ryi;+fXY$hE z>=@;7*YxLw(r*ho>TQcW>mVkq-%Ii)jR!w+6$mLR+^ymDq8o{4%hSTW`#FemRLabhQ$? z08IJxW@N-=eGKf^T_@I_{a(_f3OUb?NG>u!NiJZP1S5m8RvlgGPW}{iG}Lhd6K!eR zzRV+_L1aeW`}%AQbV~^mABWkhM^}cdwyupk2Cz0ZH{9!)Lzt0QzgkMyP48*8& z;0VpUv5G zBD(Ds>{|+%&r8L7Umn-V-C1NgMG^Lm!$N8fJU}T8&nF^v(u?$y-^`%Qv{eD$sg)L- z?f;V48`{zsVcBqT@v=sTH1%y2s}UOQ&_2066c(|4#lUdO$h6$zTWl>x$sSom`zY!w zhO1O^QdK*!4P-z#o8Uy=o=Am)Bkir@%~=scgQ)T3tj}RT*Sbs;mgCAG@{wD6JM3Gd z*--+*#P&w_dhU`k6|MfgV>o;KB{|YZ`sCalJN?crl@91-HJ!ZpI*+?~;mdD=MA2`6 z&G+eiDv(TH8yy$`M0<0I-nZb6G1{x6T@o@zJ{bx#j$E;&B)vMW!}18f=e1d_5wzs} zC1k3-AQ~R5{59BPbFziPSok>W1O{H)E`x*{Hu+4rd5%HQGg=@6_*%oj^7%K*SR-F; z{Q0q#D0VctC$_5#5kcHpS|c`As}*ekwpmQFq&bqHbMz@kW1%0{4b>}0Z5QmqmWTA) zbX;1Y0gi;E?8h!H{S1cx&@~z7w@(|q$9u6)@c|GDi@6X(ODZ? zgG5yc*D@{oveE)r*$=)J$7mTj+=H~MaE6q%9P9Zsg30IQj-K)#+y^S zF{qY`pcR!zW7D=BCez;fpmXF+reA#|2_V+T+F{Oh%_I6ga$F73vDWIgEh^gC_`us> z62>SS>Sz*n5^#cEtI1kR@v268x3k1U9On5X}Pmx=HhPsfeS&>g;Xw`33IYyiNZ8pzvXX z`wDd*5Y+0F;{~3p)^;Z(Ps)i^k6R7XMAktM(w22X?^>jYWV>{sj7Kwy^erXA z@V>Ti`JufV_oW~Y#|{K*%EKa$+i}%27{}8L{l?#wmOBXwYQLG_|dg2)GyGHEh zB>${Q51(A;Ix=1?wO!Epfx>Ohwfn!q=>_>PUys4XL8tNg-udk{;HJ}2IfoCQ_Rdq6 z&}ucXorGkTeXaYIum+|sNOS|(=fN1K9$j0Xgi;tdeQ#pcru$|l=9V%=$e?X`Hf z-Ve~mhK)XoeXWIrz&#it$~oeGD_v=1X576X6%x(&C`2p99B1UD?Vjnm^FZ2r#f3ue z|M^WDe>1)r7lkSShiqvbV3U^ch18i}s8?a3$Dl24ORa*B)ld%}<3bNNnO>@pFlj(H zL@8}v4}IiyAH@g6q*@>|J1IW+XQj{_GnPMV=gR0TtUm#VK>jJoyd#?5ts8s z8Hl;~sAlupJC()8N>T@el|pz?S`!|b6Fl*hLD`Rca^$qm(nKvRqQ&2${K1K(^02xfwN4C4LZ4x zI#sqVQe<}m^w^Ot$33}f;6u%RIJaK#;%b*z2M8qNuHRu@^!ah6wfnf-IEu$oR3r43 zCz>xiQGN;7{4#Is!&{D-XAGXPR1bQ`3AY{?);D;L_QE>c-1F{d-Nwk;g9gOZ{qNAY zrFU6m@ZF8BQr`3)d0$J93|yJC<+wwx-=~zXKphdNO1tc&m!1#8{k_J;L;~Av>y_Fj zhFWKX%mAYsH*s)KGf?&*X4VeTzu2iY(X4~qJ7lNW4avGRRDcez|4Aq-P=-^dkh{AR zvf_snFT+AeX&>3`ZoEp>0e6N9yc{((Lwbis?v&eA=c?QAk)~EA+Xf45I($QWWvon6 zeDU^&H6nIKvr7+KNc)HXTD^(60VHKV?3a;*zDk@g!Z>`Q7A z4XQ1)3pTxNZX<5UYnZ<8-}VexIBvCXrMrBTz=6DDTad_KAMHM}O9 z*gD(uz@fRoa=XTt%bJgF1(zT&T%rKQn;w|{OPh$b{#bvriC zV!W9G1v#@0s>IlAJ<8SW3e2SFr> z2w-=!=ct(l#|>fV5VPs$Q<5_dm}$vy+!K|Fp--m7Pdbbdlt1zVbB^OrDuw{^?_tIv z+@D*;z}p&5>n?@2$((`5pF!&SD=(d91KM5RgXdxZcgkR2`@ zxiaPNMp;n2|MNP9#f=NgCaA2KP58nhW5W1btF)!>kTaroMs3^%kDl2&6j?{rrk)gy zT)r%j2X$nE37G|grsfs=AK^3%@oAJPE6bK_L7?*O7C{TRp8Q98W+E@Rd?D~vgt$r<|Yq$=U1HahXYjwXZ&9ft3hkx06e!|Jeo_v`ZIFQi3 z)X}A}f&$*$plyG4ECmoFp&^tQj@;n6Bm@nQRNI zKhO)JExU$$dgYVvm73&xif)Il_edGh4}sobu&u1XO2_6heuCDxhD^3&aLd<8?N6~p z4!nGp4I%@`tcIJQ#1nEQ`YDNhViu9_i+t5IF^FhR5Hj2VR6=Q9(Zp1?+SFjNGu!fx z%j)B(Q-}TF)KbD*XcxMi!lM>mk@jFNpaNnLAHW!_Jo43N*(QG9( zo(vGNZNSW!mh$!L8W_MSn2k5yY!`+ig{abTAqnd4C(F z_1+5T0sZA9>f&6`zJlGZ+0JK^gjITJZ(*#zs>H;UJ9j)eFlOK6DZxV%yQF5iG1HZh zkgx!jw{Z+=47=pDRC{N%-l+3V`JLOQyfrx`fv@xsy(7Fe_ru}(dBXB46_BHWw!EZMBh_-5 zvSAnO7qtVOKWD&-{m2nooyR4fV;_YszK!qSM47QCVq3aT$+6#sM8h_i;yNZ*tBp@40t_O;wMBbo>kH&5Xy|M8=Q{3Qq3pa4G9=fulvlGNqtfp9#K%I z6!7xmB(1EgR5y5?M&ghWz8fPpe#6B%>Nn-Ain^RKy2@16*^KEI-W|M!a9rcDq%6v= zBe@kbsTR%m1AyiV4w$CiZJN=CM*t~|I=c1&RV=M7AbWXo9d`PbL7jd5xflhB{nM0{ zcBa@R*ZZnfY`tU=9eES5vPy~dMhdnA5^?Sx@bs@0esz3Ko@jA&_hy=5hwh_(m7QWI z_*Q9q`>CV{1gSp;HXch;d%@w;QXHyg% z=#GqF9zbuzsnToHZ zjbnh%6YkXjolVGgV~^#R3!2YaN34H8ii_)IBKJH+n=x1x2XZ2)a%i$xa>cd!Qj-Uy z$A6m`<~z!0&Lh84k2>Lh?bxkTxtbHrl0A4axPrZ^U!A@G%>%-J8eh$MOj9Qn_qX5; zsxdRcMzmnEVQMTSD#JO-3D_K){9k%+LD~D5M46iJIqIqFhDmmf#TF&Kr90iJopm8} z-|==i164nav^~pMnG~kW^&i6X?DW~Hzx_J)eDYRq zcsv;gXH;&x3^{==plCO|N+!V*q;iV~U6Az@{isa;sLoht5`*z@V0=!eBqLwt_k)l9 z!y!_?`Lebdb*_jLpbO0xdYT20X@}iUI$2o{uo|!Ws*aGyzhIosm;0FsmTcz>{Jt-P zLnmJq^+1M{0A?D|Fj^GaX?39UZmMSF)<$ZHQT7SrX@}<2Hl523qRw!A?BxCC{Fs9q zdB1NiyvvbaSm4k2RnUBY&&sfzSLAN5vWH1o4QqY4GdOh;O@me9J4wl#*9)3WQaf>P z+QB)z$uymA<1Xqv?Lx`hgG*C^HaV+pW)`k#x~R%(^Yn0D(UQ$;^$C9P z+H{w-UU*aWnUtMnjREJ7UO5XZ?tE7>P}smY)5na`7VWj!RPAmWOx}U1Sw3_XbI(W3 zeGV^Ge;E6RxR;XO9eM_$92+9qUQuHz?VPt2wg=aD-yU+1=72~Bth160*Gc`*r3LrV zRJA41)Eg_<>FQ3`Vv*~RXj2IyTejyJz$;XEK;wpJwo95vct1JwM&TD|t5gm^a!1s|55NKZ)^ zsd=OF26>-}$3N9?a>7*dY<=W?y4rnLw>q_ne84LYjBaV|n%F_C=R<_-Bsu&;Pje+4Z-ZH3#T4P(s z)N!cgq9}O!jV3YPBZcuFcEA9i35;kKci8@!Lvw$1w41}8yWXD4T~BG%kML?>x9V~> zPH{l}h&KQ8F$=*KS8FUNw2~8f+7AHeliU0H7e1Hs6g#p@gI|k&sRgR%kMg*FLF&(~ z1=P_Vs|DtW@H~7^JX?X28}@N)-hr<#fOANaUy&ud)&J`2366ww?&$f7M&-8EPRS>| z>-0|blhSw_v@%K_zt&zIeN{LV@!_tXyy%w--TJsbVO4xGe&z!&`5TwKxaulaaXfr6UcCQFD{BV;iwI)V0I>_@n=99J>VA=!C^tu z3LX6Y{o??9g)j2Mm&$2($5o?Q5x}8$&wt@ezPtWR!}M2uF8*WZ|7KnkZoJ#e`+I)4 zxSsz%Sk0G1wJu$Ai$g`Ue=#)93x{Jl^Ldk#0g#rJj5Sv7=`^R{3)$vMitZs_*W%T1N{CQtu~0fEeXBQn5S{e-kyhN^IKqY?7EM z1~okhlTT4ji2=p;;kVQa3eIwPmiagBrDb4M4xyR{pxM{+aq(aK&!~HCxN3C6$vp^H z4()h?{Pvc+vNM+)v>^+=yYAIB+ecC!a)G87lbd#j5h$&r+(Ik zke!48;SFK?Oao)dzeRhMkcsEQ5*W}YTMQo!!>{H4NP4KjarrjxAIi=z-MA&_H9j?_ z(JBv^d6FjlMXEa^7;gv?SxL%125bCkz%mwHD(@OME3GnYJoWhJtyHAgiZ8U@3u1Ca zTle1=m}BPDW5|k+%Mai*8&=L_R^CyWcS|k-^$vtOD{YrnqkF9?47$efIYA&(J6}J! z=u$I?e7ZG*KLLq>NZ9BoekX$T=Js3ts?AwosD}%y`>#)2>3i znqiF1-z;>{JWrI1T{Rs#I;CY?>~>1X|NbG^XjW&d>ow1`D(1EbgZ?6Fedz+M`aQ`Y zV?Lm)r~64tFTN)jT!h_sbgJfgtbqzJAjEHtx%c;4G7Symn`Sn>KMO#+;&D)|4Xsl-^twFJmyYW(i&67stW$z(B5V_wZ%wWL8RV z2hLtPA%0o4IUN3Q#9pWS<&DRR?|t4(c_4sOif862Qu7P?kc^NH!~d|<((I{RyCepoHSP*MDWEo#s} zo_ZMOulXok1v2RykL`rN16?po?Yk1TeJZ_9dDQ8<{=2pboYTS#QXFBw zo_cPLt}#(B7VMRew$a~67cH$$-+&Wz!>AzU=HzyY&Nn-96f#U5hp9mdGX-1;AhTXQ zwQ;;j_E3QKnuzU+jXl711@0Dw`ymmW*uDH@;4)TrEea9OvUS6B025k*ecKz-;f_dV zUfoE*$N^+{lggO^W4o;GO{095N1_MwsF>9<=8y)9#bnSy2yuzQprvS2l*Pla$s)y1 zPC9DnEC0@eGy~J*BfGY?rmGh!6@hjQ9Dirc1(;Tv^T?$=LZbr>Oq$(4dVrOjvq$Sx z_PKVyJ}c=RV%W8q5V0|&4_BGdE4j~lf4k`6os?s(!>mG*1Eml?Aahxk@3C0wVjss<1GFuy*Y>=( z_Mv~J{pi|(6JG>FHle)|Qc`$XUgvfd6JPdfOrwO?7mP)G_rdk0`AmS4&ogc9i-_iu z97gM8bWOztk#iS9-FCa)WvtIjsHj+-J9ln5>uE7O(dA*2P=}S1y}Co*4_n&Bj8q#f zX$bg}is3u4gv=+A?}}TO)4wumx<4kYrFooa2oyO_DM-nB1X7$&=ScUqk+{{D;{Iv; z{F<(agrf07c5cYSIW|DXCeNPzyETZp&K}kpmO#`nGlCKZ>Ayse>fO z*9T!+X`bhR<#o~Q+o^MA^KZcg8S@&H@A&yjwr1BwDbD7k68WHv7A$%Np&XRtcn0a{ zO1hj8#2+ciPmQ>9g0K;UM1-USQo^_vTXSr>`z_O}T>V}P3ho$bJY)u%lXl_kzk^q3 zsYius^}Z-T#EY2u=YuYk_7220yG|C>+KP9$!2Rt22L^JcTZW6$(^ zM?5}I^gM|YW~&o6Ml^qMGVx^^^fk0He}z!1AqrTH!Q z6Nn?s-S6*K=f>K0JPlymz7%g4Igi$!Cv?asfqM4P`7@2E^&_*ku&Zu<9x_F~wZVbi z8r(z|lh78}VUWGxiZp)*Rjj3IY0H9%0innsdY7 zM{gvrWW=_Z^>zzph50^G7QNut9ult{!YbZ`pp^X5*{|AfW9~91vM=e0h6iRP&yjuzYX-vS0qoeZNePDShn){MBW_g>dL2KP;C3v8D9U^Qwtbw)sx zIG=NOEBWH&oDlW#d#HnsYusUisKiWbN8HrhlQsH_bbW;_f_uGB`4KmfL{YPEeY5ZH zPWjfy#qhWva-GVB&uyI|wLmVWLI8{opX!S_vxILVLIU}En=1+iUziAGSj(0vQ+NT@P754PL>Q*mQMMea-`jV~J_dXU=J87Le?YQVxr}J#D96 zuHyF^U&@yWP3r7#O`VEI#KP=<1PJybJGLTLpZlUpP5g&$2wFC>bNLV$y~j%6RSg^%#v zKF^Kt0o0$kdw@7;32p9*tg@G1lRSK)rM=m&=CM_^i5lVF_p#nI=RJ2el3!#YwgpIT z_#ec(O)GtGvEjN0()nx-(_(+dYrnoB>!`cjDzW}n#_OnzO-Rrej5#&!lzc*6m(uf~ zkH*lZj=9&ZQ7)hC@ct%d1iNpdbURrD9@91E{$X-R_3ERkO~sbCDF7A&S*JRJSqR&_ zXqgqY#2AZd+@P}C^f3?BvAch2G!?Mbu1rV0lW(~lj+uo>ZM&r~UM`2^1g_evEnOs! zN*c)A2xx41zTU?pI`FStt`bto;%)b->+85m&+a@gK&G({nBsDWEXpAqjJ6r7`5mdyigMGPHt-*3jnpP_!=Vv3;A#(ckAuOGRL zJNrb#B3`ZgV$E>$f?3@I*VWHjM;c=jmtC?iKkgk2MIblQ5UqI9W(xNb1F{9KQsM_T z<`pFR?HWlqLKed19xK*DMvdoqr&t5en)K+Aq!;%4uP_f{2IUYhJ`3Ie@W zybSeHuCfv!ciR8!6ki>m6>HZty!N|GCdDQpu!!zl+oK(mGPG0~U{qU#Zwm8DQAzU( z4F(zK@6k#P6Z>A_>XFqm%uq58d-LH`O?JU9qn^1r5!;Q(7z$%ea~%r6HU>-#fZccIbJ?49Zu@v!;%P=kYw*a+XoEBblO z@WuI%hmJ8j;!*3Zkx6j|8!au>qrZVp!^C?tu%eH8p`7@(@7F5eZvt6M^(^ynBR0Mz zq}921ESs5Tlqjua*h?xP*3C_e+!R_=z6*RVZCAVI8@(-J@Z&*s8NtV{!Zw;Q*`w%P zy7L;nU11@oR8_z(zc?HzA=QmH(p!uY8E(ztcQJ9)(sRnG@e?&GLg3{+L(`C zy@J5T0<`Jk246rf^X*+E4B?;VUXkp%(wbluf{@Y(tLmuh7W-RwM$3V;hfVqC5)z$L zVcgm>3*I&aNtXu^DVkOOZX@h@_e1^RGL_otB^VcNj!ssdnqwJhfo?f!Swls%Y=7EF z*mnIqjl3wth$Fi@*XCMwyC+<8s6hW{{f#?GfAJAV%F9S?J^6a z35)@(R~GY{&3-!{d7B&Ko}a&j#0z|ZK{~DPaKMDR_Y5D!@JENt?t-Lso!}ji4br${ zxC6#44*o$8TA*P7RXenGC|&g#`@9}zDYv}NcOYGH+S3a@fH!3F<@arcd>cqB(XEJ^ zvujKqM({la5@Ah}x1MG}5>8&sZd46epSBiKygP^b z0oKCT=@N+R%4jfuG-NwlmXTaBIoC#VRu{&eHSQ=q7lUIFY|K+@K7mqQW4SiRswliqxX znS&ui=-;*4`yuaNnF*?JG|l*6x@t&=gqWF_e0Bpbeearu$vgR0E6KLwQv40ozIMBZ z&xC#79Y#seoJ$+HodfTyj5VTIbGAkOf^0VLhSsDqTX{9o{-z`P<`>c#^(v=Rz{j4_ zGQsbOO|Oj}D5f-<^py;^Jq4ulh&=dN6%bIl;q48{$-O;1vp%!_lj#@sj5v9atl@x- z&@sLFZ6j@AAh_C0t}RTzWlozI5q(1Hncco0!TnB(3mqlplbGe`-1 zfL%}v6`^Y^L}Jeh$kSzciqwuc3Fn4sSE;;{Kls)S^!yP)<4fyJ_vBQTVB>4)GV#}< z_IRWDC+-W~Z9*ZTzQ+Fwge${*o>OX~wEURsMpXo3JuNr)!ax5ESl+&UIt`ncS}Eyi zknXFvRF9X?_{x(LUVLjC4tH$}>t3o}$Mnuvm^X|4e$1l>MI2v6QQjac${Q_54#?T) zwc7j>c<$u@X@$l{j@0Bnr)rn`{yQpgMWbI;X}=D}blVD>qEbq64HsTS4>^}QRP2f`-L4vO>RM!Yqy1_mK{Kcr9uA#d>b?zbeLK+ z78-A=ylzzqELG61PB;u4$G+Ml?I7zcd{JR@^8AD(klm|+1!%OV zRD4g4iYKVd%c@E|=z`UnY2^z`t$DXe;_*fTstlno7Wt5q1s$C4eA*i7VC&7iNkBne zG;Ldqi-IO-nd_awsXhkK*P#<`*t;iX@Ywa(Wt|s!?rJ}jx1)4d zvV@e}x?img)%mpIORpsqscGGeJok0uw^&^D+jnpJ&-dn_F_{+-U-<+L(BZuO4Nd6% zmC`A!%@Xky+^plkj4`trCc?qzZl;LJaR4uxkn(%(*Uz}ijGlEgg>_Z?&75rs;Jhhh;w&{jubPY;Z5)Bm%9|Cj1Z_gv&2Zp?&jO zsR{U|+2b=()CmJAhORYc{(h50LSU-~X0*wqX=n7RX|pEWJ*#TysDeUwFT`oT!|=CJ z?M;ae@cq)_BmlCpz)bzL&G;$T@EQ=ESOo^xsZKnk(71;S+W|n}k?~K>WgRB;c|dT7 z%gLQJL(6wveH22;iZ=8JXbgr-r8pUr>7nCI0BqiQdduUi{)_i#8HcqmcX4v*e%H8t zN|1I2OgGN;sU+Fo3M^7`-8M6tBS1Q`%QR>ii{IUQ>qP8HB@s97lwX*|ID1@UPFCD5 ziZd?IvK^~&RsgH|DEio`ekX|NcnqHTm6r>&5gyT`OuD*rNQ^m>qnL;YX)3D|UJ#uE zqPH#6$|lfG+lKU=5lgciRd*4Qz{&A}l_^+%-PO+?XLwB~Bz3mmzg;mTTIqS3O}P0C zrzsB`U|OCMjb-PbyXI?2IL0-kX9g@^wbPp;Oo)fK(XKbgC4(if2YO9DdHW3IsLlEk zdAaN% zsWUY7Z9$~IQQOyvE_%;1Lklfzek>NG^fk90VEPfBUhe&!+M z-iV8YN=2~W7Qyoxai%(L)2(ZTkQ86{Jiu>wKStno!Jf^A2IcYadmS6e-WNN_QxZJM zqNzG`QkDw==s$h8B8MzGtTcQ>v#qS83}G;j$g%N3%JI&CRlFoCZE93^HOCQtxtD~q zxb{d;7>CsB^EaJd*(m5(@0IOu2q#uIKb-#bq!jLlYhNdnK`;T=ouYSw1YQ!gNRc{0 zOLrh2qB)=|c86C);|>Rte3-1ahssGReiNKuvw(#7IgN6N7%v)Qsj|lK+sotq;jQiR zHEPGP5fl@ULE$}*Fd=~mKU|hAajKlRhKe)uI`gEmy*V95ZZK-i^Qvy1va{~04w_qn zDRr&|6iHx&=n!|G^IM*m)wqQ3GHDs@L!aPJu5$K8s3QWnAO)#sVJWB6%4{NKalRAYr6?3?9_y!_9v!9WoNPa1=FthO@6EuLI+JErh+GY zhN1aV5hJbxnq(~jn%AdaXm9S3sd48@>uTei(~i!5haIAKsHKkhkj25zuQ;U~A+#2^ zeql-lQP$C>Gqmt3FqAdRzn(zTNNMPFfT?avg}rC5@KptTv*&XMdu#V=ND@B^dz@jT z`0J`IHIXJ*-Ldu_I>I^r0ARxj?2YRTEwxM@K6#;Od@Y)vo; zBYBuZ3W9*8|4U~GShN<`DS8CPdkV^KQWXNCz{n%qsD zt6~mRoStiVUGzx>>^ozfZ|+%zz(=hr$mUqX?f8MHMw^!I1^((im)~{-9WL8BqtG{= z73QECIkwwaV0iXP|JRtZ`pXIpnKJy{r{68ZyVUs=#9Ml|e>`cY92pA^Nk(Y- zD#dQTw)riByi33E#EEbB{qa~b9+A_ybSwWt*$=rVJMCU&%UTiUTlry4845P0Q9oL5 zXxvcFFad=iQYP4Gcujh3_D0FfMgS7v-rIVm#9ld~gUw=^qy&>@R${TH$PlTR5PGbQ zsX2SGC?)rd6R1&BWhMwrZf8OdpHl4`@kR@ikXn>i<7H4aAB?hPkt5>kB2DEAn&d&I z-kTV8iT;@&WxQI0Vs(|zd&lvM`SuPhG9Q&T#=+UOMS-%;?QO-SrH0q9$4>p`TDb}v zx&yd$?%i(#Wa-pUUp93`sGp^^g;ADIq}C5;AWp@}vRxaZV8ci3_58{XzXAbxhw2Ya zM>9!kC{D6nx$A?xOW3zW;xoIWj6GO|EfLVRK{{2p3V$V(%lmYXb1bX z+m2P+>vK7O|4+6`i4Dh)JBLV4xG(~&^TRn4PWxZJ3*};PJkvjl=M)yTU-tKBF0TFm z&D;53{lNbZSuwgTb8~ZtL8q_&^S_gm_;|A)1ds*V`2Q{K=FeDSv~o2=pn$C7|NY^E zu<2Ox=WCo;`|oi5dvpT%kA1-+rzK$H+QzEB{nrqv}5M9jQ@>eowhvDj1)z{IlLofY~Zy5`$hT* zYU?csY9*Uf$NVF}AD~5bFtm$PFEiJZUUD<3Zzq#Ow|DdZ9bMr=gc%nEFT4tzPwt)B zn4;a8`Q`9jbZ&PzcmBLdacKAOH-zx`a$ z$s>G5ladGCz2bkxu#*ntl-~++>I<66pR}T&#AxcM4Hmp#xSK~)^^XdCN>D)VilATw zyKj`SA(P{4u9h8JV(d+QXgsGnf873%ac3~6M-k|It+w@Ub>UP`kgvxD>ndpucbduh z0grJx(L_N7)d?@oHk>oYNq*H&$wjwEGP(21?zdo%t>X7GOkZG2j0EeWtDS4$ld@J7 z4>3WG@Lm5b|M;tg5(rKLpg({^lS6X?Mrl%+=7ihqdqw5`AZG9FV`VB)rwIR z+I9ZtaoF=WUtI#AR5r)3i^*u`=&1(6qqT2>M%S)AUB>1&Lg6dUpf)dL2wdjT^rv0G z(TYp}S}(<5!V3-cY2F-;@6=!puaPF2!L)l_e`n-MEhlPlh7*+--U!R}*<`kXot<4l z{5|Etu{ybx*W2GY1&Qhb3*8(#c)8?S(XQ64kfGsA_3lVoR;`e_e=(tPDYy^8F|KVE2k!U`WgQTahZm(8xcGmO_TEuV zZSA)(io&q~iWL-40Rd@B?}&&9NEeZ=(usg{lF$?d5u_Js35bA53DR4rN{3K{NDCk( zgb+eaq=j#B&hh=d;~V4NaqqbM4;&+o?CibvUTZzieCC|b6IiJ{i@}iGnrX#7`kiEP zd%H0Yr2D@aDxF>p7*&+ew7X4U4co)ENDdE02h#5+5;oY|V-300A(P6q-`4F-)gjZ{ zHy@Ika9Qdsr9B{eNJcDE$33D5M&ylRq>_IP`q3jDHg?in5$dHmbS@!hxHhr0p9G9O z@Yf$>y)D$Kj03$$9ALPTfY(|7X!Ub@|Vd@W0{X{0{?it}7`C z=-tEKzAZL;XFPzLwAt(B;+gBSvXiUpbQ~zq;R`G1A9#>8^=YI5Dj2_Bci2|V)HLNX z@G2M>9PBBhaVii##eKT-=C~cZZ76L|-hK9MHD|mfW5Nxi*y7@w;!J1xigdwERDqWY zQ&(hK-dQ)#a6sVE)TC>8zJ7UYwz8wdrOg01yR6q(%&jH1WX}-xmd?+9=Yz1cr{+`I zr2{!*h2fFO6(N$ki6_{NVp7M39-n+y2uNi{ z*_7#Rjn>U$0EJnavB%{-X^Y;&&Jo8tEpEBBB8BJURbc!UWtn1*2e zG-`zTPo8^-x?R57@7x>C2LKs>Q@x9(alZMI%B(i;%F_j^_lI?3`Z<>j8&0f<)Ji5! z9B@v>CE|>i>;h|Cir`ITD?z04PR6*OBOeC3JZ$C?;1sr0X^%HEeJ6x;Lv4_9kTW(K zGVxbX%+-cDLc+z0XCq=^=2tbhXZ5S0-{fOI*h!~l(6))9j$i?P{boyP@JUyqFc2>w zKTLzr=$38O?%y}UU0J`qD7dw|j+tBNAD`THA0#aV?Vj)!mPv!$vD%x%oAyC&quwRbBJSnxFHj&p)Z!LV1i=>ZplUywpu zh&a0;*#h_47`yYie>lr*V|Fzj75sSmG9vb?n72#7wck=}LFI*vV)AoIGDwvCm7S=Z zF+-6}wMPMK`SEa@S|K?DecCOVam2J1cF6hlbE5rP-;i`iJ2jSP@r(LwH9@q)V?QFs znyP@D9bJ@wk^ye#!6On1nZFS}+I*+Ms zrto)rxOEETwo78oxd9WV-0Zk|F=QZcf7>!Wl^#0u)mpupkdxZ22l6w8YR~zdrkZ91cvv zGHk%g(3v3&5BS=qASV%#Sc{>O`ipq&T_DQeBlfH2RJS}y;&$WH4e$HjbRG4t=@|Gn zV9{*1Nok>cK<+!oT52t=UOqAr(ol96N{vys)$cKz`;NiI9`jMx!uE1x6OAf6Tc{RJ z>8r0|V2|PPKJf?uK(9DGy|yWmfKS{7 z-Q!A^^oe)B5+}+t(C;>%-edP;XAEo00>HowrqhvY<0VwT&`r&B-mY+qmKF zbLY2Vvs0&qg{3$uaG7Re`Fq)WaCsh#6mL86>$NPG=hnL6pSsc5+`I2<%Oc2i9mAtJ zL-FOS0xG3WC6MZF=rN34#azRN_5y{Yr#_%tu!X3F(Nv$?V{3}y&vo`Kq}|RbV2&g1 zL!&%D+f^QoF7Zo@xct+s7wgeqSb6fpMI@U!Ut8DBeE*+mM@+V#M{E?gVj4CqlhLh% z;pQ0Y$;W7q;=8R@PKEmgn;J4i--e#(8(|*E_(O`Dem<2I4SK)$2vvL4wkEhOKXQWa z;IUCd)6aXKd`&ifYY)4@Mh&Hf;{~|4ldYX5ivY*(ACoI!=}%6(p>aKgneJFq0L-%l2YVQ8UaTIDGX$)@0nTLhrbe2bNxuM$|Kv z!|O~(&`P2lf?9?B*05FnTu94S!T6l=M(GdC4-@R( zmW=bVcPPWeGG+p;jsLJ$O-1eOZ4B!6;89&pwYZ2iWp4{96!xVD?sCohCD?fFWa++F z(U|-E7MHdDaqstpRllvdq@1(wDQ{VLM6veXX_!G-(O&x^{H;FxXXkAwF<(c199yw& zB0uIWnmgu0$$VvDzco!uOSg85vLKFW1Za9-3dILv*ydyofDHd5k^Dmhb>How++Q)Od+H>bPfyN)4VjGtdZ?~FA#d_3vvUFdmn^J_UK zYL1}vw8Y9IS@oEh?MnKZ<|xzJfc@~-R`2+4_SQB_yL;CP$uTJ0c9LiDdEyGDvS1St z-Bokc;Y6BRc%8JiopGHu4koA*Qf4AZR#MPD@AwW;@yN2ABJ00?bgi*FYHsF&OSC^( zM>4a%Ex<(L*1enpB7c^0nNlUoKDVOaS#y(*X*M=C=&(vSXonrG@Xu!KuI$djbX{kGiCY&dm<2JCHj$j29%9k~{rw&RAE*g))&zkUGKz)%g1GdHAen-`}~9 zI_8cDznr6(>TQpJEKj&6^J*Q#7|k{;?PjlkNb;MXX1ix3^2Zi-+juYz+P%X>+g`+jC z8}n1&FIYVfFcv_YoCO=RuJj(q!$MQZ^$}ZYDLIgXSQ5Cq8oHGjN~`x6BtCYPlf^$$ zhD=1!>IfA8tb&mUUPZwk9E&|&Pv*SWnvbn-%6K}Alw>DAs<9Go$|7yo3jTBx^l#Xf z$0q06`fcn9qI)-Y9ml+|7WS>BwG8$Gy+xVIl9HJ5bxWfSu{n z)%As(aA`I%Se1md;8s5W5W9E$Rq6#W`<5K&J|JU{gZzT~A-g4HrRY#xVEb&}6Agl& zPvhBwiOj17iJfk*o>}Oq8tj({u=mMdwaqBu==I|$E2`kkVo=kh=BuQJsInImYD`n^ z5NHxM9t~U;m^^AhTlOK#V$K@PsFp1Su;C@;-jqZgwm31mqsYtq{k1c@%;L^4=4Kzf zom4(`B(B#!k8FgA!o7Ym=z(4yuZs__U`kFuH!tvFixd_-&z^0QiFHZ6C2 zjb(e&bjVd+=IYvXODI~IdmBo?>-~7Q?UOKo7}dc%_n*{p-d_r!?4hjfP0*3!8{0#~ z$5@ZvTo>KIh6Q^RvbHF<3z*nQ&Zp6*qq??S4GC+bgXU2ts$S@13H#p5;-q@Fxg6=J z4O1d8h>?UZe3iilFOO}ZQwH52skB|0^)%{qAoq`$!E&Il(TiWZ+=#s8pX=%GuiH31 zD!Vg>*b1GE^`S7Pp;{WF)@fWdbZhvuw^~bIAFwwER!~gfn%%$GgjXpKAHA$N{Y8rU zU1PuMsCO7sc&%TAMQqFG3&I%xVXgCy9cLg2-3~SskB0fE_D2Qi8&pM$?e_;UhwR35 zlH)$QX{>)SD10_-^%a#?wEv=jKlnO=mu!;!K-RNAsDhYCyvT~@Q(rsH$^F~&(fI>iv4N{Iqb7tV#PA0#=I zz$>HjR&XW=dA5$i?%n%l2X8=c#^kcej=gjrW~hl#bxUMCMyb`LAAd!&n0o<~X?PR3 zqdeADM|o#k{3Et95^@TK%s+EeULtz<(xqjhRb?)+A!G^0L8N%f*D#?EWk`#9nNNnV z_nZ!dF_-05b5_!DKV1KkLH7qwWb{+Bl*LCBXPROL-30e0=DG({>6)6UX+??v3Hg|a zr=vNfw2wEvFTC0*>6>F!L-1sSt9`0-GiwQ2=UPf;bEo5nDW$Cz5 z+GvD5-%qJKv32^aB>gk>4Wr-8uHWlw^DMV#V{cA{x?Q8Ef3p(9I^-3`!?5F18?s_o z%RYO-;xDVrw01?jJrkDvVHf1tJRYCVePXBsS?ynHk3$je{s}zEv}XC(*?`7e<4+Q@ z7?{acDs_y`Y2TZqc42m2t>}%`>qjho2m*qkD}czgLHR7#amI34As$LkX?ajSXJ8@2Ib4vo*@3WNYkw-OTt&0>2|`!K{||jn`VC zO_;7a6bR|4W$|+u=0rl5A#aI^G-N(oYA&uYA2y)g|Uwe0jl~5nyi!*V?@`t!1vd z<+Kxg-99Y6mC^@JEap*(B!S3NN&pbRf6fRr-WsH$(2eP0g0g!{MEqx<8gV_7!MJ@s zIAmfpYhnvMe^STsd@dgv7d=4Kg4YtgJ>l$n7k+4SWs~`8Ef-y6IVx$r1FjV^_ zQ+$-zx*^4DT^3L+0r|zmZy50S!w7xAkd5(FkxH%NBDcB7!l1Stizlb4qef(sF9aQ5 z9Vbptg=s5zO^5gWuFvfp*>vYh1elded$U|8$4nNl6Cuvs2q`}|N%p_q)nIj93$GIw zbEdo%Uge42H8^IbXu=7f7B{KnRby=kRJ*5Cuh%RRmS~BC?QWeG;DDJS7Y4$_yywL< z#$)-r>?0HSCeTAIS+i+>#dwkHMOGmOJdQ(xYd}-Dl&rE;nJAt<)XY=x?8}n5f|lLR zW)SK#haFZl?zQ%CF>Ww1@BIe*MczDDWykaj#H!dhn~8Bg+u0Kutdc8Yj%VshA$kJH zhHIt9ykYatjEHLQJhWtY>$*Nc5-_s~Ny-U#`z8J`S`H`WBHeJTxFnYog9>1t+l} z*K|nJ%^6oy8JeKS6zTh?I**M@77tvh;XgN5o`HNHFi$&FYIzCvexdx=i$K*o@GHdk z$9%R<>^*w3BhFHOzGitWuLI>dwtdrhAJ@npLVV95jV?+f>MM&YGUQ&?2v~p*P;s|J1-WhUr<-P2VvA+sd8iQ;+y5g=jJxq-X_}j zV@#CEX#teY^*-ATn1Rj}^1M*og!F|CkN!(WFvZ2qrRVCwd$%(KED7FTT)j*T*=?K) zuyz1yG=zO>Ls}FgC;r~xf2^Hr%*{=T+c*hnpWh5rzMODjo=d7Fjm+FN&c)o-sobgc zeyx0NRkU=UT{Nh95VdJNklp{D@^Il`AS=bVnqfuwrq5L9jfzk!$;aDm-+l4#wIe#0 z4ozl+@xZV|;qYytXvVbBWszxPMbY(VXGjL(!!HPTAQt(1o-wQ5TkQV7^Sd_`ew2Q8 zV4+C6C}^_}|F!3nE|O1tJ-Rb-I-vg|lvK#~X}?;2wlplN(?WGQp3&;@wY<%1+Jpor ze?)XtE=!`^I$vjxF*OmwwfFEwYaI_)6nV~UnV0L@j&|Y&@-jcf9w&fp{nq(WPSy6+ za1iR(>yN^-!?__^*cN2xZ(34EkWYRGlMe*7`usIDHk0ZV$Bk6rH@0vKt}AIsy}L91 z){)ydDlBncSv&5~9#_I#D9J8q{+8RC-E;L3nRUx*%7EZ3Gsjuh__YnPFmlRn- zMyt<_!hhM?7gvn`MdW9Byi-@7f*1@Co0>}>SnpTw4z~C{ZvI!?O4fk4iSzL?^&UEqHLL45)zx!pX$Nqt6&;B{2+>#qsD3gi8z34B-Y&|HqEZeDbz}PSiq_5{p zTk)6od0m2`7pi?K3a@@T1Cz(5h5#F*!ezrG?ACU&BOxR0aA06fUA^%{Lv2BrlEP`pr6w2tt65vhUFqRI}qwk_1ZQ`NUXzFfd( zXZvof4_huAEavw4PsL`7Vw3|xu+p?R4LB2NP zeLN&g0If1}IW)lf%1?6dQly#dT>=I*ScLCHa|mOylu{;5*0#F}MXIyVIG{@F{O)S3VgedxKQ7?o3F}AP`7A}!Nr2D0#OV%m7MmTety42f zh8fX2n&-bA=xtev3Mq1^$v;-Na1jI_;$lf*#UAeV@;5HW7>Q`(t6 zVtz6?Ie_x6@lYKl-WQNwY;bi@@9@wN{Am7P{7jm6=unBy2yW!Al*usZuU*fsd9T{e zIpI*Pw!xhd;r0_uQh)Xe(a%R_wkEK}^BwLgSvTB0#!{{aDQ6ZUcxSNpIyTcW zF>;O#9nJen0{e(m9<1{Idxi1x`04=PQ0Z2&>?=U8w8IvUuxpF7)E(orzbm1dh-W9J8ftbGb3C z(?zi&OZ4dL4fZd9QhOpf?bW%3)DN_-4W*A}#?ih_7 z0y$bY1k^jb^BI=p7S60~c2GN^1L%-B_Rd;Inf)=>h7Lfd(~j~P$~P7*?FBXB0|&HZ z$3ZBEoM-f>PdtVv3>soP&usilq^BF{Fs2J!aezg(^v@7tQxZkm3Yzv7PeQ)}+Z`ZV zmzXh)Ga~vpRTZH;=DTmP+#f(Jv$sMpR8aX!?i)Y0$ie;*Qak)@BNx5kTDN+y)PkdI zHe%VhYixr&X(dws`x%>rL$t{sVLM$QU=2cyZ}8DijzrHCUn2w&NXr|*tF%X$X%MUy zWYTnzS<=j*a^Ot^55PDPK?k?NNQ1zA= z_fC4rrW{cB?fZ8qyb2Pe%C<~~5|?pL<*!E*--_y5?JWJuiD;9Q}51%x60+^$|p!UFi<-y>e_|DZ+B z|HfzK-_!hGyHowIcz8#xy>=N)6z1$@%XZ!#aNjiF-6+4IL1pZX8Sd96od=*%?EjzI z0c0L$6CE$~#sog7)mubzxKx5fJ@(m-sK6Sn4`sW61^kYK@6GWANpT~Nu(KSnG-aT1MUm5Az5Heu!}^HZ~2rtV2Si?jKCnNZ-Ci) zyXCKMQy#)cGnCEvMlt`qN6-Wmozj;_A$Nx=7YNE~ zGkooV*R^lW0JCz5mvthBG6p;}%Sn&4Is1S3OS2|m#KfD$XCFXhvLf-DWs7XA0q=%f zbmdW_-lp#hNSWJ!cWcv^p;7`YXljq%u6KMgCUVbaUiZ3?WQ)DF&C^3~$}O_4k-oBK zIJ*)WJTv`fn8zxeR}lD#p*@23!2Kg*zP&u^5%-w~ zy8eE|eO-8ucRMBEzz((6sJp6ysg@i7wQcS4hCE%ko~7im$LXtN+DwuKu6o>Za&ohw zMFjU6Fh7HUrOtk@sN))CQ3Be=zOmV*&90@8r2-O_mW|D)=Rb>^ zT#iO7gTmF5kH;qbVD#AVM8+cbkJ1gewq@LqP8jQ%U+{T(bU}IDU0`}qB2iH}RP@x* z4&@#yKz@e83+T_h{<7@GVlhnEToSN2O_mkOO)8Q-Zx3&39+4Ulv(C27mmc`}nRXj9gP!=)%tG-ja4c@n_-HMz6E3NaSUBB^Gi`KbHRzJwiDg zQ%QF?UEFzHald8$dKD~a2f>2G^x(&izEqBy>SD~bwKpwu5XeR1+Fe%52vdDf(r7sq zcmm5>Q0uW?!w>-v^pdg})m?4N8BBC{ZYe3LPp5FlCcU6w&VhHB_81m|c`?pjHe4H6 zo41cZcx~x9ELZ~C);iZMz|=rbEM_XsJ0pxv*mzecq9u3V$9(&F6leJrr4eBzBc;XQ2Vf`hk!|CUWBAc= zYFu|X>AFQvP0RO&x8Wh)^xq6W-VL?1YHNQEx8zT3b&0pEDI#R2UNIE0;8#q?)rzYz z91%dCW*gGB3ruJ06^W=df=yt}w%de@gImsS+0j@Dfls4L#NBR{tlYr_%$w{Z*!QbS zxf-l}AIv8FQu7v{=NI=uVvnFk4`6uqCT{;Z>h_3Zx+Sg5N z0t~02VZ9zKdwm$=>lXF}fKJkI8`ewaxT)8(Jre58AsqWyT(oWACTybhB=huMXh3gb zYwsy&w^GGLVv6@GkG=7EYAnP4sr^06OzhUhMbf86(g zR7Zu@oh;s?!1n^{%~4dhrYX)8&*rU54tn&x!6 z6?b%?G~bnFy^(cx^Kp#6v|UJ?^Ky6`jpEB+)7t8*>aUA-Grj`R?0J56pL5|xouMdU z@ipmsJIUFZ&){QCZ|s}-Nj;6&s*Oj4b4!z&x7=_+Kc9EubQ7&XeZu-#?Z_Dc*8N2x zg7TmjcXLXhdITE7pzRka@Kskd%sr>l`7FWXKP+7jjIP%x3TuqCla=wXJBUE|2kO^CU#(V)^kWaBI1(w36Vm2=o zT9+zUsw8JW_C(;vSXC+tk+#fuv5P(iNA+MK)RkOY__-rHMPW!-wej8J163T21^ld5G@z%`N6BL&+DF4E{rO zG~avkW#U#K_T68T?Z0B7>cceouftFrh*-xw6kTdbQjQ?@V>{3ZrGb7jI9t#3m-LL9 z*_sL68@5Rnb``lzb%|vo_5QWGQ9v4eOT}7hmmVg(e_G{!o{;K>ULdtOEJEKGTwZDy3C=$CJab85=fG zYFM`M&Mn7Y;|Bquo6+NsKs1>&>jzR=bSHu-_o=5Bx7<6{XcEtR3EOV7i*m=m8PNyW z7PQY?jsNoXwO{Y}hW|*G6XiBu!K9_p1cyux8Y=?zCW7?w?zO9ll#cA?6I1?>M&%1j zA#W$WTs3J`7+tB26qau3U1?sRxXwHX4bo20z)PA0x;QoDykFs&jEH`}%^i11L!h|sp*lQrsMH097NtKf&Og)#Ro;yU@g3`P&u=W1J zhV82deqaND>@Ae-7-S&Yr>e2H#aJ+ZDElhIkCC+#eqOZ{2TR}1beoXSrmpu6KSfFw zLXT|O)!)bHAfol*n@&+nN0{ccqt?gQSx&~WTJSpX5T)ro>-o$v3OVm{#v>RKC>t;z z*WDLk0hW_yG%e590rg_G$L?+(su=MPZZ5oy${OE@?j_5v!*Av><3i&YM!d(S5p#EL zkm3a5pI9WVk_D^^B>V!)HS9XllLHi|_G~QIY2(t5m#%(W17(%77nnvG041^-2xV+R zm#hOrxGQE`$ET8Jv+cF zIc~=G9c4lC(B5M<;-YNY3gvMvk7j@`XNVk))JYAwID@^{@2nf-2-12 zEP_StH$lHdLh4@Y*we~Pbf0a($>QG7GoAR5+_IjCZtLRSX+fMdQ?e} zjcm@AxJ``jVP_1}AxKSfV*6@RxVyxmS&E+kW+&VYNX(&$Ps-OOj_=B?{UG?fGT*PE z86KuI_jbvyk6-L4@Zo$w>+0Vi!Nac(E4A{{#-&S2 z`fziTS%&Rb)Se~aH+fwPRffwKQ)CR(pJL0Xd?QHqzkL~DDJ z-Xd>qYqg<(3D@o}unr*Ht8UqQVS2_uG=`tAPfGeo;#=RY`UO>Gl2@S$*W+Y7=4vHg ziy$|DHKkV$&FiN37s~_5O;m|(kVa8L81Eg0c3K}c~ZPw?NN#}J_nVEqhqGxSJ?Sw&}UsvO6 zgFAe?Umi~)tyfWpCcENKh^?1<2S%??@9$*z*EX_1j?!iD4D?y-3u_*z@kJ55a+HFkpkJBs9%fKM~>zZRqpwnLrGPy?lUFnuw2E4V3vpW9+SR zn|UyDQCL5V*Aet5d-BTHzkLxfO|6}pAis;O7?*zJ#XU$C`(BX0`787!+q2fqs|9DS zKe#z#pYD|iWXB_BiwyiX{+ol}nKA3jMyYDQ=n7@Yc-|khm%t{fwL`&cAnPx{wR#*z zlDF3Dqt6Kj#LF}6Bhvz4+=HB7a>wcfSa`>u0~5`l*pP-HI=VC&(9F-?a&ttq8U$JO z9qYAAx3pwqbYl3la^J?yR@;X5l>Id09R6CeTfAAdyMn!?8(cE)T9;d)7$Xfph7LBq zhdv&Me?M&rNxsd=ANJQ&x%AguV-J;$B1WBu>=mM0c3*`|*4|&1+QjL`bQ;~zs&tv~ zhqd4t_CFuwaWk&KT9_|#_sGiD4V5$AvF-gEo|tHWcMOR02y?d}Dy#}sz`o>T0{QGv zcmfz5_znw5W~#cfO$u@G8U-2LfupJD->huX0k0Gk9p6Q8>{sm)V`8ApV2=aG?T%;^ z=gRl@oGUW@{q&r-pJp0^g`4+MVE!RG8Mm`$EWdx{Y);d^A!`z=Ar`=X@8C<|xa}sB zc_5WI^*F&a!3N}`e`kjp8?I%vLZEiZo;+spib1CT?*!6>qe11o?v@ENN$J_&`Rkn) z>M~0jcVSlQs4##EdAf9uu^$+Z{>QhI*DSg4e|qw2sQnSq(cQlK{~(b2@7BEktGu7T zm@Z(ZXidzP(BTg83)x){znNS%Ycu#q!E@Urp8VQemEvQJQsM~i9J6wpx+*0-*Y=r;Pf!Y!@0j^%_tBd2gI+yV&C%bFjKXk6KUjiQ4?ks$b zbPK}BzB+a*@Ud)68$1_wo$mgBqa^X8*e z<08;MF?Y-mS_%3@u*tm0fGXwR`dE9~cPSv}O$u^OXx4MT-;DSYO+p zSZIumPUPHuT3DTF`>^a&1oNo45`d<1g}M*$W03sXA?lZL=rKf`mj%ZzJg62=*sf8` z-nppcSCu@h(sn__+<}7XT7+p*Z`rh;N(LLi#zH^$6BdtSk*(&2JJ4j)_+bB%=s z4X_Z`C}mjV^kHxO#YrfhqqL4QX`SYU10sZ;TZ>kpQF0Q*5`QuN4_E49oj)qfBoSwVwGJJ;&_n>>Gc61zQ>Zh za6n@?*CRbyhFyDs%2!;<)k$AuN|p@5fw0jJsOs$MUDPY_N5);)^#F8?wYy~HxB3RO zJZOIX%XD5%bs4-ODWoz8w%4*n6$@Xk#?Kx=%R9c{t3bNQZZbNte0^z|YAjrF#F#hND`Q7P3H(8$9 z-tly9&H)y3S-X^BJ;lXxVmW^&ZZ~TlR{dqzP5_Cx0Tf?Z$DpbNBYz-|t6purgjTGd zK$p6LK-skz5G5g{O8|1T1u@Ov2C4H#!FEiA6XQguDnA?)-vLNv+K=}Rg!PPta@j7P z@}|etRiS}3&h{o800Kqx@bZp$1m}bBXJj5I&X>+deGk8|a|8$OLK3xIFL4q}s*S3( z?Mk#$kcXKcfXRvpid0&B2nB}wb1T(Jc)I!)N5ViE?1Ke)qG;U(>reI3A8Pm%@Mh1> zoZg9P5~x%ha!O~c=y4OlV}*dlVP~Qa*ry&wg7siUr+lzS)+mO$@aa9~d<&N!>35F2 zc&iy8wn1YSA6p6Os1|_v3LQIkEa!D3qEfFCY0N%MtR5`3a=o{p&Bz!3XQs~T0IVM7 z+UD-=RDN@CUC{{MFoud;i7SiOkj3~0x4MINl~A}3`RCV`lW$alt$jK^q`|UXM@rOy z#I&c1^2rAq0W{QR05TvYzRG-BnTY5gkUY>025>)_ZI8iSVwU^X)&|EUbJ{;0#I0>R z(=km;Mqp?DH3X-dwFJo0_3}a6*{yTgIzu-HcP!|A{k!apP>O3xfqSBrX`7@bJ zfbWd4>AU&W6F0QbPUjRQrz{TbE^$xH&fbvh`F%hxUuQpk`l_*&e>odVYXd`_(sLvF z%_WDo2gvrip1y@TmpN>`M;hd4HJ*fLcR<<<5^x<|@`0PdsT%btPP_ULYLwEpLy_hv ze=Y;srOo2mJp#Os`f&`q1*#7>%O}cncYr7P%sOK8P@X29&|;EK^#Y4kYH0DIo0Vt3 z8qN#2n%Lm1_%{^Q)YVg|3Si;%7*rW6`=R|5=lSoQ1eF}vf|rmD4c8ZvX4k|52>M%Y z!~hL#Of>Up$=R6Rr`N^;{`#3^MsLf62v1RJH`1zhScqs$3!Pxdua0_USnmhb(AJie z{`Bt&;}!l3DUTs@u0)m+v%A8RLOOcvhZ4rjkT(o>5YJ(4>s=YkA^5xOoNwz@!6t-($;Bv!M!eHBm=RuXO$8)U0 zS)0Q*_q>88v#^f`kiw>xNGSN7`}b4+tGDQr*aY6a#7mh$-iKCh4UJ1 zAD56x#o7P;Nx@x(*WhR4FOROLgETWJR%8F(x-bZnIvM_mvVjWh|75oZ!9;W^2or~w zEyHvxa!X@YmZ}G60A>Di@+RJ{ECtBcY0H>_UT934t-4AOq*pK_r7vJdZ{AhKe zzWf(;{u2DUQl1&WZ=DOsSk{CyMctyxY}hz!lA$Z+}$# zJtqIkR#H{a82>~03+-uY=s84{$(rc{K}W6`=->Ns2G4<3tH5QzsI`-5(rgzKUoCD^ zp=c>LegjnqWO5&_>U?|#XZ&l#*`ikCSL3sjW8v)wEuleEbkT#Z^*4;Z{49LdTJHSQ zpV}oTZdqZbUn3d!S6G}Q-!l{`CuX3L^WWbAKJuN#2!EG^5vv{bo?~mU=kXEmNOrnr z>EYVxP7nyK$7Kab8M%HFf)W+fv(@>ZC}un6wA-`fVQ$ z)xO(`;Zp9Yn>bb=d!8G9UK|mo9e)TaoMqh`wMR2Y4{z=fb|iUW-3t4xV#|na%GQu| zA6Bca(;%6bz5uF(cSwa;sQ~R#LSi~F=FdI||7*Vw<^-$a%OO}?E>pHK{%X|y;E}<( ztaNYHD`5EU3sax5=#YI$0?Jc_qt`C|>fX(3_%JWj?cTdxgj>UjiP^o4JLg^7&YsLJ z{zz&2d%0Eaw+KoV*J(a8i=7{&D)>?@Rob1#zU7csF1)ixC{b$58!N4J9u7B~+Oi9x z`ffa4vhK5XNAgjjUvXHe+J7A7K=2!HoBqt^$2OaiN-<%NbI?qrIF~+^m%e_PM9`;= zT#WhoGh?$o=>Tc<#;nuaZVl8=97YoQg4cP)l=^Y_ZZlg-qenK{Kr6J zY5a03w@QwAjUFr@hpZc=WfLTSu@XmaKB2fi|NUJ=;COOw_KRnC?M8`(OTs4@d&N9H zkzRO2){dfoBWrJr1DeN-QOqqnDA8PmY1cXA_I%Hd`L?BBnBrXjM_VoNDuS3+qEJPy zUQKx{oYP6jBZpCtyYya8RIm7 zO_VLIGz=}I6E0>StSEXmJn`Mhey_qwlbi>byQlGJ-NhTA4{P(K?x@E%()mW#L*8~L zqjBATM*_DG6iKF4=6&imyJNV3(X}2wfQ-&RY}o_#kGyqD@?pZr0eO``8IhE_r=V34 zV|mLYH<)r4^U-YHt(+vhSNedjvsI5%Gv%_VwY3_|+x^wj?PlKXueYj2)Ml!ow`58m z)pKG8-pAVLYCcF)=o=Pi$K@q?dd(NUi(3`D=TeF%R70Q47gBt04(|jCjmjA$jCl|Q zBxfrAg)x0ELfG8BBgO~$UkIcWu206DQ{-|xI^i|f8GyF^{!Wh*R-^jJk8i;BzH3;q z*(kMtRZ`5p!nHQdKY1fAyQF!nr7jr~ASm0A+g{-;o6tFOm8-|(3aN0$qvBG(J?L8E zr2G0K-pk#V1HPN2Ya99PzA_$-l~tFMp5QSnwBAU&fGzQYb@kDDmVjs)9BZc=_e*A~ z{C13;>KP^&f_|L~7eD5z%!$Efi~%&h>^kgYotU)BFDvbnnbe)I_PtZXr<#4tEH(Q* z-&;H(^Cj(=HS~l2O+Xt4FL?2qwSXu_Q=HQuwN3oEx^K`mTo|B;spRVzzIQqqjV+xc z+(IM-?l6yR+pE0B)2`Ozjufk}f5dYmSjCH)wxojgp(7Ou|Csp&Jpft!`p~{)FBatX zeeV3Mm$+xLlgy*@apa?XyBqu_a{H;>DGO1=VD<1+!*}=KCHQU+&R}c{OK1ESH|z^6 zrO-Nmx^G5TVUwo?X#zg`R8Xv*RZ5>Pwy3<}y^;O*{p0Q-4XiQ!WQ z$5N%%8tvIP!%-H($H{B&Y0{W^B*M^My)NBXfLMY3&m8j2-`=}Q6#^>BqvP`v`gg}v6s zziRz!?khX})1u1!Pd0Dh+R5DU!8eg@eI`b^P_fbzt8w_UPGMb^dXD;#-C# zRJX6mXr;35_6GW=nbW&{_Mu!rDX3kUj&VM7rHR5z66|B-#-}2 zut4@7giLzl|J3NMfj8W|*U%U99|9F~wT!#2dDr&KDS>dW7?fxpx9DBzXe+79@%F}0 zW=;PX_lNVlu|mquqr7+;x&`2=L04jDY@ZhZApH&1{|M9Y{$~6A17-9<_@N;2>kymx z;w|X%hyW|6rF!doHpycWwamsD4g-`BaU-ymWDiauk0=Nsr&J> zs(EX@J@)O^4WyXVFJYJYjdAfvN2>bA4F?kp`=b3AJq;8g*S?(rY`p^?r$V#wze!IA zD(eXYiG#i+z&s&d5LGwea_BgN;?#7^6~oc3;bgM%Iv+HnQ1Q^LipjE3r5Ein8{x}S zQEltvpUObR^k~=tH6%^uT{)xQko&bfwrhd8&>SBQx$CuOuv(?2h>#6`#@QLJ{di0g zuO?NZ_PqAnFaHfqe70(+??x(5B2Lg{t6hRVnbR$4mIU4*&|JwWtMJqW*?)aR-f7g+ z|K>EhOUVxJR^(snJrv^>$d!bWT8`~kOu0`weoa){iYK8f>_-V@qc2blUW!)(I$)5g z3RB|S54UT1j9vMSu6JR^8o^(l z+R;7);D7SkFGAZcVe_2k=Ry)cg+)b4XI7e4yJsIb7#)~749Z(p2X9p3U|I~!mmTIE zKPUz4`nviS&43z?r~gEx3ug5oee<${lO&U6+&+#2gFG>StwRq$2Oy;sa~$Adlk@y+ zVilF=Hq%N;0ipZJ?I#nYv5FDH1Ng7Mp}$vk1(e(fiDdSbt(a8y71MzE1K{FmrMNB} zSqborZY-Sz{VK@WZ1P5yEtLcWIyOFH=PoaMNq(au$qkB5%~=_G2l(Z`iG~3)N2kS> zG?)#)CH%+%(`o}X+LvlUEE;dKm3IgU%H{d{T~-(}r>JYER8ZgnQnF1%NoUp?KD!s} zw*LY*t?<9>0QEC*0Jd}W40Rfd> zg91_lL^>o8up%g6p-4w*QbX@aC<4-(5FikG2?0V&LQ8U1(C2yIv(Mi9oUdKiw|@8o zb0u@lHP@W?827lx4VXF&U2{_yGDuto;LY#rJHU#yo0)2=l;+&28V$SY*NBGoe!1Sj zDV+D13QH~H(%0lt9VY)A#{>$YX}JUD8{tgwG)7xZcpu1 zz@M`j=ozG0!9B;eN_t)fSoIh$54#gz{nk@EvR-oYega(L2+CDG{b~Pd zaa9G4hgI!fnSW#E(pqRu3v1YYQ%OBCHGUa%`*}d}*sbfle~ft8lPb8#EKIB5rZ7h< zTn2dZ!GH8#08wr9oa&E%=G(k5$4PrrB%x6|@Kx1I4n4CY^a$5KU8_Dxt3pP2DtGbv zcl;a09C-2iKUyT&fByb|s{`Smx%0pA@0Py*xit_+qD7Y0y$^LzKkqCY zh-paw(;EFZWDoRe+-?%~e*}%CRCg$!2gH9DUl&d*vG?KgpP9i^CicL(=lw6#aMz#j zUThB4|L_qh+1#U)*`%kW_3t9W`lgaYpFf&5Wh4%X7>XRB3gQ@(7`i{z(o zPkwgEpEcwXC`kL(0=d73kK=p~(0Tmhc)>cv^r&I@9~%V}w{YJ^mb_`@0us*s;Cs@sjfinz?CB{%pYR^aq^J zFR(RNvV8JzrcQk9U)Mbr22b;;E`NV7qdhW)U)j(h$timq&YVO@_ta34MpOpVF>Z(~+XzEkpkds9Xp-r^2cC;>z zASjq5VL3_Vcdp0!#vE(fc|X^KenI1lki`mUhV(Cpk6(T z9X`SD$34)VX>{aMke5y6o0IH`KfF5Un%Tk}P<^8H0dJXPrRxAj4%CK)IU_=qAk&)t z$5`>>@g2sIo`^4LEf|9VRUrz=onkh;@R~x5$7E@@BZmS!v1TsTIcWjq2gI(GAhVEZ zH@g4`MzkDzipLH{^G00G3zR+8ZtXS*SumUaDXurJ_;eU9Sc)%*ywZ?3kFnl*^s%2a z+j{{Ha_Dv(AeRzcFTsh^UGy=HIq}fr(k9W>nvq8NR(X)uUFqS2D-SHAu0RY0qU2=V zZ^d5qvW=)rJr5lN%F8HkVh$>OYX_=yz7o%9T3Wr3qr?}?>zUqHh@q56ua`4{>d0bk zMt4Dc|H92PI=<@tS&<5^x86jrhu+(~eFRdy-hX*{Ao)b#p5k`sm=6uCOZ==LH0S-* z(29}B+v#qZj1lj?^6-Z@<#Txxy|-+Ud*y6|`m`FY^7I+kr)aS2_O|ta>v&ZHv?!J| zxv=U%_oePP%h1b>Z0r9c#?J?GLKSs4(-MI8cE6KBr`i?ketxH3@v(m!L!?~BOzuPu zoV|WrJ$A^|XWLUr|K>QNQ&vnLK+}Q;)9!6$79_J;Mi1vM-XFa2u|XD3A+#BH$~hME ze**Z4ypn0dr^MO4NjMK}ep57cG4o0G%8}0jpFjxL(|4>=v8u4OtVpTyU%sXVR{pLn z3BiW~gNsx-aa4U;#A{BQD7n=))trc&@*ww+Z148F8l`q6Z4H@cEL)bHyZr1%;Bvdh zWt5U4dwtZsGhfrH`na z2#r@mUD(hN^hbpPU&7>Eb8>=I_%Wi$RIBNVN#i=?cClk~x^CNnb=$U`c5vZ@f}yu6 zHv!x`46NczB+vqYSexYB3^P&J-p`_)X^JpSw9q<5J4ecQO z9pk%y0v;k-)ZFW(XJnH;_|R30VMAu0+S|+7cYF>MJ|8ur|li4 zAC+Re1;S^WFc9%@?N8akXJnCRo91pyWl0uIIG@`7Voy8crVnPXMd;M+_PfgGpPIg0 zapYjFtXQHC(p2ApfwR-LD)8?U>egbJ~r@hg#tN^phP`M@l zr9jE5H=aJO0HRo#GaGfSbN;VDlm|58Y?ePUHS^hsL!^^wScfu-_zZC+2` zQ#qRiZmvuM7eBiR;r}YRd69ojqqDH2Ay^S(U6XvGpXT;dAVPJsOax_bUxI8Z+_f)* z&|ugs-z4?_BBQY^T!qWcjNQVj>UD+8B+3ozOg6^_oI4At-QVmXyi`mkPgjIA$NEmr z6|JNJ0Imz?=U28i_D)kx!1r0^O=PW-wY8hF;ZI_YnG&hv>q`K#)|!0czUVr8yIJ`1 z8OCmfq949RWgvDYfiS829l90J+4X9=``l03hN*18ULX9-+Bk_$5o*JZdT5 z=LGAywt}EAp54>+!Hd+w3`v6!k$BLetxK75Bnv)xbinIRLuDDQ(7pLpo2|~*CSLCSI9Cev-(9ZehNK2mW3a= zUdcVGt-SP#l$~?B>}GRwX>;peg=R=BpQwtdIcnXy3=jrrUZZG}F<^(jOBU$@(mF|y zNk$3p(TL^AW(|A$j9a%RN^lp{C8b$cwh5zU9RU^Of2|`L|FOJ^yU=u#PxXm*xFb6b zPhY;*YXPLqp8OaFaDmpzKUib3c<{OkvI+#CoQip zTt!Mgw_86kAC>d9yj#)?S*i^v23GCq(_u+~S8{BjL;s_vZLv{g;#^qLjtAe)H8l4b zevFUX2l6o(sK8L_B7c@H9ho4h=~&IJHB3T7-=Fho*b5_X_TQv$C ziu-}uY7o);R#&LV=ha`jjk(Y`QYe`6@wN$_JC0?v{1_=&Z3m(PrlB#*mjDH6x`1b> z*F1G0ENWY3$u6!du3#Y)XY!xhqCIT{cX=ZjEFOoQyS-UDpeM~`EB4*;^M z`rngR_vpn_!pEy>+7K~;fy^O<9ERYkkWFCU1^Y_8%2rDxKH{=Ns(Sh-bEsk@$?w>@w4uO#dC4{}`W4@%+w2Os~pKI2=eNIybn?tV&asTF1yplza7PYd zHrg838=-XlFbuxa!8ETz=tL&Z=`LMf@Qq!|3GGqjme{D4`(ofDE-MI{v*NVrG_Xcm z6kbxwrhdnt93Qy;g-osfEo*D^Z(#cPKfdb!k3N3Aglo~pIK?;3rI7lgEJMXRCnV1K z%I}He;5gyWEhjHuT)w2G&qV#`?TBrpNOZ&9bxegQpT)jhjJsox5FT4)C43$-#HZM8u4m>x7-`E_ax?hX6NY~yi47l9_J9ud%5Y|GN!>m|07$=9nLvB2Ut(aZaq6xI3e*rgsq8uHKTJm%sc;l%(6UOVb5f{;om`U-ZzBJIXrHtwzoS^UGz1Clu2>qEee`b2~j;%%4 zlxD3GF9`7^W|%>$jO|8@QjeFo{RkN@{C>H%q7VzzNgL-{JkKecik?~QvkWaO`+Lq; zwagBTv zb&@gJGo3lYm_{_mU%40k$uHgobYHZ}q@B*DQHR&tJg+*B-NH+lJ*(#0c!yi#p>#$V zmAj=gC!x$bvH*+1Vp52*v>AFt0t8viKOtnoBtu!{^qB(UDqzC8T<-{pDXxYNC)m6o zr0}b7{LrNgrsrGJXUWajRM3!bBpB=6t)1=&xTFFXccIMg#Tf0_OmCdfH|YLNeRc2(Ut1?L177RUW7D&oVKaQAJIgwS?Cq8ck z_^s^*Rh7&$mm_hjh!H|1$Y+!XuwC)hh|||H&C0j~?$7MQYIZb*3_sY+@@7znXJYsU z(ZftyF4m>pfEqkWClmOxSL=ap8dF@$#rr?-y7Os2c(@iTjwqFp6+tNzqUB|Jg@s}U zfxG$_#~iuo zcO_||{x z-%M)sFk&Y6%bbDtw z?^h%r&+6EVLWrbpVX1`AYJSQC&-sDuiu#Ji1GydTJZF+>_uWpqN1)hVvh&+q+&YI& zx>7yLhs9k_Sf4xDiY2vQ1zvl+1blE{!O$hGH;b7AyG`lVqy%Io2&rAwx6_<7g@~xw z*he1Cc&0XSh&?0z#N=+E2&lWuGC0j`V{LC-e*TrwhH0VD3~GyjBOGDSdUrUu7`j~T zN^PU?cB!%&lr|{CcMw>UJ*<)T5byDHprrAlF?nbw6%Z{TAcVWYf|Et(EiqHlQheoG z%gye9@($c{xi}~95(;S4z47CM${{+yfv+B~n>5jdJ+|`d(-rBe40~=H7^L?#NQTx` zlz+v*Oitgxbm=tyuw6m5&5D?oR1oYYycma84)Z$c}AKBErgoxOq3~*aR6$tF;J<|#Zmi2Oa_G{b{%b7LCN|m{J zIA@)FrO58|!?-gQGyCL6ZfC%EPQ1!Qjps?$KwB!)7 zg7BPNf}u=ZswE~TDdlv{%`E6A_@O(oNBS z*!eG)f}WXYXO>Hs!0_~i)~T67)%_y0c$c{YSvw-3N6Rk5WP8UMZ-ksW;yj50m_U1E zmT7B)3hgokC=l%wnJsqm^~LbdB=|Ac&10Y;^|R$Bt@K1dI(a*xeG1>(iy(794B=)( za49pL3Tp4A9uVMCnm}9ct@|YUb&+~XIN|Z z&c_Bt5do>*D`^gz%IZ0?7gN)$J*=!3Gq~LO z>B!#sJcibVWrSt>6+OaJ!;y&0{>&P}p7x+s31~)RfquHj(BQM1QS_4^WiPuMD_CZx zDo^)9)7H$V!%b3JdDQU@p=zrxTSgj|LZ+FQUcuOt4(P>~F@nL;-1|6tKCpo3ZA zg73+XU5UDd2RB zZR+}2WVQ8(QvM)zR^doniEMW7vLG0Aq}mlc>0Wcrlyf1xH_QMD1T&0g!1o#Bl194W zrRq~M>A)_`>?UzAaVSq^Y~*Ie$A(Cu;lP*!Z7gTfZTm`?mz&pA`&st^oxGTg0Zm=$ zS0w`!dBeRYHtz;Q#~~lHEms^BOi+LnTtZTEC8ETiIMvUq%Mi*o2A&n*$PZWmxD&VF zKI1|_nkT9x=k*d(rH?u2+#oDY-!W4_)0Ob4|K9S#Ic>35)^0@$bg&t71}f)NNt!lE z5lXu=Er${5iX}_w<^Tp1UHK*q|Na-7*B+ohRaGu_DfPnI6nVtm0A_L|C13dek$p=yAN|fU3!@QFm9pBlc;a3?!zc4x)W;^UB;YVxe=9e3(qv z+@YMuTZO=5s`gf+SNPWT5}F)q%|Fl5kqs3PcfQCwxPxlqKJP_AGf`bBY4 zz?ci{DR-4aR+~EZeQe~vp*c{d;GeCW{IUAXBSr0n27zn;pJzPDI~hTi6JX1Z+H;? z5(lxAn~?S@S*KMpi(itt2+vVz7H(4eubjOjIm{Q5w4;E_emzcF_%9Cv!0g4a;_gJYAu%GgaCJ!vX~dhl9nAh({jj=cn-R5m?O!nRXRDx*D~M zTzvnDw)d(QiO5&CzBgrXj`5|F|Hkg48I5>b)#Q-Rees!{T@o8c-?6`ge4g7r zc=K2gai#;2n1k^>@yOYAuwQD&#vGhzEd9&G$bOfh-?%g?VJk7KoUY@g$p5o^Ru zeN@fBc#~e3Z4{KdMpT~*(VO~cHnJ&@w^7|T`Eccuot5D+GH=X963R27)VDGBM=(Q^ z(REgMK2Ftl<3bTBP1RZFkmy>~Gxj^It}a#~zUq`d%;$)`1?xjc{{YQBQl~b5`ayGp zHo4y#bFahhdX^OTaZ2%{m+665>_i_U?lsW+15QT?m_2-Won5QcHS5NqI!ABo{4rQP zI$Coslz9;F9*A5)lr}^ren;ltD0gZe{cBO?F&B(Vwp0*U*i7tjmyLd=@}u~t zwOfXvi>bkSqs~0dJ5QUAYdLBhkH6hqervYdvoyX8V~$I8yD)+BvCoqCz3Y~LQnR+Fi6VMV#sveo>6UM3#O3Wfz1_Ky^J7vFE3fSK_iFy|<{k!b#gILVxrcLp9A5D(4o zAxf&`nrUyHPqcewkt31baicksFiQeey$-0jz~>pR$0}wQLR*qQO(`Bykjb>f``1fk zr@M`F_@i3+Mn(O$oVORfKCtMSKh^PuYJwIPZ$U?nh`)OTbPh1u8)PW{S#I6r3|Pax zvZL%y^s+Nv9u>U|%LwRh2tyMA19+K9UE@c8b-a{E3k_^I_;fv|EmQl`dYginu+n08sy()?mPR_ z)r&xDYT8BXexnOjPVS=+Yt%zqoX3Upo^?(aJ*9e5;d<>q!jtlxVZhYvKX1DcAbD`a*D#80tWeUIl}Zp&pdT5J2_Xb_S3K^w;?PYWM|-T@Mc2!7(HL`%`Y`f17s97yyBC zNcg+Gd@Hlfg@M00kZ0SF*B@19Uxi;75Ed%`n)4gg#{mgpcJv5b*S0^?!N)72Y#1OY z$d0pTH0Q1ir~t)V*H{gjhR+M$#^mn&84*dIU9Ab3cHdfa-UgIBJi}z~d&d9%5MwB@zP?@`OtiywD{Q1);U|N$ zr^}Dqg=wWz`FF1}hPJUm`P$Y=MqTL&Mq~-Zq#!qlS?}a5TfCj@EG(KD8y{+Dyjxyg zW+P|z1%%yYW&Oy(0-I2J-=U!{PG*8OU+^1Bc6PQs#Ptq5w(a5gW&mQeBCmn6fWq?( zx7JPbEsOj;qM1+tEQ`X!QQmX!wL~B}NA8A@CJrH$MdDRb&z9lR?y_+2etF@ap&K@L z2i%TdSO#igNiT8J!F=Z^l`A1wCKZhg6@J_dGR(aOU`7||bjBu*RY5;_K`Zu|bUz({ z$KHSI5>BNypSLBdNc)bqy8aR*22oKZAAed}ZFD|-d38`PHE)0-YDSm{9`l4&6dv@6KX}D;VFIBYF2uB(#9BOT3uXE)4|G9!3rj|1eh5RH>;*S-_X(_mx;s zp2EFlBh&b>xzp2KR=MybWP$fWC?>OgB7QvL?GmgeCi5l9XSZQgI4q~EUg$-Nw!;<_ z0O0_gD&O8zysH`0=i`U5h>Fl9_df%AULhe%xW(6?WU2X2_7!4(Q4DY!;jrMGDx`_7#i2as zl4Z&km5-qo8RbsjucA8CN|IL-0<`UB-;`7?WxL9BiatG9WpZ%q=h@KjSy?TTgeTXZ z<@yA1l>&}eW%w(^dg+tQHcxC4pl*{DTrf6t7)4XRv4Hs#mQGsE3-!$!qHbC1gqy0B znDL|x1MXmOrTStM6O+tilKNiV$M5hTJLbJI@7_P|STb}x4h0nPB{l2o>du5HExcWT zW-xeFY{phL4~Kpg9#^7NcJnkdpeGFPsQ_3EzFF<7z}i|Noa95ISa6H>^=2qjwtRlX zHBQ;P3)z}(yM8Q`;NaNsLmZJrl^D=J;74>8nah9A=_R0mCq5+#qZbuRO zEz1HjT;)frOxCbtEt{(da+%=Kcr1nUrQ3C{iCbRp=*;4trmD=prjt=Di_hi?KI*`` zUyA1>s&{VLU(YECrtRWfvl>NnRq99A-5}PX@l&jFa)#rbW+d>?IWY zUjMkJcz+BgU<)`bSv4nRiuAUY_!vh9pCoN_c+TIyUe{Ko-W&<}5L~!TkFbf6r-2J6l7n#GRs?A^~f#jkKJsyri#}#c%G8jevgNSjH^eEj) z*GG9BLx>*)7#p^K<=lOsRDpCJ`;=!bd)^bb83zlr0RpweO{4bhqFls<&G%CV0H42q zf82o)sG~q~`PA{ElYU_3*hLXA#`}J@O`BI}wMVc}hU!{X8NzGhk}oN`dSfK_Bx5us zE|cZ-IA`cf4+69Kawu0WF93Olr!m{66xW8w(&WHtur5bBU=IT{7QWXgY&qWB`#H;| zY(A1}320#GnoU~AP$H#Grm|t@J+d6`iyej*yk_=3g&zL%zE@rAB5|OaO+Lm`sz*mm z?&>iJ;{$lNqu~sk+LrxGGhbGQRIKF3^Z~8X=qt6N%xCqG#)_M{S3`zw_1KpZ$ZQ)m z@NmfEd`lZ@KfH958@>8I8-{KlrqDtHigvS98tps&8B7N$CYNY9G*U0?N?MR(FpC6?SfbPcRe3aQgOqZpL;03>t2!1Ai| z?X^8mwMRbwj*`)=JHtLBC={ ziv(Dfb!;Augg?yY`ZW4j$NS#Oqc`8qOX$CrCZa8T(|?#M;C)XXK{QhGM22(jx}R#HB1|@|MF+RS_p&q($MTca$i)@gd{W{zpG3%S zEIu?vy`^ocBBh5^8d!iO+bmY9r>FWDTbUGx0!&U4HJaZ{Myk&BPRK*O*^#?eKIoAGyQ02cwE_RMqc??5MNouy%=7V z7_jq`ho(Y^$oE7ZXUa++@)uIO9V)8wP~s|NFy2deu?|D$#D5wo<7Y9oTzHq;1z4v0 zm4VS*uAY7udovHp=*wplNw4qaugGr`Nq&%{$}*$)@L3;Dj#bCW(e}pszo`izmf62U z+5c)rkq^LfAaqsD0Ya?0qcmUF1pTfh(-#QZ*YhlzZe)39xMA{2Y@4R+o>xg$4s~3G z6VDd7oE^pc+*Vh66`(npboSkR|C#J}j;dQwS*Ojv$(gBnfM~mV(Zu` zds@aKOooaK4@j`wdIVPuIwp=Bokt?ujmq@O@l&tye7H7JOq%^?y7K7hS{DJi$;=^n z2S30;GH3)lzRw+B?jwyuGc3cJQZ-dOSG9e*G;f>Ad1Qfi^~?73fJ((zRpv4LbH3(Z zeONyGW4p@=^j{CtU289>N70E`Sf$DNsbSHYr-bK?z+4Yu0^coI}vA`C8VO)9hQ*9FX{2A(5&gvBp?Uabj`z3W| z?`{l;5*y^F{niu>|5x&5AF%LRf=^`ofTLT!Z&@trW=~!*HF~pn2~%k-_tmP?^)n40 zdC@O9=KZ+SL6W1TapLYwsuntI>h4rs_^0nu!74VLKOQ+gICoJ4)a|Qzx_kQMWs^`t zJ}A7bMWgXY-oNM(w1FQtW{xM)4RcgeY|jW1=SF!ww)M)MOfzqpX-?$a*E0bt6n)g7 z=Fr|V^P(7U&iE*yLB4^DqXWHudTUyRt^n{O!z%;Z_E3rd zUh)sC++8L}%S^R!%L3bft7q&>DI<+Oe^9iHUc`rl*)286uH9_9^q0}d)6vbVuaB>h z;c7G0#@{O{J$S|}Q{XSar-S!rKEded%>Kj{_k5i$>=G!x|7OxzQNjr-i{i~&W)mQA z*}c7vQ9t6BXM!K$_y>H%dx+FCS{b04!-Q_%)A&Py_@kSLtAai5q(i?+$gknJ?ABIVx3IxWpE zzR100q6vcEk0hjr%)w0JkZrkI5lM}L1}H1@-DCsp1g4tf21$ER_s4FPOM^l$9HKsb zYINF%G5$nXacU zo%tZ+!Ft527=Z{|BW8qQ|LYg(p5qVG+%nt}O#D#yn&aQ~ID<^{Z#U1rOfhmb2b)+Kf1s&7HvY|e!osNfWq(G*JaM|U^Pc%<18f}L=f!=UHx4nI#BYL}q(>E`A} z{B*A824q0mkM=aoo(oY<8*=D{)>k-N&UsO}^-)$KLhZVZ6O98!nfhoPQ|M2I1(=RT zeEIQJ4@V*oO@;1MIEQOLi_;1;2UQNteRFGwc?ih%tmj+g)A zm6UxwI5;@l>Et!O=6~U14fvDObo)uw$jVst?)tiD5#wK9A4$(7NLfG&HYy|}HoiN> zG6QYX1tgUUfHbC_$)=>V>8iJxb6r5C$LjmtII2H(D;zoa>zWO|KsvfS)6&4*eL!#AtX^E5jd~ zw}qo^&9QM>lE>})*J@3`2Z;DXC5a(~2bdzJ;{!`e%S@r&9kqbp?XRw`Z_)ZCdsG(`5?MNnJMe!a(`&45#~oW8ixEtF+jqw8v7K+uPS4H=fX`agN(QVpzj^Ar zZfS54KC_;4?9V;>Gt)G7`1Itt7Ev(Qozyd6f$v2jLm7;;wxxPs7ELt(!-1NA@4TUk zQynb&yCk4P)m_|Q)umj|&vlJnxNaE2B+a|7-d{OY6t9@w+npx2G1%=SP8w!z<}#Tn z!?yG9^EPIzYfWJkwgP}O%wh}==~m*+k(wHjGCcqq9XD1K8!E1dfkgg}1KAkztHzEk z&70cf7E(82vE=0{nsV=_WfN zjVLY)$eeW5-!?&oXpJ3};(tLmN_#2NqaSDr^9eI#M#V}P)rY+?*<$%l5k8i z&dGJ|&oVhB1TbHl``Sb&cv(0e?U`RDt%}{t=3cg)pwN<8lifsD4fjx>wKJJP@x$TI zqQ-s%nsXp$I!-$RmesHV|BbH!B29mpGN%2QHmyJ*oeBO%KTrnQ@Vc(P*qTu2NN`~* zFjfI>#H)FIw5W)1a4to3khV(drUGSoeXtTLF!pta`1wtc-+Hs{#kg6yI3RzRprA_7!T0kORATYLG9~kFHq|pkyQ{K%NEm|9y`UYx8efu_ zc&c2RX1n<%Xt-kQNW$7H{#hts7(^^&rQG~5pDFyA%_l^(q-+YA`YhEsH;l0b6tiS9 zbt(o9FrQq^;`e!uePkXcW3F^#<ARCBoT%O2hd*5q~K3ti-N%N@W_mt2#{-GYSCf61m{w~j=7xB;pZYN0?i*)L* z^e!;>S-K4$w6VUw6+J3H3zEJM_)nY6E5-mDAR`WqQ?s?H>(aOA6pR<6HM;4KerF%oY z3^jfH%#aZM_uoKZ(UwMme>Q_3 zf07iBDV3Y?PDVPJ7~Z>Xom{xIwByG}vma{*2fbKS+FnKv&uL*_N+FoBo)=Yan4_V&Z#B%586N@0@Kf6*eo> zHF%PAANxmAc(h80XLMR`p%eVnEJd{iXg;~gBxjEs7f$+BF7VyzczD^)Ox`7VnFqs`)!~;rPT3@P1#Xc>ZHh_WSSofOX%s-X4hZ z_1k>-vUJ_qLYJ{8dUEBB_pbt+RiI=IjHW{*lSeL-xH3E!bo=v>RH`+!J8}WrEHqq6 zN>c=ul*!H+5n_?`lZlN_{qAC$|3Rk)jDcGMH0VAW&Xb#;@~qLRM@HODhY`SqGU6S$ z)6#pkLf?+I2OM{KQ}*m)2`^tB!{JfS*tPFCo7Z4J>zEiXg1jPavi|>o2#e|4JiR4i zWO_{G9scX7e&SuV;*WZxu)gS~GK7!8#6}ksy{%65#|CqVoOmnclaQyU6HmxC=0Vrg zj<0Vb<&|$nlv#8MNrXdHq}6^d9F4qq6-UOMTdSsnXRai~CG~?DQQUkYbH7{<^812mn z^W5rkXwG;M`aw9s01fHM7r|@vwN_YKV!#meqYUwc<4*5h<2yf{AiCt?k1KHNeZ(L9 zOQta**kx0o-{TWbqaJ5`@t5P|`F)u9F++Z-M@9e%SiUH^M^eePN6*r|?wF{H^hbFi zA9?uLk8h>&s|R!zia>Tv-H}S_f8E`pXL+`V)wD-!(>iE2Z8hypuGzTY_I*VdR-J$y4?>O+gguK&lIzXg1z04FjkH z#|mc+D`HO5VqV3q0)y93s8?iAbGC1K*5Ydn6X58Y9Rcap5~dB-M2BUxn#h?1nRt|l zL>*h-IExt>PI=@ip`r68PB>gC)3kY335U^)L46}7tR=?;mD}V_qBq+E6B;-&d{|KuXaEp zq%f=lv8i#-xSv^6S>M`xYf_(NZh~)ftl-{-R@EtTymRUcA2WK!+)mTG2)vu41NUB3 z)f|Y#>~8)`Ed|J*_unh~$YGT7(LBcS#oA%%3OwZy=orzyns&U$=wOitW=d*LONCR8 z{f*w~0yQPDBno4T-tb@2uzVcld+5PjeRqGsZ6S3@PI7DS+>Bp$OV2oJ$Oew=*(Y~P z%+*FZxChX6Yq}2F{xFr^|B5Ic=?HKb5;{h1{Wn^*1S9aIz~x0Ut_OWRF0&C_PgexV zfT%AJpOLq*y2G9Ms?|6RHUs94rX|)(=)IylHZ^>nF9B`EmzHE{q}aZ&wz&^z1}XtT z;ONsVjPBZCA&BrP{2RcyD>6?O(wkqD4dkBv?5U9fd#PmeFKP`mskjmkN5(B)+d~-8`Wn^W3@?pPIjX7z{`V;4e;BLb$i}3%Ywop6|%& za564!=2~*bXdQWfLU_hm#_w>};VV_NNW19=#BU0osB9EL= zV&U`>-7Ce#0^gM9V+IO_E`u#!|~epRap=5hFN_th@Rt3~$|B0F~a4K1!b?UR(V{t)+x zYc?}nbO_({N@Vf+yi|;{HgzOeduW8-rd=aBbjZA(XRHFUdSF3=d$giE{NE%~VtJ3Q z2HKd$xaQu3Y5~jpTrpdv<@stl@HEzU@5mjcq^tTeO`=;+&T}G>oTq`b_%%P9(?Gt7 z;0}0nWPJPfg00y|22Q#Cw~+cjc4z57JuedrOyC8^wNf=by52pomcG-P-)FdPkYcC4 z$eBuW3-h7+ACpqMcwWIA_NT4c$93eDcfjC~%(cSIINzCj0SbSm-ZJI!f&UWp)->I~E51QWT?oCo%>E5n&v= z4(bS0>^=Ya0#NH`jA3rTO*N8Rxf5CotkuP!WaADKBk}0cmGes{_e1&TBBeT`7tQBs zKg$xNzH7NV-uo>cDjzkySE;3E`*0BL=wc(ie1rNE*8eTt<4Av44c@;LFCwy)|Iov9 zEXS_v2H*u$<^TBWCLkxcv#lf({MFajH(S4BH8(c)WKm(^MG&aHXq6kK5Yf^c!BM}H zCYOoJ{Prz$ww{#mHX=GN|4Iy)p<7gh>#Dh(fInv7^AmR01M*Mak6W=K$FcL5nMSx; zf-g}2u`{6uh@^yDTU&`qLz^i{Gk`bp%<9w=`6@dHwyaduEORFA-DvwmE_-J|Bl!H>Mq1)+BgzL z^Ifj}yA}!e7y_u0hW}HI6-NieJSVf8M=2h^G~Qswu56K(^1;!{g;qb_Sa`UT;~KPM zaBvQ?06178=l1OM8j%77RlmbPL`lxB#jwP`0pEWYE&d58{kI4BzYi||Km54G|0#d? zWO1are0v^hZfq;I3Z|x>Qk>i4Aw zUQDuar(YTD`X^9{;?Z*yqfSle2ls21;k~+TJ>#P*Wgco@_eI|NE&rO)WS_N}x0-*) z;2w^h`5RqVADaXQ)vmPPK`*IT1355$-Pw;u!mQ{-R~I>?UdnQ_WY0$wPTylHBeQ-s zNK$3O_>80cngj7i;B9Be8FbBbiG*&aCG@0w(pab9e6KW0><4^d&R8V+T0yB9w1rUVYL z(^+kzr=0~%8sjU9Lxzw0s`#loil*9m2Nym@l@5`=!W{D$mpf&TJCg-V=0pf!uxcY{ z$C(;4@u!0V%oHJGJN|*+?_ixHu3Q=l%C;^mz(ydW!bvL_!Wry1b zE^fFd0)Kr^KqT0EWK&r&o$(!jHfGYeJcTx zgzd!bIS0Uf65Zva&R0<^wD%o;Sfj zM_zlSjSH>(tGw)y^MtaxKC!W_fE2?yJrkTq17>eL5;3jmoH0FEaAsk>sc>NPjEv=8 ze55YEz@y!j;~MTVVAKUf*eSfDj77lP{12$}&sEHhP3S->1r8cbnqQ2+>VLqcdc%?F z=lLGMGj*ru>4@O+L`tKCUN)~?Kc@PDPmV}v?=ug~^2^6=ANbWPoJ~B`9F&gVvq{y` z4wFQQ)<@b$72Des2Ef!TuvGcT8|Vw67hg_Zik8pus4jyoVyiAXA9*|;S%2duWvz5+ zsrzc$Q@=uf$Dso(imdv29XmE37=M2N5Q@KArnZC~9>alLbWuu-{<8cXt2qhd;&0}gR;j!mO)%V8=B8^OUi;@Y zGi%i$xWGtdn6+SZXY*9apj@CwVP`oJ`?2Is<$c#8cDNc_HHwGlym_cKljj)uJ6RHp zujlG2&%)TwM)*q~T~gOESX0nU+_#8p!PtpXR)*xAH>SE3D)+#mZ+otC9{a25m2@zgDx47lfOrs(Xw_zSm8sb#A z<|mfLg!IE4E_4JG=Mxbr4?vGo94UWEIux#{W}Ry}O}nFz6M+jMirZIqEE2E5p?vO! zT1T=dlTLbNT%oq4-?xB;A2@?c&f@iVypl<8_+A#gi=lUVPVxE$5&bNR4|Nd;@OBB>&R1$S&I zY~ATV*X}QGrMeG1Ym&(!k)1{XEpW-*c9tP9IHJ~|34N zlAF?;tYwFKnBwTJp<_o+@4Sfi{X>oj!17KLAbnwjM>V~WC4 zj+$OsyB7Z5gbT~X>)Z8g7@-8)ZkD&VNg!-`fkCij!H|(oX}E(n4i2DUGOs|GW4mcp zOv`?6l80Vw+<6SP&b{7)%DyipmYy}og8~#n+QSBZHM~AnDMAs$X*K9cP!lxeF~cjW zSr-3mi7EdKOs^H1xsOl-u~$(m-7~x;+H5JE6&i>c_pSBE+f9B~nMK%Hc)^pvS_iUu zd1vBz91KG29NB2iCM64n?qEEJ(De3GvVX28im|wakmJrFKsvecH1~Z1n7(%m1Uo}%f=AL{)_yeL z=YEf>bpHpe^8X7){EO-N`T0FTd#23(SDf--(ki4y$Ct=e%$VVPTGHJ5n?iReWj25> zNF*J_ZsP06GB(-O78vGsQ4SN*9+0mjNNWk22L&;QL3fdtbYS&vL0K-kzQKuxQA z437sn;7K|*k-x5#WMH~Tz`}uWa))%TPQERCP83XCF&cNs3(uj{3Mg_5vN5rTOen39 z&jwkM_k7LQw>DO<3!@j!8-u-`REg~Q$cUGgxa7>c60!U(SO0GU%wWLnzKzx`?%Suo zomVC_B-4IY`p6SHF@>9j7v=q`F;8oNsN%+fLehh){fC!<#+-5EyXB(2-Ey{(GVL9~~gy$g{2>wX(## zikZdU&*vboftbNk3h?A=m?R37G7%3USu@{uLPVlPOaG32l21A`ep0YG8Fwb7ORy{j-%pN@H)%bz~OY(XkL3Qx45sS z49soMth@`z%W%^X6R zZ*JXk3c6G~#_VUBkqf%Ys&oF!0DH7IIkOljuw?YB%`o(uG&?NdkYCNSLUpQPI%u!( zXdT1MPcMx}Q^R7x&i=BX_ZPen{J;Ez6R zaTM>Z&b{N2(}G>1XorVpbTxCZHiuNJ?#M;)($TW;duzT|Ae$;dRbpYWmaEl4m25*N z;0|Q)=tXW4>ef>5ZV6Xe5gu8mo}Tb5v$Zag7U`-?&)m8I);RE1W~IK z;5du~96?rQrjXqZ2KePW-+^Obyjzo(X+h@+GCwH4=vQkyj%X<+^1w`>Gyb(~1DY$l zN7ts?32gChSoe>e%?3?U4@%e~^x%V-`em}NO?k7cu`B+err;54WKrOZiO9$C`K#Ul z#rpkt{o=T@Ww>{W&1m(>n;AD+=2k+kzQc}x19HKK#FsOq8*5sugV4U;cGPP8!m{$7 zRTItX{IeyvhS-7BjA*&jm-}N6{-8WrRM(04WHV4^#PxLY{u9S$JgnFlzMy>R|<3_NB`Bfor1r0jHPbx{9h&jS}}mP^PtFr`6EV+;515 zhL)b$w)dY7y&jx@T*n{E`?Z9x7Ivs89M$2ptHPh00dtsZOjC>TKs5fc4WDbQYdidq zIeYLjE$AP@DtgQGRq7SR#DR?+y4Ob`;g04gr56k4jm+h=9Om&5*CgDjR>{;>r(JX; z_&>9}Vy-bdgH?;4@Ia6kHw#nE8_b^86{sDTaht& zl`0?lPQ130_uD>ia*O~GrNtsOfZ9i&t?HD_zVtrC(vOs;MNO94BAo;N{5^ap<`}P* zXx#et5Zvq{danfXBfMg~&q&PbYt~L3#!P-8=b)a=Prl&~SX;YB) zSm+-8BguR6f&sO^IpVyg$dm@{lKR2E*IUmDI&Pv_Ol{y$%&|kS@s37*%I8XPk9Qrn z%HFH$ws~o#**sZHSjW?}xOEdHQ`_oXZ* zRj}yf!s}zyjbm|}hJm8LpOj>~B3H z2`C%EPvWccU%A(W8XGVqvz)Wqn8*-v;kSGIB*A)Y)Zh=*V#Lv!9c3DV7YuhKeZ6=D z*1pI6x~5%%SU%@M@hTp)#qUsJpAE15;nn=p25Ly$20=mgV3|%5Smm&zk;VyBu79GY z>6FNx|L)()Ti6;P*te_Fm#cz`hkubQ{vO4CO`B6V5I&^y^be)m{{yV*-@5$%g~uI1^9#;0XFtM4w&3HZD8R8MRIzOA;)KGYH9~T+gj6QhM!qkSu2~% z7&r(b2MTUykTC&TN$HqKcLC>$r~@_LXs9Oy=gNZRN(i*`S$W|{axS!i%BDi_(kVKY zYiW>nSZs{=%}AI}?kg1cCq-(LaEs&`)x%XIjB2fP3w_0(a}R;}3S&+&DZyCM z(Oq-|6!;XICKr3w)QAkEM-Nxe;@YT!pnSBGl#~R_!$JVcXIvOR1~fvh!1G+XcY}do zst<$B;~ZIi@BNW)6qSG`h_)ROmc70ftUCvF4L9N|Gs>~hw@C^Lff$_WduemfOZ-NKX&Y-Twhr9s837?uo=De0urB%;{cPacTa7pr4}oscLk9(#7Im zN)T<6k|5R*DqkNSI5p+hemuh?XMKUMQqRyZs(K~I!E21I+W4qLO9HhIT#p`wrB|Qr zFK2rg!~UYtv`{;6aw8V+$M;-9?X=+ubKEm#=ROy>6@KqR`l%S=1?Mz8Kr1gNQy@8~0x&7_=%laV{ zN?Dfn`gqs7=d-t+US3;1G#KUuEW2)moKlZND8y0x;>pda@ur}tx4sVXZ&Njh`@o8F_WiXU`{R3pkwJMF zOUg%ZUhLTeF7+#ZxAq8ggk>MF^kKr3n0eTuAEGyZ3P5{A!EVeU$wiwe^2sEL^4M;0_6P{`hC9&nDAG-K(RBJfN1R07T){_Z|}gF>#p;kTyY1Mim=V-wP&zLU)6HI zbAKXF`-mJYtqHf`Dlu{0GH_V8;^1&Nxca4Zl0j?u0h)mGp-Q89$&psJKcvybz3Mfd zEoCdsx!utVKFHzT3uq&6heee$Pc6(%9JX`pYc|Jid60@@F!O~n5(!1OUy90U7LQq# z22$w#v{o~_dl5DSw@}`XG0iFCL=mtG%`f z6e03AXk)kpdO-F(Efb|D(*3?Sp;&VqUp*wLfU7qAprAQuPx3C+vw2loT^uQNd}?K* zOwII49FRRkSk(vjU9#C&*PCwmHXtl4z0Ec{p+kla@ zK7*yjYRtZ@MFqP72?(p%lPWN7eSa-hJ(b#y<&kyQ01e)5I#(#ayk@z4E_GOSs!R`1 zyF`ytPg~|Rj#wH(n4D=7)ry2AXv8PG`e{Uv8w3E?SUH%h@-Hr~+A!j|i)&X^Qf zDxy60t*5s@UBa1qim_sn)xjW3{q$9m&I%`K_7XZL%!tdr=Aqj=@vpn*PJ1oe;lzj@ z$U#R+scQVI5+=mzbAh(Q0ezEJ%{`sI_{~z%%!2yqC!QXWS zT-%d%tw|WC<;zah0yBA~b7g6#VaylWjYI8lE;lQeL|tlqewL;8%46gkB{Qac92lAu z{`D=p|Cy$s@YDMC9N(Q14n1M#tf+ABt0cwk_7^r#p@!^h7E&P&D&>RH9a z$(Ph8hQI7#Y!%ZtZ^jnrd*3k+7pf!NUiYl{Azc+hHd>3fp2ysO8~bRO)59jFS(nYU zi9ef5VQtBuW? zK>+8_&o~jV7Zw?cE(fkK^Q+zu`s@Lu(@TKcG^Z(}vKG-j>P53q>W1}X(I+f=$WYxp z#il{4iyOju%tXxDS1@;|b7G^n$jNQ3BJaGPYzG`XY5v30&6t`-1c7J5;smO2l+}25mZ&QkX-TM_o@naVs}Ni=AD*szlcP`HSBf$Iz_F`7DuS0C7Yh- z+Fx%FBr!+@5E8myGF(=4sWu}QPRdT@K@7`y#Bv*pVxtD$p;>o6Vfqw<+0hIxI1@sRH;u3B=UQlEUNE@0bx_%Ij{E?bUJ20A*JCG><&#qLS88Ha_=D&Bks(Q~VRr~Aa&vH!b+Ro|kv zM70Ekjrc9@WIo!d<{C{77?TGjE%_a47q}v}qK^9#FeP@7IY^ALhL^CyDX1te+2btu zCj|6h1i`h8jDpo2SH&KTP;ACkYmVk65oMPs z_yVJ>SaqrQH!n`F(f3fdu<6*O(3gYDMRt6$v)qzZ;Uw5W9%jZSo=@ z{)A)kjwW-}&&7ffum0_M@&?3My&@3po;ZVbUw-sF4T*Io^r?xR?GDD!*BsZBMc*1r z?uVd0UiTN;4T0tqEJ_haq_yge=8ymf-C@l6jfA&fl1CqXR7$Z9sOz*%GL7l56(%)dW^P{k(xHz zJ-&-r_IQt2K`|}FFeB+BZRD~)EZ-9TNs#jsxtvYj%>)HKIxOzj%Exp_3~}}uemL}< zi23WM5GeYx9KHl+{}{2n5Qey9)S2SKi&%M%=k>dr9fvM8h44O-pKgSX4ChH|d3W{N zm3BfV;a3;-qZB+$*lws#7?eln?%kR?`0uCCD>0A`mA@4|?T2zk#^$JH?^3*1fw6O- z+1`w!CC-bQ6!6>2Dzk(QXBW3rX-i}@|2P|o7zRqfT(xmkf^4MF&y_hX+xP^K5j3j4 z;b~#j3%`Cf&)(ZpeqN<`d--{wyZr~NUB>B`yKggYmb`lXy4ag+j|PRmzaPH+musa+ zc4G}ewDH%-*cikdT{B@^TWFt)wDtRT0U66_l3wJLRckrH6U%UZ$Mw z;_4!*i9@x19lsV7v;JkZH)?Wb+MDK{>lr5(*SeU?j|<=a zu+P0C-Pz472^7eb7HoPhA=1gD}Ln)rLC1CIkNgK>eF3z z8_*U-YqWI(pOqj;H9>60T1TFpcFZvc8X4Quk5yH>fj-(8rLJ?Xnuo0f+uc0{iio>G zdr=mHSXDd2XwK|m`C&?0YN`M&5zwg2@f4OL;Q$Rn*y9)WpOTZAkJw$zb_-saokHSRc1mrBdhsESgvOg+`iQ;5Oa2H<~n!b@172H*-r$^u*Al zcOZOI3Y2wyFW%iGML2{c7X}R+lbJAjETNX$Z7jY=a@NggFm9_jRj=|E=@y`v6Qj;l z#m%b*b9b<4$t8m97Zqh?WqSZe+x5Yr{tGJISM(@F6#jvF3?0_^&_mhL*x>0PkJ}x> zyi<+YrIc~@_^eUkKu?HCF?7BGQLPBDj?je*$rk{er+t-nRoYfku$N`K-!i_35i*qU z?j18Dr$kdL0N4HZAtpJwxxLF6MO2iyW#=-;%2s&u8y%6(W*w>lE6yG))*HRh@P;D^ z03e&G_QbtFr{Nm9Zw?d+-@AVO8PEn!Zf#^IBq(8FNO?)%NSy-Gt0xMt=y*T(-@m#E z+BI0|{ax1<%xEK$W!pz58p^cnt04x0rw5o*g~34s?wK>5KvNYD;Kl~69(U&>f#wN} zANwoT`Ax_W{VGPI-R~0xsE0|Y4Gaz6;Nc-1vb8`~{u_7y2 znATCSwc`Vwy}tmqnw?!vobRe3&as|RNKo*U;{m#pEf?OR{<<~*)ZDpbd>Q|^rVhz^ z%#jcyIM*)C4uU2w0tUy1!1R2H4kW#LSs9mC%o0kMr6(t*-i5MfB}`q9UdsqccO1B9 ze}wMg1h~5pp!Tc^7Oxp6*AI-AkE@^mGblGhY$-BLWl-X~sGD*>Bk0^|RqOe@5_{je`DAFU7TsGx3U|rBLT$Qst$s%RoQcY< zW^gl6hsAv2wZ)YndCN_0=VVcICv{f6Y~x#2*AD}*as*taH#5L`EcYN4d4P5xwq;M| zPkv1Jw26$bZ$>^m)M7e|FwhLA@jKm_nv z+uPg~!jD^xK2%yN*D0Knjw9Y;?uOWz@aEWzT6V$ z+*%-oWm{_dN3h#KO)O>i&ynLWR!^ijdHe+gzgR=za;Qo?z~|FWVVb8|7D0|@S84T% zh{I5w2g9gcR4$E%`UU&FQZApD4fBPbtfp>%ek&uVO1(eHnqq~3p8c{N9H*|4%Vejo zocg3hM0VrA08zlZL3m&d(wWU(j}3Ig5||vyyS%Huw|@P6pY}f3#&>~C-uvLxaAX?? z!5cVep9#ez>XoE^$e^dE=R>_*<5YH+tL2bvu)E=iC9d$Iu25}peW2 z>~Ps46#iSyCgvxy;o(&!;Um{lS~i^`0nfwS;$=X)ftzwHXntd{1%IYs9v3gqK8>4UY*~rT zr3!YmIQhl$M4F1(ZQ6)U$>Yr;XD&07cVYf~@`Axu8>~^T^r~NJKXc`t_i2JJuW4?Q zJi&B+L5OV9JJwgit{?FgaalE9QLlo(GfBFW3js~h)lm=`Vq-AqA|f5*Wp#Hy^2vw* zk9);iR$OGCT4)uMu~Gp*=<(T_t0Ne1;O1JG;#T>>xF#UtHjuUWBn4HySJC z1xX;q#K#+GLVl+x8Tq?$D2wq>ZGq}FY){EK&t~)fiAc89QZ-zdTv=?l{6hVpK_%2B z_qEDw6nwd~g^BNg^&o~NPPl3q4#NJjyES8IdZ^1@2JvsgW7ih~6|-B!YKDq$4A?I8 zR~=#z_)_fF@SC=9sH$Ft;Lo(N>8nl5vs?KO%PJViJn~DBmwUg3hLcTMKh#)0NiCm{ z8ZB{2n<#tqkbM$sxRimJSw`j=Qpp+hxu>G^Nw_KY2P3s&g%9}k1?+lHL26F-NZFQ8 zZRF#ZIxb(vADw;aFvy@qZAO4N$88rC@1e%HuEE=Rq}Qcyj2*V!iAOMGvK<*xlRCfM z%oTJnBFJgbuZ^-f|Oum^U(Ro0aa(-^iz3XG<;pQytR4U*S}sQaSzNnx;sOUV5!& zNxe;#Rty_oywOPqfEkuYUyD^_v`K^K7)WWK399K?2qwQMoZjv0SwS)vTi6Ic60~k5 zVHGds_5oUh@i)`r>9r``Tfh7R0n=$6>8Oyl#*t%m-5sF!Wk=w!iacIiz%pSrYN0f~ zqp4=yZ%|tzt{!2(&D6a>_E4!A+Nkn7dgznl2FKReYsk!H(;Q6TV2eG+T<@X0$CR$6 z3DxQoEw4-TH(OIWR*^nVReqNQPdwo3ZD>rcS(-qquvAl?-8|{nzamsP{T{Ras#?}M zWV^4q>&n!tlXP^_6}N6&)$OZ5p0nGG3Eo?TnquFu{psc>vBY2N!Ri-__Z!Mk+;;LD zV3;`5sI2IUDWrywTC{Yi=(PUHLf_j!`$Cf(D>t?l~02Y?C5 zioUa{eaye2g^5@XLIy8YlU*N8*qEuLSUF2pDAA+w(9iMq)SSrDqS;;prkOhaa1QcG zy8(mT@#xHNXH2f^0(I<5Wc3@vTdd(37aR}MJBWly%^$8|PIC=?bWYCF$t#0lOoZEB zHg@|;|FGJV0wG$?&34(1kg*D-Tam{Ki}PI3C5RDEY_NsKsQc;pr1ungfdM2k`YlpV5XW+$OxsWQ9 z)m!W#uT0oWeO6`jwIz|uG0)#|)~+NoQmbI|!RvQomaPZK)H{(x3TBOHBJpORb80fT zcM|Doy`(KsGmsrraTm#Yu;QGL=;ki+nEquU<3jHi;pm0y4ByX)R*r8hteMG^4SXv1 z5egNkulzWOu?i-I+iieHDOOnZ$`~nLeMY*jW!F208BXWezQu)~gKhb~6Wgy{VO02O zhesLeu}72%_}F+pR2*`OTDc2pkqy{(2E$wvjduLzwURR)u6iiK;S$$GquSHstuV2k z`H+2eyK0&F^^EvqfHWGRnkJ^h9EzYWOIBz;jtjt64xtqY_iBXLiW>8s#cL-CFP?TR z4su^ITDPk{F%8{GR3DFM8Xn5Z!b|-um6=`-oe{XZc-8elh=p2@kwQI>tZbX!r*r-6 z3XBx<;(qba+F{W(i@+`VlgGDCCt12mKIXgp@C6v*W`basmmbU?>u1;Bf(aHQE$ns)ypT-*$6Q|z;4xqBOK%^4l%71|cqjGh^O^IZ*4 zE>3@c*6vTf+bnilTdMxr_xnHK7TVdQz!JNAP8eL+?};RN|)V$i+$KDL%b!2?wffZ93PlW`xP3#r4w%o39%c z=HI>tzkUck>}xlyc;H%3b4{HhJ&#<3;8*+aTs)s@vJd9LY|A>{JX|U*gl_F~*BQ9U zxcS{LsH6I~64gib7h4mmsC~5~uu7Gr!d6X9#4oBh8hCL+&Sk96W52elz7u6Z?lIsh zJ7lZ%V^fCm3A|2N$+c~Y<7T<@R32w8MyHP4D9GK*wZqytq$_5J>bobGBAh!O59Jfx zp~>Bvv+Csw3#GYf-gQpWB%{sc)0EleeucDMzw}s#Z-#2~a`o$zN|C!<+4$5 zL-@IJ)D~B!(Fx;^^NnBh8j=a}KXL-yX7?wCZrKT&N=Lg=_%g~s5zYX?kd+rBtmjQXT>jsI(kYzi)iomxl4W9Ya0W@J7MZ(Lm;MxIZ!oY}Xr0NaopR(GA`NlMY* z&eFteh!``eA)TMiB{zD9jBU;^ng~W~4F=td4cQJAunn2#sG)erq-dGOUY(!6`7Ht$ ze+2L8=IvQ!SBax@8}mT*Hh$tam6@_*gn?ixn{@Xns0_?#Sw*F_xs;-7)y?q z-$c)s5HxQN3=Y}&O-8D!)g9Nopr4)qUi&jCcQ-pv8B0hG#0=T%aSrlTTBqT&tWy~P5RFUc55Z$p4x($2g0RYWv~UmYcx&L=Or$q+|G;2V)YM__o6% z{G`6IM~@IM_|Cjg@Nt+er(T+FHR_0+ttwb%KtB%uv|hzUHehlja8P5XP}ii`hBzwM zGqP~oxL>@JyZFz78e~_D13_=oV25_9iF3VESQV4y9*RruslKt$(%^G1nl*hFvR?#( zfVc)#MNr!t2Qmf~MjYn5v#G0*r6aPULri>;><+s1XFOXd2Qu=k@ei>jMZ^1rl zU*^FP+THJI(0Auy9a|BLw_B}h?#pkyIHMXo_3~U?yCl{m>C>mvv_z#1`rV!hA%I|M zXPKRx({or&jj?|Pb;yQn=JM5KZww4i>J>m^Ms00eHJmx(J^PhX#~J{gY%iiGKPVAtaN zO|a1+-t|2HEj9p4fAfYn9ZjKUBweTO>;^Rx6-~Rzf5{A%{e1QA+({syYT}~j0YT#Q zJA&bdZQe=0c|4ll|C)@?T3#@ZY^t~=O|`6~|Njc_^gqcX{Wt#m(|<}jW1xEo164_@ zbGWQK=aT`aMCi*mmvNbR69YVmGWFYbiVvHP(w>#;>+75#))hPla3+9-jFf~xD)WOu zK*WwHTmIWqGGLIhs;i;?{{EcekKU*Rb7z34Uz_%XtM)Y6HwOq6mqC!yIXO9t9EKHo zdU`T`Q-W7%S_$qyXd}Vm;$p;VzolC}BP2aJ`T1wSIbJAKs;;Oo!YER!KxJA6xFCUT zo{l8>``t`9H#=0`Mez6N(u6pncOm*3^h2gp#UNP|#pZ~ySREO+03>41R!_O~GuQR6 zlbLJHr#6;DOp*=F1HFg`n0ULzF>+&D8@7ObhJre;DdXStq*93?h78V#TctSnm;lDt zdw0TxG^zGBimk>_lel z$c~RGT<-57qB;iWzh>IFb{VdMN6b|10X`BU>feMLU-SWQ)k4x=tsoExXs+B(r~(3P z#zkNd`^YsoJoc22Ds6wMmcwL{(_0{1+yQ7Qk4i7gR*`)+rfQaNZ42N}O}XCe$Y0Pv z`a%=H0BH<^BjV(DVikCF!b|5k=LNiPgk`d&F>Se6=4cZ$`U!GISz-z6 zNO*;nfUls?je$cZBnP0zfj_7H@P7fj6YW3`>s3AR9<+i$d+WKU=!IpMN0^WXks#Xq zcg+QhfW`|rLF+dKl-jQIs--mD9cvFE4YA*z;sNrdNo2&UU@yvZ35#F!PulTJ_oNe! zo8Y_sP0jMecBgtMwK6v*i&0jl{QzE=pP4YuA;M=aAGc@xD6{&9KGzv-@dH)RNjvW# zfr$Gr-Y36Yy~r2=b4&q}YV@5mgs+Gc0g_6PH_tYT&Xxkiu_^->6^G`CHG_dcBUpB5 zFZ5YyYgs4LA|{I9TTEv{tK&7v3Uh4Ci_nJUO+JI~kr%Ly#En>=0-Wg+awN{Ne-uJ#!RH1zVNmb43}P@ zzYM2Kbq1?|Aa3bS&5_vxGGa}>>YO9v!8l_<6yt3mOj*$9fB6pD)gER8O(J`TNP8N< zLk@SKUw3ZZ7S{648G5a_W}%n;v-$feM0^|esUyWWqr|L585^<^5fTx)7;s<9$Gdug zB+^@nZzacf5uA`O8}|Rj>!4=Uat_gWoz~8*Vltb9#AySmhLwronbj6pTkj%Sd|PsV zh`JV){{H=C)Ukg7J$b)&-`A`+C0a8~V$D8-nOuaXo&| zsSE>(+vgaY&bHRh_aWz~Aw$tiJ)LO#7{XGqk4nKplUn_IphGbOIuw>`TfYKOQl0%v z#jmo~PE$4)nxTz)nqF4{`Q?N4EaEuL$1_!2gQ@i&7Yq~-gAnQ^2fdo9|a{*vZpEL7=7+7igNH>TUe@% z@lgI7nAZ3>9+45>7&#-^Yn>%@#?F1HPPOv%CfN$<&9NyWtX{lQ(NwioWBQ2MAqlKxoRpn7V%U>VWL<<|?wc#hQ^JC*wdDjO!`E9~1VJUNeO9;CtjubU+-b zK{jpZ1fs5v)gi--v`~^_C09OR8|6C<;4 zJEt0aHa+W5okL04nseZ?r>;)vbgW**#I=8ksy#~K)+{%wz{F4^pgexJ&K^biX-4+B zHcx)+t3N)x`H<6Zw|jD78Dqpr z^|3E41si|Py0N(vAP|o|hP`upDpFXm7p~QeHAt`AB>E3CggJa)2#Al` z6xoAe-yC!+-RAr}Hk%I8h=|{KhmGZZ7|XHLYna?}?WvWfArdy=2O@Mi`O1QF8fpwH zk)U`b-KjVYxKhiXqjr< z)0H%)c+{;9{B&BeT^0n8y5L9(`)iAOd_gb{Guf8>UCNk}i1G#!D4T%14&rDCj z-HIoWPVJhI>Ba+Es;l)pk;Pi&hWJZz(+yzie#=NpwgvjBoJ_%30Yw=*u7_!Q9~GN} zq-n&OAJP+dlaAo8=3R2$b?jklwY|M7;(G0r)ru{BF-b_->%pV!sJKmh-Yn~sd$CX*sE*O(U-;b zo=yxVVLB)Q<#BT_8~4dK)Bthg-<~^fv$-|gd$km$-=sFMp0jeUyeFNSY4lV_|P}; zp~!64pv^dC{8aW{|ClbK+Sa>^`H6OiJ_M_;a*FuG^BNuZjnf?GSbYq^t(9s#EXL&= z@wo$Uj)%J0$sAIXIM%ntp^p{`=o6=g~LP-Pb=?nZY&w}3e|>$UKY1E7(skF z#~oQIHu5?tZWMOrUpSQ;xtoDK6Gs9h+2Tq(#Pv|eZzj0s`;Xs)n~HditvtYIO2(vg zux%PdvGluE3wwl_XnI)`C12}mSX$WT7t|jM*L~4_g4`o-cnWt#+Cr>Lw@QrOWNSIs z#zliOOE-K?Il%u>a|kz!dCft`q{S5Py4CFVDm4iHuKSzOZ3Wz!9=P1m%p;^X9%prt<0j4KE?-5%d>n6SC3)WqfO z%`@!fmq-`%U!_{Tz)u>Hx}DI7t3H@DNu=D_s;SV!fUs99c_TuP_graS@Emln+%?l$ zuQl`4>Q-c%*HjM+!h20QAF+ye$9aBON#^tRN7nbs5jBlVacaXKQTuASsy2q443COL znUC94Fq4wb{M!+?tI59F=;P_nFLB?+{f`x{G|_aG>FMI{yZwXT-s70=F2M)zmkYU2lNE}*^*zx$b*&XI>5!Oiv{c}7kl%&+TX z@lbOC$R!Oq0r3*GmuPZ*%lq&^2@Eoqho0ojC>IZLh~^b@D}2-QML#)PgHnrFJMneP zx9)l>U(Q!zw1s1GG>Os7BxQ<#xeryGiL7%&`#B6&>%4EE5 zYr)BD^@9rAI+5tWfUD1CbO$M<Q`V_AV{O98e6b8+K01U4*V6hXz_E^55Q$9f|Lo zik4JI^(JFs9c7}cxsClE_H8H8B!3^)po%+SW#1j+P@Mrj`&)s>_uqJpx4#jPF_;`=4T2X$|8AYc2ouQah2Zjy=7H(tH`QH@>>40Yrjj`A$0O>%GUcmG0RJbLaGhCp>FaV8GR$ktn zzi~x0iIWJp!ex>``uJZ;rL>9)8BmuzwLw6gdjZ}nTFm;6-bg+L2)X`t9ULv&L-*E# ztx5kcmI}x>cF3!0kWsTk!jYcG%6cHs3-%S$0=W<+ra^GGZ2ff|s-?9pXgMU*$UrRL zivGG5Zy>irUrWGeFQRAyv%g7TKv_ARFT?LQ7%0frw>#Cvrb`CxyYkFJPtqx^(j;>p zii7DqiRQWcJ}bGHZXcDGaC!bp#WekIT;6ppTB3Ub$cvJm1I5cEalK{S4mDcmkuYh1 zBExwZK#<;^kEVNOjqYRj{zv(XY)!!~MDU7FjaNO_`{-Ri^5IWRS!M_B$2aacLxALh z<_l?W=?3fqjXnrNe~V)kLX@>>KD=cfJ~!o$s<9q>z^VzfFkkOwmM$)g_0Ls~6Lm_c zyuKe+a9y(^z5+G4MOm#5ebq)Q-&KbUa!nF&LI$cFMg*Qpekz-jpZF7wGQI*umn6m%tp zZh(c}UjiHq5dS!BlWOJSO83gdQs1ZmTS`YuY|SMWnF%6G=lcwF0@*V#Ry%zl=)vd3 zf5n?`wM`t_l%k&L674+4b%&f;^qXLvVlj8fd5U7U#5w{#SJd*3It_kI2=_Lr9L_>& z-S?}j{z~+?ACtfJAwgDZKZQCdwdIw+rIpD-87E>kSF|<#Qz-<`!CO?5Z^6hxbIzf_ z7eA_`Q0L63NsYB|v7Y@oSUK#RqQ0%4r*UtXqLZms-KFmdZ$gNcw!^gIqcY8yU}R0Q zPpcD3a1}Ago3-7qz7FO;PHE?400(>8Rs=^j)#W^NpiC?vDl=)ayGmuA%D=lN4f6`$kqvwe9L7Ugz==MEFF`j4{^6t*!cuOdDr= zpkwA0)39UP%t4HDX{E9Er`a7iN}>JXMl5mj^MlbT`tW%Xyw#07+c$*Pnx22xW_%(I8+WImD^-8`(fD9yt{i@+90|?WH_*7@> zb>G@M8AdHwH4D6puFY*t|2W4dx-_g^BCXFgao~FD^OZWx$N@vPiUuMXL=|~uzOi+{ zvT63qwdR;#b;u}clgH*-57?M_(Z}|qOoYdop?Y5}@P0T+yhz;b%$nDSxVr`>n~z8H zF+`xThJ0ReO$z&|ysM>|cl=1j`-7k9GoP!%L}xYD(^{r4Bpd9+sK)D$kI#9@x*zuS z$NGm1AE8e1+_}lGJ*D)p0H`;tGX*HgI`Z}-irh@T>m$$CzbaqyhzfZ__qyvgJ-puhphWk{pmi0a6yju5o>+C zh3JP6ZuXvv$@0lE0oK@gyIuX0|Nef4CfzeBgo&=Yf>a4wWa^6^YDr#E1C#0=kjc~= z(5ali#4wg-ecRDHCA{OaGob^s_9|McadCgc-JK3EmUk`Q6a+lihV|up+#qE$glWJE+mVgD{R~JuH<%l8b>HA-R|2|hQ{gfQO*8GG8 zD&JZC?Bk(A#v*8;d!vd3(=(!U)w?+ zyALlb)wtdnv(e%gQ+8?LkN#v{A$HVNZ1d|SK?egB3wW=IQ#CXv2YU^&)jor*8!I0` zxY48&T6_wyuuteNE%=~bO)ljs+Vje0zWXhbj&MpPyJ>QMV2ossm=+6u&X=N9`BLL! zcUK2?#-^1znh;~(8Nw77JR2x03XgX#tTOkc_0RyvFmN-TwUm#~IbiWldq39%CDG9{ zkGFM&5=Jh_z7Qlb8Gh-IHL^gPk5(ETBp@!N*jL=DCcU>b%E%TCdWn)V&7hzbX_Khg zPFkAjW2fJj1n!$knL-$G0TEw`&-N3UmOw_{Sj2>_ZO|fI_l=unSXnKT91fL*$B>eA@| zp+9{xy_RxIje}MUJ(>{vR&e{#b1B!Afah%5IeLDi^&APcRPB9tLpz0>DAVML+XoY3 zpjvK)*}1d&=gw|b(ozC=4rZ~ykUOnW!{G-VmW2bpkgr)<_#A#V8+i~k)?=+}gdyTW z!glm( z6h_L1d=J66SC0Ri9Yg8Wd!v^n^QMC)IAU?sp z3ItDAsVQdLQ#Q_wo1Gph(SOQ+CuE?`3)Ow6fP78W_2&tJCRzi0j6OW(G;Fu${J9v> z4{Uyt#Fl0XD&!jmg9Sq)kk#h6qxeQ#$hWARtO}6%tQTVSKNsTWdH(MM^JaUx8QgcV zJGm!ytNHZ~_+UVD^`7|#KXvqvLL!1?cdgxHeIb6u+$#0Eom>apl{{lC#!u<{@ypHL zX^?Mah%Ad?uW+06KV54-@(z&4d>00P43`z%@$iCNUKuR4vdP>SH|;~+6j^QZ{gep9cXgjFWwq0Se%T|@*MFkUfL4d z1@7<6lrP%S84t&{u#Nu(hSy)OoOG+ihS2hIM@t}@Eet|o!-u2DKB$Xe0yd4*5?d>* zQ|sV%AB%g&=@GK>rsjfC!1%!71T<~)+AyX%`ED*L~DgA zZIjd28fHm9G;HV|rbl6}72{&rzKQ%l;d7AznFS9tnM7WNW2RGV6@_)@_PvnW{=%A7 zacW9cNK0|6NEA)d-Vw3WHI)qPnV*SnyhhtcK1hPotgm5Er1DrrUnQ^QFxXC#I@y=* zflVTDs9eXPdOg*?di~Lkuz%k#VgF9rEl1G3%=3|{K0^pjDeK9J%{PSdBo|t7uRQ3i zmGNxv+1mHkjV(_e0B|wKJu<|I-6B%~ol;jQJ0pFiRNvpM=HLr{R3<%E^_Y&8|3RF1 zm*TXNJ(*1i?v$E(F)(06t1hk}mJCYR_Fcr%pB&6Sw~50@*{Du^fbZ%&U#{)Y%FUeh zCq6GUPD_aVjnDo6*}CGIazJjEoFf~}b8=|a#Ul&i{U3I=?^AbeTp|$te(!7XJEHsi zxOt4+@*8>v20?}cKoJ09rhoYpUV*lizjnqqp6$QO3pS~?1v@GNZwpJXHNJ)M0MO^+ z9~y?R=;-L8{~7nn=dAU(7&!SeP3^(@3y6`kfoR{ZAGCNVf+hvfEs#Ar`am;U;v3h2 z{q+Bz(ECax9lmnc)I`QWkxj|_kya%FZye2SMrz7_NWJ?2GH;TzIZ3Nrz;^GWm9ND4 zEZy>5tLN)2vhMn1R_VXM)?|E<`c=&DE^XC_-Rb?Jqgw+p6_aJEbW=q`hFQ9mHYEr+ zm6u`I0llKv8Z9ZDn^qZQ9OFN~Q(*gxB2XgJ;2X+t-kq?{JBzd5Nojq4h-Gx(*S|l` z1v-%Z=Y_d|Lg^`&UV0lRSC(s_;#{9I2=iKM$g$OMjs1G>RZ)eVJhzFkK#$C^10d8Z zz6O{La;0DXaNpee_B{Lp2!FoH)-(tLl&V1WHZ84#_Awu=T;hAnqdt3JD@+Qy}Zclg@EMj7=)th5df+HqtZ0--Rp4_9{DH*D^i<M8IJiZm(Ke%prz6V0+^M3WWwKf?!Z06_uTWBoH73DTP)ml&S@h zB1NBqoNnup1y*{jxo zU~}SAMmc~=M<7Sh3YM^D{?#>tA+YLzB?kiB#Hep`2O6|^|KnvWXD(=C?l39|Dm-R# zrl@*&$QRIW-mpX^77wLx*#%BDn_onP8%I*r6FX_a{W6h)h3IY+b3Tf4XKowk0+BF? zrdThZR*1WRS@;|*T_E$OG`3+H=Ql?T@B;~nhkd;B`wV_qE#sqwb^3pMXAqtcecQ2Q zV5V~fd%%|StW{L6AZty(&iJ0m6qTuPk(am9#z{JQh_XL)p|b?QspQgmNZAG za0c7LG03b!LQ~Wa;@8!ixXI9!u0F3C9~tUrf95xC3SEz$>T@+7r&W%W(PnIpKcTkM z=UEqUWjeH-LUmHg0QbE3MY6i0AZiF7d2+mF?;Wtd0R{RWw1mkSt~*;FzBe1@@v}BQ zxTssedW;A1Iw&A}6@RnoKE8kjB5VrtTtj?8z{Uvx7)o<^OS=ytYzG7rDhvE8jDbMl z_|$F5!$%-{k4|3uBY+nJ=+<-S#LDl#Uj)%Cg(b^U{>z&GXch$Wmm2ba|G6T-9fq2Q z#QVCtXCM%Wd)e76L}TZg9FGD96?)og^FCW&x_|7~cAma-h!ZQq+Od8;`B-_;(XvaL zCysNQZ*ZRzGy0k{{ilFxxxy5I=7}R+=OOaBigeV#H}g@jkyPwno*V1~uN z42EDQ1U#-UeFo5vM3^;s#x}8gg~KenDoX1xIb7wGdmT)kHIwE&+{*bdT$1jzTiU$| z%WSQlrvbxAecaN3z7gwljFQm6G z(asG{vgAt!cdR)n;+stTI2*jqzAtw^$djf5kV+wx-Fb5BpkaDa**BGPA7~3Eqx9k) z|MTj+5})?YBLaiblTMA|m!>o|{A&Txra010Ko!wTmm7^T77Fxbwc24Nf!mb5axeg> z1pErWme+11cLMMmJ8gJRWIs}ZD;kNzH`Hj7gg0(`<;4C?e@<;4Wdtr4_V&D(5nM@p#g2ZGv*6!_ZlV_o+qKq-?E1{H%0D+B&E?v*TUa;3B) z(TjVTp(6YO4>^i$f74pbhGQEyu%)*A7&4PItviydnYEItpAT1k!>pY*6= z!UW~*A)Ag=G?PTGvznqIx!49?jVyTS-8j6w-YaNj9gN#(!Ot`uD86y&%9~1Ocem^A zbFU()g{K7_X;Ei~M%=hiAELh9QW=+z`I_e$=`f_WU{dWk&G z@u-A<@shVsfuD>@?bBlQ&~y%cLc1Gn$(`7QZJ3!B-Q7biMl$8qtv-l3=9bInZ!vX@ zV%p&G70`KpcH7aXIt#65aUSEu)pc-d0j$NEA1!Tn?j86pEtdOiSQ|@X=4{0$+>DTO zOU7#V>>Jf0*xew=7SEc|2jnbiR=Dakwm;;3Y8m~of9uFSFYVnMYVtOvx6YcUnp^BT z7)YiBCX`cdsGEG@6a`6tiQm6L^Wy_rC#|7ByeRx8YX{6>M)TX5^+E{jOuYsoov(2e z@hK-o`|Iitb=6pD#|jL49Y%6ah3eIr3*yCgPnPYk=k#2Vo!SdYR#Q_!-d!A2cfj`+ zloyalq&}Nd-_7n8-B?xns% zT{lV;2@mAu<#p(J?s_Ij&)k>ZzeC7>w^_Npy}k>98g5t4PJXLe+~EhR#_{gWV*ERFa~@r*(=}4mlOHkiM@1u` zcTa)V&9Zzh#yaW)NdEjV2c2iyx#iEZQ2vC+(&w zM~;kW3{8DmnL{9Kt*fgGK=Fcu$Ov5Pg9i_UI{SC7Q*tlVH2mZ8wu}r>fM7+uESY8W janS9PlL3cs8Avu{np!%N%$!3NHGk&h{z;AF<&=K{vP&?- diff --git a/windows/security/identity-protection/hello-for-business/images/hello-intune-enable.png b/windows/security/identity-protection/hello-for-business/images/hello-intune-enable.png deleted file mode 100644 index edcbe0ec34d970f1a702b0e0f6ed42a454bf6c1a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 74741 zcmbrlWl)?!w=GN(2o_v|y9EvI5ZnR;n8DqHyGwxJ9^Bm>f;$Aa;O?%256&Huyyu)h zr|N$9>naN7p{Jkj-Q8Q(UOV`UoCFdA9s(2;6q1yrs3H^;G&U5}>vOobkSA8uD$tN$ zuj~~igrUku3HBi$piP8ig`l9SA`u_-U?892Z6wv~p`frSUw&RmDN>w5K|SY5i3$N+ zw2ziyJus&i-kwsw`sy3|?Gq~HH^o@VXfj!fZ+pPuo`4|HPXZMrS{3h6;Yjow0k0}1 z!btSH;b;kqq|tt527zA-eZ(ZiEP|)F-Ql-4W^JCAb>hUAbbWg2P2-+4p(fo;1E<1= z1eqo{?N5lIqWx{R(lFRot+n~-6l8zfc{&2Uri!HezyG7%lBjy4|EF`956pkM;lDu? z{oA%U-(m;-ZT;5o=>Lrzy^5ns@~?9{bLFRhoxKcneg1WR=BCScOu>sc8{}dbO+Dk6h_iNlOIf9QxX%o zG99JSZs9tZ9#TCkU(I|~-u~p4o0qqbo@qGnqoG_94H{;5B>}kPq`~0e#)Y0Iz5I>X z`KW_Q@VRs_r!TChFT<>1eKecZ=wJ8IwUBvs1w1y=*dD4=-r+ zk_QJ36Z89`+4LZ)sM&lmB`vW0$ie!HZfr{%g>U%b$q?AB_V&EyuOw%+PdQh&HHi^b z$~8NCLf?OBmLp_W%_UOMDypv$Lrw6A(}Gke?(^ts8MoGs_ex||31 z{chDzdH88xz&N5=q?q@mY9svM&SkTr{Ym)te0#jwh)zr2Z0?j%Q>CG@Nsy-UEz(hB zATNK=?S;T^%Em}0L76`jcQ}R-6a6XEJlgD*DNkY9EbNaUDJj`8!nx`TLp<8ohbX9c zk-m3M(d6Wb&`!)3R9X4)p~d`tz|&y{ZBMgxyBC+&16TUtW2rg^--F!c-aO*8`P8Rq zGO?)C)Ub+p`raqc`>AS^(T6-=49;Z-3}t$q0O#imV!p{7*b__qEEbZjB5+1u#Cpw` zK+miWgTms&q94loxCC)`I2K)T!A@V~bMU@(dw7{fedf59GbwFx;DQcmj<3hrhS<@A zEv)h9jEH+;7pO?VaTxz_=?Wvz%5#=QQZ*biZ9g_VLCe()J}&LnIkfUj{pf5QTW~{; zHh+#{JK9xOw?gk+IiTF2UG+Q4?wHch(sV;`6VY@rP-(LLu}%WGCn797#hoh2=aZoA zrZy59dJjLM@e?q6e7Uc5b2KRrJQbJBEO4Jku^G;Qeeq zY(BTg=qOjMd6X@-XS`&7&KmvWhcBr89yx|e?#r&}vO$JN3+jbH(Ahz{J*D7Ss~cFn z)ouNNXFz}g^=hG^D&k&xXJ9N+vwONk8BZ_)l)I`_XAtiWiWGe6a0fm0-Ehk(Uo1b; zKZ5I@i!%=EdcpLwpHEb7xqloFI-95UrSrFM%xGA5H`bUeKfU{-?-bUyT?8(z-LDJB zn(;W5GlZ+L%5mbNZyxU*g54E;ZY44V3W3cW5rq69*6mt3wCA&0DxyrU0Hvzqg^2{h zU@LjO^W5N@zKgLE0m9ts8ofszASu00*6Zx_eLVmU2#8fz(8M3E$hnmH8cm1(ZmICM zra~M?(ak#?E>#$;TwkjDn1X|m6RU{#cUOHY&yOhh9HlC8l(;j8$JTR|LO@fajG0UL z9N{gLqA)3c^GMs}+#<0m{T={`XoN<2UyZoGoG&x1_cP()Oqtkx_4b!M>E0(A>4XnC z$tf1|5By$_j+|BvS!_g}N4B+u133G$-XsUJ*5A6};fp8SxBB(44EH8?VSt_2xr%v% zG)i@)O~~j_#ahkC=|^|5O&lrVo>Kl}O&n_MXHlTbtpQOWTI?pe^NJd=k#qv{Ns12e zOQ#&|{C&8)@k#3Z+*3Elm0`2}u0&eI?BrQ+igja8VLx_H2-XlV@2<=L!gRbEi--TA zGWl6FfzfoftrY>=St9Z7s z{G@C&8pQ;THfVUXCjr!`*=X1MWUjk7!%)n^u*+-OAKJ^ETL==NJv^^@KR#;T{w`_R zzI^Lu%cQ!BS>AK3w@PZe_0-Xy5F7`MwdJyPr`cfh3We{K6U(7Gmic7Fthdn3*AZc3DFqIBWMA9oobDga8XVCSx|ebr>o)Dl=X)$JzL^M14WJ;g>&_b&q!7 ztfOnC)%|QYqi>4%K~W)Ei1vpBGO;pN(6HpUO!eB24^8fzZ!bZCoI1pjq<(MpdoSy+ z&^x3I@O65<^Z){3(uQd~kaff*fuAmrd)qmXy8|C(fVx{BOfGgt6z&4>!$Oo49440f`yO$Pb=wf^cx631=MJ3+8ntD*yx zA1PV!U|qnEGnXI5i&H6jH`KN*^%DSPUF;T99AwQ=t|vW+)mJ-E92^Ku>hxT#0pr-! z-3?3v_{K2laFlOav0Kiz>*!o*4LEH#^LpO>EY4j~KICZqzPpL>Qe-g-&_<60ah6y<}dKT21q`Z68jY2E1I$)lLeR-B!>6#zuLs z^FAeI=5@+KAazn&DAVc%<)*s#(|iFA_&~LkZB!*f=fo1edVu=@-2M#o@jaL>Ib>hD za2RWJJIxBTabI4XZap8Y%!m z+dFtUKt?&}RbX#-g(iouad!+@(EB(xyYjq1F%ni_i82sNM2b0q&B}RHhYRGwqDJ{M zr1*QklFa}|<%8{B)ItPb?druMQ4X2QRN?0U{ez$TF2`4#HZrvuQ`bhGYI5mq8WcSm zv}R(V*b0QJFutu9z3k#WLv4cd&+FarW||TEQv*uH`c!cuQho^q)n{k-gtG>ly-4CP zhd=S^c_CK-nILFZ>5C7tD~r}d!?j{`JVLFZx9Vavbzk4}gOa6AH6b6j`!!PzdJ`~Q zrp}KKEy42kFhR#lSyl~?!{Yl6gL!rW@z#jRbcD!`)9d{1Jsr$WE^2}YN-Y3xe^3)z?3O&9pMyk){c9%)-dK&_$ z%;SIFU@`z6G_b+m><)=cmoQdfyYGg_P(5hyAA|h?ne^wF{4_L&6$-uxjpGNv5&%@D zex7u(&O3M>HS2}S7=YW?W}UNM{P6p)p@RZkjt9BvDeR4M6T>3ain+m}NAGoXHv^E| zteV(1wPmDa+uOv#5vl;g$A<0Ct|kGSys>(NTLU-y1sRvPKeX-GZKCy()fiej{Y@Ul7Z|vPEyg1ngp1Kmk62+L<%TG!JdVfiFPjRN<2i-?N{0D6`!I6=V2u4F4TCx=HZ|-=o^+A9 zQM3g#9Su3woc-?D`rV;SG4-kPOz^wI8LyJ$O&9VK`?GELwuMsn0_Cy=Tx|@q5kw>; zpls;TEH&>Vp{n5Qk1Glx@p~uAnC`)Ye}dbD2=2QB0=2vsaB*M9YdkNBmDi3p%k9S7 z{q9}M%~%4n-h|=h{-Qk7`e#}uUgxJmZ6MhD*+simOLxhJf#lm7@1v)ORR2K?Uh2C)X|f(Z|%(ltl*aH|vsNAw)SmAwMOlhE5==py)wf zU>>NY(FlvjW?Go=(T~Jdu%~Fs%a!%lsfu`^9RI3^`D=0U$Qc+Wy<2vDy{|k@A!WxzlSR z@|VyrJJo*rHR1&6M$%*futy}F#Z83vd;)E?(@&hT!42srB#=limEm=h&zDch=Lw5Z z0oAq@gq!g)9gck*G;*J4Ty>nqQs$o?N+F{#t+ea0yP_30_nv_Dy)0kNA89RSAy4ZZ zaAGA_!=;u_7Y)Z_pPpPAhUjKj{%rQ8<(9_u7;gAfkIV7baS9}Tvp?sT#VI}N7b@sJ z#9UvMsn;s^k$>Hqc$N7xG+|wk)wqz;Ns=Rw!0)Hd>cgXR;tk0A{t;R=Lf#iz@vD`C ziUFV$pfEO&s_E=nmg6AW;JL`5b#QbsCZHq~DIG_f5HRvYgV($d;S&~9%rgZfmQ~*TfgQAXg~an%j+>U|AJQL4d}3cBqwov< zr+M-bRB^G$Uc##bQjTlHVK5oyS5u4na zzHt1R!@R%U`XeB4hU^3=?`s&FAEZkbu(&Yx`Kz_O?IP&!yV0sXK>x!&jNY*RzriQi z4;@NcS2X{IiMB?_OXVfj3Ud7~Tn07(^Y46u{x@9aPrR&AxhBFdB|6&`&bd<9_xBs; z*v9|Aft>#B68vPEejNLJYNhFF$xGXYk+D zSRrsz^#B4b-_4p|L}piq&l_OWUrdRn9fB^=;M>`MS-*#AUyEipxdb%jm|v5ab}I14 z$rC&iM!tK55n}9a(7AlDP@J{c0QH-wgujeSLjr-TvNa912jjRL_M+0yfy^G9PfodN z-D^MQn4c5AK`YSKmRVYWumKa3DoWSo@Go*#7)5+LaY=)AE6sxS-H=f--q(;$a>jQ$ znEW>1^Zt77=T{|N+6gSH&fQIs(}VI!RU6HOZJ}4KRDTxA{S6mUbUqgBhiFo%o81cE zNmLNhFzq0mtekiOUUx6itk_)G>Jk`JU(wKNa)8$rYeHX`k?GuRo`@WKtV){gXx#r^ zc9h`BC`+nYo@AN6YcCjL8({|?0r0^evH!uD5K7k~w3-hT$j%e6G^2EVu{2fdt@~5#W%3GZf<~RV1b7aZ?C)7pR*s)o4f6z8!E%ZBOk` zq6yZnKl}=Nk?g7cOm*=PzTSMdlR7;5cn=diH@>32OVy&PfaMd9m4Zs->aMuNVGuNwaz%~ud?RzXNP>m5;%%|Ii{cb)63Mg?5!lq~C4){;6f9ZDAu-egP= zk2mNo5}skj>oOiqzQBNGvpp!E_kC0&JWgqS4H=B<)4Z%Z6g1VtXZCyMhaPA5?A0T~ zb>43gv2znj*1ku+wv+vHr|qC17am6as{^42h5%o&(xp)%iU;RPaoByi;^M+h`2;t> zi4FGSTVfvTScIQ|^gQ%q{2C>xK7oYy%4sy}o+3e|k+Lgfw(u1MjItlQbTbm z4=)Cm9H4Lf5q@8P|*JZV87_S#*Xcwgy`7V+=9P-&ygYf zXXo?tCtGfA?%sz#5O8*j-^<7(?Cf#>89WA}ga%T1f4~G7EkXZE>Uv~vYz+(3@31+_~JO2+>KUiYNR(Wc7B=lMPDF*N9YFkK4 zTC^PUwLi{C3vJ(PM3j*mTu{Yo_(5DrvEE73@}6NVTD1E=C|^N4mfXi5w%|Fe%>DUO z>p|`BQY%mP{u}I^&##e1x59+}&7|Zto+_8qbu|Kk#UdCsd8R0Gv1A!xe^+3-kZoD} zm;*@l3KnvUQvZ_+a0Pa}MwA%S7XS6jlGesX<(OBYRv$}KO13*L7N8kFHU$7uT^J_u zihCE#kdk5e{WWW`?_b38%GU{_e*N+`)D&c$o6Bm;bP`WJmtWpMmK{8)1 zijQ-wMqt#0Xin?4TPkD%u1uNFCZnmH{n6yp)C$^t5D@I8Z386eh(R<4C$q7_542XYQE6&qIm)@b)F3K99FBp=Tp*mx957#Hpp-5)MoCZ_ z*+GdIV@vqDS>qC{XsQTethHK%U%Z^DHt7w+g@hnUcy3n*+x^B-7J;39u;f%!;v=D9 zVE`kUczWC9x_-Cnwq{pRZc-CJgu1m)-NC(pr5Dv2-eOBQcpm35;5RMs|LP+Nmvl zSDjwUbU`Jb9#*7OP(1*%&BYPeFDlJ~?!?qXy{Ypnhm|!zTsT>rtXdf@^E21ol9EP( znOdm^2?h09y%F(dIB6QQdjVtff?S`$;>JGCiaky|;iOS~NEzyUBS%OkW>tH&q0SHAv;?~C8PHdk%);D+D?*$E#LK4{dHru!m%l$;-kp>_-g zE0?PJa9A!BLIrp*s{ib-IR2M?+jf41NH2-)tY}8dxZfePum9EM=$eF2owNT;E#D>C zpv~hg%asNT@{tm(3^zUq6qdI)q3{J%$fk&n1JtQGj zC6a)uML5gWU}HhI6X}8+SQ8~ZiC8m~VQMLnLCS9=oU@^w)0 z!T7qzB<2hWBRFMO&t=T1L1R$8P9*ZIYV?pWRLncc`PtNBLM$kFf>43u({s-qKNc^w zG5wI;a>kidEcZ&``r+KxH4ysjCO1WUXFIRoMp_OXZE{=gict(wPh{RSgwA|~JHp7JM*=(W`%>Yy%(RuKh z?XW(w-zzuc-Rxt_*}gJGQ?tBQ#aC&vx}J9;D6MTwV6GQUWW)$@2){~7M~6Y*eipMU zPS+!U5wUWzJhXI%fF}U8)2s^>A3qebL)>?or}5Aq#KUlWm<@Wl?(A{6?Q+R=g<@AJ zK&cVsk$iztI@V$>ZZ*CNPV~qbqJqIhlgjI{#xDxEk@E>+$=H?l9|3$4_Lq!R=+eVFDS(-U=oyU)Zhb#w?m-^v3@lw}hV zDWFK=yl;O>+H{&VkzAB!`j+zAZix0(uY8u#?OLu2I**$yVZQTMyO9M_bfa>!y$zi$ z?OR~i(L4DqNn%W-KkbW4>BSE{_Blpc4edMF>wPHabI>ub*RO@!XW>xv-q*c#fsxM7 zm$-rv63?8^U6V2I_56=OL-pgbD+eUV!(A=xcWAD+upi}iyf2y9IAp#tTI2Uo_cai0 z@&xP&bGE3~OW!k^mY8@}dzl9y>{y%ctaIXiID;m#K9o__Lt1g!Hi$iV2i?8LE@iIRy{;$E8a=n6*M4Z<4~hX5i&`!^Q!bu_ z_8J*x)u^&&6B{2|20D1irXBivb1);miaTa#{bvK7N2K?1sTuxy{^L#pW2IKU)1~q*6&gL5h~=O z10@!8O)27cGak3^40~Ur-7@NJ!>Z={B8dGy3&#m_p(g+i#tIj)08yXjXy{$;;lccu z)Yd(vXZRz7D+U;+HgqE`PInh2D=>(z=T$SsC_t-DEf zQRE(1D9JWzp@U07lDjB8?Ab=yMLYN;j5^cAw32qoHq23AzEB%V)+T zV59`j`pPM4=wie63_4_wYoSY-W2-nJm@Ehn zw~X>kJz<SD+}PjubY^mct;(XHc0dw6W3jEp#VT8* z?DfUTk%CK$7nc2Uh@R>Az1Hw!!OED={!IshWTPbG1$4gLVJP;r@Kh5}9i_Knw=6-u zyjQ-R%kzx;1QJ^}fLGk73n+Pb)RC~AhhEIfwlc&be2+&EKTJW)^2*aSp!q&X>9b6& zm>Muh=|^y(u}V-nLz-<)iPp@qKd5JF?cjVN+9p|3=b{>ClHHZ zT~q@dHh9ZqWrr{PVxBY%3i7sgSt%UR^DZI}2083pMA`B4l~Z#@WyHQ3_0Wdbw83bx zgBMh|)(lefvTZ#n>Dj@OrPIn~QJ0(+#HXXFfKwf5J3#7mX;=D6?>0q1RmbG-h84<% zq-Z>nU}Qu{)})Mndg#WFr%bfHy4lT@U&U|eAYEJh=o#)3?bg{t3!&vDFI56bQ-W4}xs zsd}8tp__v%+sLX2RD_!rLL5++J|R}F9GZxrnqg>-FzShkh*K{|=H zcX|eyzzM&!NV(0IXoxVkae1NEe7c~A-Jo-s<;6Q}#4^7Y1$6jl^>iEac%E;t8`}rP z^3UDmsU2INN%AgxkairnA)x+oF}4{X;Q^Man2q06AsB%EG?61WN)*@(yGj~2Ir-2$ zGM@I%4JY4eFxRg~vuiv!XPTgE{2keAl%Ln2o0ugdGm7Vs)lz4jl_QZE@!Kz4ps*bg`Ax3E^-HKiPy%h??a)j@9j^4$Gm!J*U4Z3r~8?}n+n0-U{f?vj?-GEcQ3O; zfPM+vOUXsY-s&gB@s;(&D0dGTpSF#zj?; z5v)eHEgG_RhAg|3;T`|uY+y(Mr`aXam0zBkHJV{`^)+QHj~P)vCgJ&$IGT6HGdT}6u@?_j;# zhMMGcbtUXk1`Z`Q$5$}Wnpr!!un%2!^lk!2S3SoSmHmE%tJVy*FrMjDaOmvrOBKO6 zcng^@5F|#J9NmwDO;H}5LdeQ;&Ma7;+ZbL%G)VL!qH6VJ=4xll8gw^O1I-p z5u>H4S#6L5+wL4&XA5Iw#0|Vu({PNs0xR>?hYKRdg~%p}`eI{Ju>)|=eZ}&aG3v{e zoRzexor#3tceE~H(%Tor>m|5;<5gZkxVj%{!}Y)d;kLv*x?djg0l^xILg|eNh}!Ph zgem@cCNQyZLS;>8E*^V}H>CyhAM~%K#GFXQ`LH8UwS*WInF(sGFY}#Fj+<)7nQ0$g zx^qq>7@VyKPZc){aW)tD!t16l<33;n^m^lmJ$pPw=LnyaL}B|?tzF=R1%-TKFmLXy z$5t$X=Ry8h4xYfdEIu?|G$Q+W@TlOjbVi7OI8_l&J41)_c*}UjlOfA-LU_+}z?ad} z(B8-<6V=h*>^WHxSS3E!s(l&!g$9}-00+F6s<7u|ZTVeIR%vT4c{x%D;vV%3n~Z!z zd~uDnFoX(BQVPVO+xpA}hL5R8LBvq#v_l;efBG)}7sAN)rE6I7 zXLXAWDqNFZxntm97d^i0g=lQiT1=nU6ohXG6V`IIcBw{Tksh(DooLdg z|HJzIA3Wt;>a>c`Ei9<;TX4z@pj9tZDMKx&Sr-%Fjt4qFe*I?{0eFEtiJ%~aR5Bjc zEKxXh(bfPMWf@@l-JgtfiKEa70hC_k2|+!$ zS1>o$HLSW%?-)>(i^G!JK=}uIN(Iq))Y+-Eo69RMeIKr!p>-l{KJebLi(h-ep6{rs zd2Ojk4BJ%)*7_NHn?Aipt0lw9$pSoMoKU9NGvo2 zIQ=s=fl(2&+v^7V%tW3yzD9MjeA@{EYjix`723qi8;7+Xli_GO)z+zJ@ zcHnglEeEj~t1v_`Yd$nX*e2bx8?K;hqrU`os0Bs}Heu@;b z}I&=L5|d;b8=5A|}e2CG=}=6zaiefJ0BI=EeK z-OdbQR0~2aJQguir=<`grDVtQ_w$=7h`pEgMPxUh`Bkpf4CvAFg*Klp2jU_@V3@8z zVz0vZn%D5kb=@K;{JHr(62zY0)A`+t&yfjv)*!+hxBrGBaPtXxZIo^(^EriMvC#}_Q@T&(cjpMfW+Q&Ve|M;Y3ad)P@DJD4cPHr{k;u@# zhBuG0)}h^g1nA~eS6SD<2SB6Kl2_MYnR5C1@ib)lqUfm4BXU#n-|KEA^p4L}ygn4eC z3o!lBnAL=;lCm=0MKbSCXGTG%X$nPA`%_bZ%f(8}=Lajwa-2;TOC;rzKsJ8H5t7^` zVqi(KCpRXY@;iCHv+sA9=%|%|B1JKnSEZ$|cn44mmCKUx5*&|)96>9DNchQdv}!x$ z%_oXN@8AhM?vLwfxpa>!td^UK8v{z2UPbm1duzrGJ@kg-m)M3ve=PMpS!vbq9J~{r zi6eQV@JZ^+S|G!XdNp)dNOShR_RT`%6V?%yZ3b7e5f0XFN|*slL`gL?p4XBuxh#Hi zC(>hV`@V9`k7G}zpuvX59|}_S3`~6=d=N~~0YN<@%Hm?gOru(_S=^@FcT!l8oo4Q% z>0$V(a|ZY4iQS?;zkPAPvRlX&ef%Mtx)%QwsQN7aM zXIN0;qVfpRuki}Bd%r5rS%fA8^jvVy+GX!M`Kj9KWHC7Ig3^e?po5Ffrn-sC?ngZ1 z8q7Xhj6YUTsPo(H<&sVUla6wy{|=V*phJVlZHPJtJG+<>ttNB+WY{w#-LT#E!x(;| zPZ)BU0AENsIA+G#I%}0AzCMv`qw6NJnnW;Oh4Tm5LMX`vZKxEgq(c}vAHbS5AJEa!A@(;jG0rOI&gxL6v-CGlf@{&l>ghwb!~`$vlAFDo65PJXr#pytXj##+C|WVh;w4$ovRBG?m61! zB3Y@y>JM9ZPTEat&+V(Y8E(tY5j76~k15|&XV=r9HS9463oCi7EpC<)FE^D%7(HdF zUL+6=D};vDI)P2^A}fDazPc0FP-fv8%VgWiXbWnmmS6kTbFt^KNC=0F&=ubu_?zt~ zEpjTiKXJs9Pkl=5tPD?#Gn$=tAqy%6d1vvkMiPRuZfANUNh#E? zO1*BtH=%0OQi1n|DH$H;@ONNP#hqxB04gL`PC&vqrX-1}<*RQSVQczQqv#|jZ{x~~m+en>+ z%^b5iPu$K=d`=H%yvh&G&iUOw7~aK3f;YB^E2~ww?L@L)GR(n``Gc(F^H7kix-A(zC&^FiRc+v9*{##HF(lK9!(teuB8!sDXaXZ17S47aSGfJ<(@Q#KM%>0RxJbzw(o@NAh%??&I|9rWHPJBY9@NBu(mFCL@gIuvCrbS%D_EfI? zzUtlUbF8ZuH|#(8yAp^#BFR4bPgTr$u|@kohY#W*GX4)Y?|&55`1-toIH~{qKhEL* zw=$dmD|W`;1(5xJtl#+}`#DoR?u0o_F2O>leLgw)8%Z7APz#`aK;I`uO_!MMFw3e*gZW1$hK%v7FFiqLX0B3hs7SHOcVX`g;Y}~_b1~3H#%ETczDmRU@n2<9w)qE$Rwe9f>vHFH*IhYz;_|rp zSZB3-FdKyhPbI1I4&vC%wYb(WUX4I}psBl&WOk7X?N&e~S&iL*m&?TnC$rs_Bv9b% z1O?DIdfPDFLs|*$zJ-w2sqnaQF&}8fo`ISk@vo4IhI7bCcm3hkzTpPKf{?jUla*nG z)(NaJ87p>VCGUhTa+obtcmwgbfLOLVl470*Q$>kGM3IieGXo-j~q;{+)?X9cCUFyD&)UESzrKh0?bm-X(|Ve9&62Kd3?#y zO-~&x{_F|F71a8;rUA1IEVC=K0gXHd?k2YsECdRk_mc~tsI{UA`@*4rhUi5=gZWHp zuvW9ve&fmq^`A5^?k@4avRd=Nl1|efS{d>9qH|bCVDLwPa;?99Cwf z@0*bnPL=zFCsGQ!EY&LgV$GSjj*tR_KfF2!lyF>~R%LS-?wn=?xUMb6y?@3;R?E47Se+Md+BO*ZxEa17<(o} ztTzHTGe{{ZdqABSMTIgKuiUrWWfB-wf10Ab}}Z+PM98-@g;O20##VV-02;Y4OL{Pc)FbR`G``DfR4 zH>@lcpV`~yA0cHSy!o^}ZO9Y5->8*OI}Q>$@Je;R2_DI!KnUc4Ol>z^haoL&fl>5t z1`?wjwWOjlZ8v*q?>i2@DcpUH+QC2%f><)S{3L7(Y@xp!>M8|UR1cc3jET}TNiy5l zjf<%H=6gyP5-i8rVW^_1=hJQ!ZCL2sA53X9(!D|{9F|iY_#766EEw7@>o9RJdPbsi zt21kZX2_&!@aOxZFV5$kVw5pfb*s@(e9(8KeF6t9RDZ|qY>nByQH}WtyVlqGO3gkguG`e zA7s*Q34+|9V!?$Hm5K<6E-JDcYHhg9M=FW+NvI+FxV^*n#b2P+8lK?0i>*l?cEIT-uW66g&Jd7K;haG`*dF< zaUZ0tM4=e)Vac|SuqpN&e+4l%_srU(ls6F`t&S)NXbWI`2Z#1vIKllJ* zYtKWxtG|0q_j`*LqpzvB#(5_)0yG`$A`bIe#Y7Hh|=A2G-3AP~9!l^0GRNd*4 z3=VA-X@B_=B`<$vsHP?{llR~Ue!XqnA{hMeeyPgbo?luNW@G>n{${HH&5hQ4jMJNV zdT<6(N^m&HL1Ry@{1BWGNxA<4G{95MsGv=imVUfgj{>2MPgAbMK;Ah2cH6V%Jq_pP zqf{(^=Mc6>fkbd&rdqRgInj{%lva$b{1r{hQ$4X`@W8z#1zDZW8#Xgj{JS2!ym_=h zsa_|lnCMFt?RPo4BATqQ4b)RLLub&4k@BkM}pkSFC(3rkVTbSbgMuj!=7rRp{Up`_b+2|b>wf1G78)~ z^_MZu_i1^-zDsZHn6`d_T_Ba7^lH`65)lLnn>rq6{>8d?Lp(FXb$ad8M%;%2D8HT< zW^5ruVu=W$I)?kx0M6a$MVBT)Ce4O#kP;DYFCCbJr&!Q$FHgb8OC?8QBMB1FD>5Aj z@m1l~_2jyd8@)Yv%H=J1mMF7V@J27{?x#yLl1x3fp#D8FuCgAqxWVPd(Rb`F=Ki^v z%u9+8O_O=+T^o)8kF@j{>5hmBZ=v76b5!k%Xo&U+vrV{S9F6d`d0Q}<_#Y?&ypz9G z%84*L_BJQpjnOQrUDC5CFFx2ijX*zarj->wc1fsKoxpt0knNDSUs5UE;;H|Gtrb6a?8;(I4y5eBtUq*%M>21AaZp$8!huP(x)^Y4 z&jeReO$`>6(+-6gB_i+V`&ES;aU`uDtbEHc<@X8pwZ248W)r#a=^p1&?6C|Q$}q1e zO{0iin*_JPF)gn)R@_0r_L?o{1m35mjQVA#l+C+Ad@2s>mDDo#OS5Ia#w2KqI_uT) zf;}^RU7tcIUWYpqeq%FDcJ#5;<5V9KS>h(n4bA%XR@9$ntLP~k z7tTr{S`thL%tb9->N}KzEP#{3u#};lIB2DHIfd2fQRbU7GpPrzmqSs zuRe679aYfb{dkp7+~K-0)=FZySij;%7lK6>0Acs+DV_r%EOr33|M^|dLx0LDFzF2Z z^mD3QOJn)@+&)T0^0yfzNWJBl6K&IbkxaAAZ5RKOfUcEaovtgQ2A06$WEC!U|2gjQI?cP5 zh7bEj^VYuWt?fTptouHi+fe>wi2puj;wF$?TDM+#i1>K{2p#!+0mH_aH?$B$MBclvX6CcP_<_r3)aC5lvT?9-HX$H|Kyd}zUXnlG+QO|Q&f~g|LC#zPASZ~ zOT91J^GDcCPeqP|M&n9Z_;H2!5j5`Xsz$(e8K|CEe_F)6CRip1zDo7tAg0$gd3yj> z*#cf7-w@2TVdAP)zc|Iz{ ziK-;JuXiN!g7p^j*|hW!`sA#AYNG}x>p5(>;fH<=C&MU}-uVou!G>G}js3ov7zX+6 z^RMz*^-R=7L(NXdc7`yj`>Tq^I=ycCM^VLmH(9F`dcQg!Q??GK~NS zY$oj^Rrwu_p+V-kijnEHeQhoqNEvb4tudD2`L9`bq5fN`d|y7I*oSxv z6`_u0->0WOy+)t$NUF2$*7sDoW^=e@+~%#Fsr43APHJ5u!*aO?Tdn3h4woO@Cp>yV zT=;|g1fx7nUyJfS#-TfRV%6CZvc-OSkuI;%a&V)?Q1Y%@m`Y56`{#(=MeBB;EE$Dg zC!zPr*s$tqfumL_NV7br8Kf|{bssOER5u5*JZ!G3v(%BRvpyDaX&S5Ue&W~Y(poCtQxDCsT!3!DS3W^;Dq4B;re*TRxpjtOMbLNT2n zG87J0+xWO%V#%&$#-vLiI>$<) zLUH$O<9DlzazfLlEB+`tN-uugEL9=a&MlgAwJk%syA>WXCy_6>UDJO|`=0mo%G80d zZtBBawdI1t!_+0aN828|DE4ZQ)bj(>`4VRf*p2?i1jC>dUi-aO_G=~jFA<{g54MmxqCh%az=C6tx! zF}c9r+0kjl>4uzh0OIrNH_8G*S2#xMEcuDv*M z_O=y7)%)@G-*c*^XM*8^n6oVbu~;Fy3ZzBciZ$bV6ZB-t-w=76pF5OB?|m91 z8s@m>-qfXgmwbWM=C%v}a5cb&Rr)clC;3bv@lpdL>|x?&rR{-p0UJT{BC#|#&*)u* zRLT~_>K9$=7o8qKP{lFZ9joPGRaxS}IJ$zju9iy>CMPgyuFf*0xI_BDc6T(*b~BvQ zSlx=+d#+ry>h=2ix>+M6?jVJ5wn9VUA&u-YyPk~gmLqsFo<~{(3!nB2Fl=NS&bqxa!RO%SG`>VB)&qoX= z2-Sff!K;Uj=>txbwJ%|V8Gqx69l-`9I*$MewblEpz@s=D`&RHcf9z1Lnc=a^$WvoGS{p((8$cn_X7xQXQU^n;!>olPYPPGTqO zoREh!ZEEUrAF_0HS*gcd75=?zthMH|NPjE&Z6n;QCxw8z+z21Q zexcmrFe*^Yk4QnQ(lv)6+P-KWnzDoC)V)u&9Esf_v40UfacJ~XxS2PMEIc1R;e{#D z+w2pHM3xs&tPQ(7jGH}nU!`oYRhUU75SB|E%pAFCbYoT zH*v8hFYzg;n)w?1{V~JM%2f+rZGIfg;_8s#RNk@qm$fTbRAMCa>vp{*mEg*k8Oexp z)d5d8c0Af*CRCG1zHiV?{V0)3XX-?=E&Pb**ASaCyQgBMMTAh6ztI(SLq1(RAXY5i zj0psgLuSfVQ$ZCv^EWwJg5tbDw+~*^%foC-iLYfrg~m|^D3DHXu!YQDT`Q0jd)5f6 z^-w{1TTwvp=9xZb8S3&_O0`1mb6~V;1QGt4w~3!^ohSv5YH{I5hD8-9WManrS-!0@m~dOV2+mj6X*a=H3RgVd~{)U58cI=P)Kbp`bi|ci*|Ew$cE) zI{NGBJrV}$Gnj>PoZ<0zKHS*Kqr>nAweLlSvjppb=;%hYl0JmtglSlis*1=LS)g2DVl?b9CP#!a{~2fI+NM6ea9Q^?WZ6hlO7KHxg!vUh^x(TZLIlX$H?*f@9{y%w6P)h!y1RcLpJwZx3Q z#ohFH(mc};bvn(8(u>Q9SolGGwe)E9fiBku>2Og>WP%l3hl+pJ?Sisz&270Y=2=3o z14e7$e8^QinOw8}i?W<+=~|*ws>e1~N0hsAm14=@IlzIzt-uq{w)mD$wsx%t%KDyf^CwQYan%yQD z!XYV>Z#dOpuq5JjW)noL)`(<_)UEY5<^ezfu*L;*z7a?J(`%gtNQZ#4n_WE8FNuSGBos{VUp^-BKC@Pb48KT=28vd$Gb=ANr@M#RQlq*4@JHC2@)OM>qbwK%WXKSRH21p5(Qr}^Ek?7B7cVp&by)T%Z9#6mO~29eZ4818i|mAn_A*v&XbQC z(Coi8F^6>S9k}<|ifJATuWE^Q_rx=9i21YBkpQ4%*lk6>wyaDd#^2bD#g4oIyi7=7~!u@slLy+W^0+c7Jd1hsQ!F3G#0$P%0veOaj#PvS}j7gh+I**`U;%2FMz&v zTWKX%N4yl(5eQ~%tToy*cx6XA_lfEKR>Ssfo{^*4!uvE(IeWef=2&%ns)UjV&Hht5 z%QP@{9&psErdx`Nw;7`(2-i44`mm9-J*_R0 z7NE-vyfA{D9t|rV=ebzZFy)rc1}mRMS=C}Qx{eMac3>vMG6T|b#cc&fzJs_m!O|%S zsC^F)zP-8)21B2ACjDf0?F$>=`wjhM6ocifb5;uyktfArW+eEZbCW21Y2zFjI_Z40 zPu%vA%!jJLEAhN?Q&sFHki%Um&Fw4H;2jNEW=s!NGMI_addYcEC?0CSh~z>D?7q*o zlxmgupxjC*JDw}TWvu40xN*>g%HL&2b;>F6HE!eeW?Hw=#iZJcBFpsvYTX@dSmK!P^-ub$Muz%wX+2H+>2Npn;axtdX8PJSxc`Vgh?)EcOTwd#ZxJVsxF>iOar`^W0Q}wCocS(ua zxJfJ^ipO>pOu@YO$}u48q)=6`dsz>{S5gG$B)g|GS{N43rTTC*;+NBPbfVGh(1&Z{ zyfMcAxT0U}L|Z}-;8{^+y``9!yAaHR--y-;E_a)+mHp|p%${_YUhcTm@wLS3X50Pa z1sV)AT*DAov}B7Bfm-`qNv8#oo-vAx)a3w8aR(i6b6i!A z2{F>fRv%UD==$Lv2}(`?%q4OLqfD?{e#o*y5H&du#uxbZo#GVd|CG24Vx(sF?n!x5 zCsdcaCgwlR$g*ljy?}hKZpz+>Z!mUp>+Kp1sr%#$_Tj1k<&qZV(p@9T{MNDQgRr(NIfQTwJx@2sR!~AD7r{dh&Xv z7(H69GC%mDc{k&WILrK^KBeig2|`9{cSQ?qZ^9Dc5+&-ISQT+r64-R^Wp6U)5glWs zY6{w@v>r8U`7%Za1>K$6yZWi!^8&=cg`7x#m!^f$t~hPKQ{9mB+BOp^^rK8~$n_<| zDyd;+0ngfUGpZeAn0~o>0v!$#Z+BG7nbT$yMxPT6NIR_;ZuhFhC$%xi4=4BQIbtD0 zCi*X{5wvYDP#otE;K6`+$eq5R-0y(Ry#buaJjx$Qv_Vpm4y8y^PV2S zw@rKa+#gm#d}yM)UnMRgK^0RL|D_NE$OrR)#ElY_c6_^LQGZ!;Qau?2?yjwEpA+gA zZ+5^6dBnlz(g%NXUqCjZibwJP;%yBf&es}o7ih!2AJwKFwYTZ#CAtmmNt+;&3nN`K zkn2vM!FY5zvDSTGWm7x`OSqIEOQ4;;B1x(Xs^V;~tA3m9VQLSjqT%7(&pFUIz&Yr7 zYAvER8=Ln*0lF5rXQ$a8mu$vKRvx;lZE4J>_b*9!BhRvJQ#R#G8pt-M+~#vnN`GoI zy>F|2SV%k-N~m11Hvq>vDlujnVu?N#0kyT~AAGj576U~)@kMN_U88BbK3tFTw8eQBkB#^XJUu0pSd3qy#uh;q&@d}>pXv^91 zV7;?%Bpm0!HRldKVzZx>-$H)a-_#~~+EVGWkh$@$TFgI6wsk`0c8|V$@2=u1EMRa3 z=~S&8ceX}1KtN>`nvF1Zr8ji%>+h{jj1yh!63e(%E2R@BW|(~zWQXC=cjagU9CsB% zG6fookE>2qB_*5Ib-tuqEAmN?6PA0kYa9s?_<`P6t_bvP)kp)PJ*q{uxr^4lJaofi`OqZQ;#(KL zK8$pl*_~sD9pAij^H6}1WDU2whW zc(um{x3t`nS*@Z3hbGM4`NH{pw)c#)h+<@mb!?!cnO%iW#?6!NCV)Dl-KzLW$zDjaYl0)boc|4TE2geiIymg6EIA#Y@hktc{} zq5j^<6&V%vArjTH5v{7sNtQ{ikK{J@8B2mK_UKTfK?Ar1E<7b-Kis#GS`rked)|M^ zjiCi%_MVaU>4Po?o?=Y>wRLK@zSopX(e6qR)csMI_i2m3KzQ4eGfAFPQJ95sxk4#@e(o87#h#-qg?EVS_x7|2JFPSYPs*vALBDRQdli*=d@k4t6@C8B;tFkB5l_I zo=~=H=J&A3#86BxQp_(7sW0|RB1gOlpsqc|Fg*SFDK@fluH&A10z{hSttL;5O$GsU zj1r$eWpxPO3w(j12`+_1Uq93(->Ba_aqlTs&IEr^F=a?uURFhhyeHj*I^eoqLePD|R%ernnnVNyI>574v0#HY52XEM|%ds{m7^-q~8`0lu9H z_GhmsO;Febf97_B(-2zm7QH%3cuG4Iiv*ics@$nnPHCTLqIN|1Ha6G(8HApVTyNR# z-c{si8p^v`jr9-^p^0Kl2UPn}b*mpYL@R1FsOOWaTFDG7UsiGbbb^ITJFeSNKVNXm zy@V(7F9tkC(-oGVaET7lmVEMU#cjMg7|js85nn}*nY7kcZA8p*^(`+yxfBzCq3LfF zXT~!(>4d{R)gF3`rJ#ov*V8|~tj98>64vv;NRQ|jc(_96*ZQ@>9~-Vfo!xnV$)Bna zzRhfpuJ!?03xn5<<;@T@SgO}e-~NsNRkmXm2vVJSuEvETuF0g6z5yfqwQfXy z$CNim$D5NZ++}YZq&pB^v7N^V8{gy1hYFw1qhV>g+2wSU0P>!;9{jIIx&?I&h!3Pw zp5&M3|4W2CoHX*bna+>-DPNS+D!f&<}ZW!ypW&jP+kfMsCx%TepJWQ__a zVpUrz7_-iH5eoIkDjtI9{+{70QlSENK$C9Y?9rZi?=(TTgQa_kgW3I<@ zrO<1&F?06)j#N|B9S>*WZ-2Ys10LMmguhk_Dl?#mp-`oP;^kjS+^*nV|2ZgIQT0)a z-;-1TxJ06fjPHI>$YT_pW{UmCfoOa=m=T9Q~)ZW zg)kXfg0c`V2&l||ui)qd3FP3A5IZ9haXr0X!AKa)CSiuj(Zph0zF;a2Pzwr6~ctgI*Gi=mPX#<_L;u?qhm<5HF{$zJM$O|FwyMRVFP zXSWLZ`lAr#!F4RV4t~js=>4v`gNBaS{V_A?RSaOn*JV%k28VwZiA36#HQ%(EGkkL; zyfhYJ!WIgcGrUAzkbX;;DRYp{$9g6I`wLpgfnQKP#l?S@kw%hb=>srg-d=I4;P1)* zMf)k!P=xyDUl0v?`%cZbg8XxEk?tumD2m1Y_=tfAiU$hZ&&hugl3$*(jsImHJ8Fsk zYb5(Wz%2g!e&PQc=J|h28vhDoWM($`2U9RO_ndS;Nbs+B6-ohr2a@{Vk&VA+UT1L2 z(^m!34gC1ygaH1?`pNX1Ci2zjfw#a>EclI!oVC2MHx_c&a>{k3J*S?yC1V8xSW)64 zCGtT3csm+npRiN$t6(ty$MOcAL-~uEy1ct*$gS%$F$p~DV6J}8>(5Oz+%GacFR`8T zKMG*sNXy>$*439vE4_QeE^WuvccHK4Hk7%AzP-C2PiHnxfQNmQ^nIcEsE~$6iXl%= zA2i&Urff1)$pXpe_+~zK6zAo0|1tF3^K>Tg3W%2q|n}#CyBq zYgqCDS2ld1EnTdDAQZBiEiHN06BR-%7TYIc!=#!iob(#Su|eXEJd8emQdzlsG9Xxf zrE6vR7!TRc$US(m}j~=?q7fUeJI%8xRSmA53}X#J`wH*>D_m@*|+{HWb>=*9zz%= zH^OTggG6{bzqbxJmQnK0=-_#;(K(LpF&N-1jfMn)rdh^{30w+WpS{@Gm0`~z+;Yp- zlG99Aa8}$8+g{PAGJ^ga3D`p>8e}UBW(xz|!9X?3uF4I}ovGyd6hDrpuY9FO_qiRn z$yy^E{)V6{`gz_T2%q&hxAol+w~2shC{IsqC3bk-${ChzzTgDhrTIX6ZIi+B{fsP= za}wHG<<1rkL2mkJp*8qMivyU!Q@Na(q@pyn&v;+Ckv$|xfwx-S-!Fc&y#E^oL0vY1 z9?I9J%5B;k|MjPDK(oSGC1d|?J>=xsWhG1B+fiQa%{QUA4Fp4}vtA0MQZCY4ZS!o3 z3$7wZh;{2N9`v7@S_+NEm>wunXyBo(!|Vq$a30xNJ~wFO5++)y>>fukDT`x0PqitI>v9FbJJ|w_WnL%_>_pZddph) zAyt0;`C5|vFibSb@U?i{*_gW?wI^(~)#Y{qOSsroolQRKk*%m6efRX4b?GB7%2yG5 z%{V(bO%Ra#6%|oEk-*KH3hTt}R%_8}gB~WwhOtKG?M0`9f==0lg$BFUw5Cv=mD}Di zsg~o1`SR3?Qd5(Z2E<^_SH3e38{ksaw!A)^6SK0i%IgHDE+7~hxBwUUlp;uyo5KZ9 z6|4tWwyogIInyW&VI$5UK=s0EG2H=J#O&5OKzRGEIwA23?yHsoq9>#EB1<2T-~R(2 zOT0(UNMi20lUmdRN6yg-48n60mq9_rco=BWZOq zeQ~e?K{I@*7A2KFuC{l|Hw?AG_hGPn==aL-q~7F)5x7qI^wc?A{2D5sT%Go$;b-(g z&7)BVt$57;O41vO$bI2GQS#XZpW7@OKXG=KMQWtc!u$#DSWCMJ?bg0u8y@mr=gM<$ z<^E}@s$1;4WK)y+uk&>tiRxNXaz`Whzk1;hXY|O2wzSA2uo-V&uH1Vm&od7dqSjo27IG>!z=o2IHy`j4 zmy37F^2Oh2`Q>-sg#S)cMAX<$DM+>TeL>ulWAZKKII@2HbphD|ibZ;zVW=j0WStB# zz&w!|6Ph2{VgJC_;SuvAb8=VGCB+P%#IGZyer|}Y`(A>StN5{RW6Era#M=TaCoNJ^Qh#8_tHA$JT%mv#K#TYXJc$kn)&w3pm@t?cB3~ zyTC+3^FIsS2cGnlv94u9rXrwVfQ9*;4*(7Ue03@23>iR^=0=kZxaqQt24XC=S@%Q&&h~X&HSI6#~XkccZmLaUX0fVf2-LYB6&fwPCV|^XEMmE%+&QTwUn^6eB32 z)dYtjucC(AIcn{|&@@MnWcA+f+MiB|b<@mDZ&Ml_%_#h`6@?I&%J}ECMvKYF_FJGa z`kBg-;pgJOP)$?;019ItsbQzc1Mle|9>=7RjvF?RwM7+2=22^QrUjxL!GL7|eLlk% zN*o_nGcreSX`Ol=I4JjrAs?U4Rf`N4AD%YLKORX)4}4C;EZmdI4_8ry#B6fh_XW7l z`nM;)-3r5igjr4%(lV#hK^zPXu$4kdM(PsM9D)!8qBsOhzVk!G$)wJMSEBP+p8=yp zT1Qbww^>*n?|!%@herO6Y0yH*#(cp3n1gZikE;gx(mGZd28{SbJVv)=c+`*Mp4?xF zw{{q;LL<7=v_n)$EZ=2MbT{CsRCJ=7pnOl>@6*%jR*x`bqwcyqwqg2wIpqg&kfbvD z3o8lLiFsUKdM+*xtIWd;Z9TAjPAX{^-MBdE&;&H?A*%xR&eQ0|Pha`7_Txy>)=gm} z|J*R#UCu4}n#9cy5y!o8B=8f8!S1{^ zGx5FW+9W#wbCbu@2S?u-P1V%%gCV-RjQsf;b>4Ry6mzcKh3fIzXMEiVboQo-(^t23 z_Rwrk_RBQ&fOeH!=?i&bto}^U&){)qdu^^>X%LVt2fp86_jq$$wC^89hPdi+8IG0s zDF6%+u=Q`6Vd?8v15kQFuGa8lhpwNKQP{08j;iM47j3T?{)H>gBd*n5Dz388H$FMh zk@G*&BHADD-0@+Xp4;Mm+sbfvMEBKC3a%Uy9r{aRh)}gRyE&N!*f-B^S!2uI4yLK~ z2;vr3d2oc>Df!yV^Vivx!rUSc?0DnitTIqsY!I=__xm)T%Prw1CsJ2e{eYv|&sB8E zYnkdCe7Y?n_Fa?*7AG7b!c$X* zfyZiTh31n}RC48}f{R9-h4Ir;EiNSDOPSO#6DAGNgPSiD)zU$;?CwCVuxvx^e>{G2 zfScn(BT}kHWz}u<>3zPoefEqxu1^EfLE0j~W!q#X06eq)M`e4R_S^-mf2;_!VPw4w z&yc$?Zt2aT20x708^BPU`EA(jY{gdQ2}ZEAxRvARzX108qI+MK_^3Q2z&xV}0R-Q^y1%AR zQB$^_tK5OMe4JB$Tg@Z?B^Ljs6hT}s^I?hnI*Aa02tRQIRDXE&RgjZ+9UmG&do=zqxvW7 zg#@nC2K7d$jdmv;MC+bNe|Bf31dhu#%{{xuOX=w0g$MxZY>AK|45r9G3jG~)9qZK< zpy(0L^mgos1p;RMPJ~ zMp41;to%DiVqDhlyWf_o6NbGJB<2F-bRVHXb*vMuWIrJNzh$kwUnZD%57M*I=?r%# z+AALKIP)`nsRwk#n+*^o%$xr3_<+ahMGemJ69FaZ%yCpqZ~x!jPV!z+***bMTv2Ne zuB6wCU}yjm&Ic&r_b6X+Ic(p(DPQTXGclx641a6)ziB=I@FeygcJkC03|Wi6{4T1J z09Ci}9lPc1Fr(HXj9sn83=N}{s0Lr14so$Skm-K{?#nL{~S?k zh{>w@IGt~O#%h=eJfzhcYzYCQbO}VUp!DDNeoh6*i)@FYc3E$iyKs|`kgnTKlH$m+ z@mUK=7VXLc1C#xy$r=HO0i)osFh`3t+nr&|tAiP-k=QXntOW??bMc+mA+4SO{cs7T zDiY{Nip?>NJl=YeS75wEZiElS&pH8z@_3#Mc0DFY6|E)joM!_yI@6cbM7Sz#^%r1A zk)x4lf4;O-qf;2Z_fw^YPQ(zGck*1ljjmIeeMw9sgYn=;)>VU2`lY|BPZf~*A}nF~ z%v2DywBAlWx>>(DDl}0IIZo(W=~k;l;BnRoSyV-n45zS=Kn9~wn4k}2yox4iF3Dtn z2EUCNYNc_=xvkJ;WS$Uy>0{$f+!wr zV_}aPbPqznopydJ8s``W+}@<>t%2AXK9jMuaG62aZWn~N7$;9=J-^K9N^5g= zmrl73Z>`mT5RM14rNw-?ptSLJ+>cEP=50X2q{4EJP8s_3X30hwGF&AVb|HdgAWF}V zdZDhiB#hl+8VVX3+O5nKC}NbCcw8@X=om|N+gA#SbODS0HRUd8yvIV@bHm|uVRkPw zao=^vd&IrM;e}gr5)8t*)PJ;~er4c{3b&CI3C9lId->?d57VRzu6mpB^gbRYRe4k4 zJRzg&{&IK5(M0P}t%BdKo*Do0U44}xW>V2mXFM4cb0=l||oGeVCV#eQUk?h4Nh zHTwGApERc;XBskjGroAevJcOJC!F8wsR7I0S1I^d2EA&K2w-1-ctcJ0l3sSMko#GQ z4Zhh&r9g$K&L_bHQ$7!;^RGsCG6L0z7=cLO{JdHpYwYH*dCYHu1#D!kC;~qm@;`Sg zr08Nmi7HBz>N#uvp5-w>M5QSJ3VUIWscp{uh1N|YoZa$k^FzzC^QEFM%;f8*i~$s9 zXc9FUqOE~urP1S@Zoy(A`UTKQcHa{6cr)`*z3VvwBW`51C`o783ij_&WVmmMlqC}) zCb@{E!7ow9UeDL6@!EtwABzinfwz4A+hw)T&b!}Ll5GG86t;X3{F`Y5m-_??E0`kO zvRK4Hl|W^2Q>h0_Gu%FnJQq)q-3#O}Ub#F20|Pezi-*c)TEk7{+Cu`E3kka4?x$kDx)kL+aX)RHs~iQAe$)4^LZcEZ zpY&T%1$`+M$Ykj3nUemAy$ZYPj)$q+5vS1&_&XT_Uq$UopJy^Q;4fMkec81hN9?rhu zTUyp0azIJ%ZA}t|ON@8+rH~5Ye{+Ic^?Dg4|K2QUEBUV!Gf=Vv*xbK&UZT~CNN}Qy zl}fcMn|Z{_zAHzvjXai5*_3u}Mejb(nGltoVD{<9B(937uzi{TCQq!>*^ktHz7Zv0 z;jtaM?IA+A4ZQ@2Mv)YT!3)+A*y(eN>+#u)9@}=jBEWlpOIs^tkp2me9iUr=H4>xF zLF~1wjg?}A6mqYK8i_bCF|WV(`gH@+xbNAr)5uZWv zmQK~r-`DV4G=i%V=KE|-H!R~N1A7r2mIx4h6c%>8W&qyXTCFf_ST7_d)r6>%`?>V+ z+~$2ZfLYoUvr-j;>&jYcgvK+Y)gWryWrZWsBK<$=t#R!$!W0G!y!3p=?p-+UBS;--+MjfxeNEs@R)LcYUit!TkkguBK;wP z3f5$Ct>rOuZVUd1FqqT_0AH9+#h}Lx5$WR#*ER8*qyEmX&U0brC|rKxd~e;x0l~@h z>VBaLZtH2wLs=1tb*z@skGEP-SC?Ww&JoQuWeOX)I&w3&( zjK?BYxfCN|5Qi%_?nQm4F;@$O14Na%hJewgq(#bKG>M0d*ciD9>}A_zw+rMaC2Ey$ zxF?4N`O>wA)AD|)G}U&SZoDG*n%XUA3am6K>xG5aEw;E8ny^NHrGk@)RLqVWkhinJyd%MB;3eY|**WiVeFZ^@I~k9>f`_8ddmV zP&G5H-;9`NNo69AABRc1k@TliwexvR5RAr|o*NG8h3es^&gV~MOalRBW3gbm-r7QW z{5Rmyr_T2Hf~*f=?3RBkLfBVp&X0UWl4Zb9(8h^1$pT7S;`&De9oHUbE6$0Lv+SwFHr@KVYe&}?1${CmoD0qAHp~~_mp+@xE947svSb9OZtz_ zHe6CX5yz|VQy*)D3h2zIb$VT}<862Cm(SmE8KTs2Gl5zx?#%W4w)P)9VJM|l7z4B*YWMJUmZt?<5k=tadutJ{7LUg0!9I5WQ@gPoP~z@NAx$ zMgh*idtIQ|;m2?HJ$(@$oh4Wz$g-r)0b2X->c%P=xxSiHDvURhP(`~B?b#zHU_}Gp z1}V<6hzCQXUsyvvt7E$9!e=wADt2TWIQj3(=bAX-lAOuKGiXl5zcbLw)HDCM-6$b! zW(Llir(EPazKZBRp}%SO)K-oqSUOmbGIs$3)oM)d#a~3Ot%PuWlPDvztRN8y;rqp2 zpDh3*OyqGglCj$fm@ZO%0%qF5N!~EA-VHIO0(Anyb17GxA0pMiZ+_tBUioen(9*x+ zn(bm!|KWut#0;rb^0cq-`S|zgw3y&V=U3hY=Klz2ajUuPA+|DtTpshJifd+|2&>2` zY1UDcm(bp#W!rsrcekIwz_t8PkeA1^U(C3ttq%0COOD{@4(+!X-q39Fok&r6A1q(X zHR>RU260Jf@h9XlzC+bqP-+s|3VuQ8&Wp#Me8l;x%tg~OTSA5u;~K?!$>nxp(?vXE z)U_h!>zL6f9|@@g)Z&!}_e{LTRJv`xSVu<53AD_o)_xa+zex;IO3S~EL(qP(xVFjI z+kpsgac#|J(Vst@_U^ukXG*JFwsIZ^4PQ24{|bQne`}*Gg>P2Z6{pbb*%2lq?vHRd z8>Tq&?GNCFPdz%@>gy!RO)>LKQ!`uxq-uGP4`+O6ba^1UI1RzCX-y?k%kH~y6=x-B z1X;_O1|(_WpiS3Ri$}Weud^9IvnK>t34qud~dg92lGu z_SmOX(ZQ2w-Jr>pepNsR6lE@k6=c)k6*V(+ehtfe64jC8#G0t9{{)r*hF~({fe0)P3%J2OabR(c+CijNrRf8< zD6TE6yzX8}N)BqSxEb>3xVaXjQSEIxMK9UbyA8dmiYHNTD$vRDHXm;aZ#&uh(^qgF zhxZj_hOR9r>X`he+>w;r;eyt#2FPg79&r4493c?ic&cxb%SA^qyQ)zn7#twNZ~zd2 zKQ)4s5QP48uquPoAc?*YYD&+Db57qTxyN>xoJ`W7|`D^YU&4x*RPBRH#DSs=?67i zx9>vl9;|`3G%E}gP0dUZ^o|-;%>(c54u@d}*#FY}N+McU7-1jq&Be4t;G7_%q_QvZ zrB$$e8-GCK&k7;mK_Y-`M^fBDwE5Q26K@hSF(E@D;EX$D_T~<2%%z1BYyz7p@-*s! z`3eS?BL&~x+Izs+ga9le=t^cbohH~ksgnUdAMjH8fHCt_<;LPpV)j8Bp;5>O`)PZ{Os4-3(^@LU2&9PpgmJgM(1`u>HwPU3Sf%^P?sEm z_(t+QK)uN>mn7m0&PQrupFj2HO79Fjy!HLtZ(z4WAc&2=*%v7WNceB9-f$W(HqZ>e zEq@pX^oZIv9K~7-4=12j+oqeG-rkEQ{>Mpya?ieaz{5=so5FWFQX|GKvM;f^unMzY zKD+`$=;J@9;|@=)lBA9>31{#ooFdzd#9H|T!ebZRBV$B`dc7g;dj)}=#pmNfh=r~< z+bGD$O0#}6rj_N?ozQdlWlIjJWEbeGfG330SXB#Ww)|10b>Hu;tVf5Ys%hKRnTAE2 zBXv~-Iy}o)dUv^lr4|>0DS$;$sCa(28Ck67J2Ndn^;9MRDFxg)8LZ|RhLf4eg?e;n z6RjYjX`mi?%m>c~$kQ{tUtfw4gGxYQZ=R*d-oJ<2qW=qGq9`A9#)p-grVZ3z#c}3_ zySwth@h_Z7T>K|_wuxqU?;k}+#oNsn1&*pzW7lCUG_>JHILV#K+S*lhCgpD$V%T%hhzEy+!n(&JpsyuSMy{iTDx*`-*Z z_ctwZcd>QLsb!|){^Z_l>5oCt4}j-NeiNC+R_uW<>gA)q5uv!AK#JmYv8tRgmRjdK z_0<&@KYEf5f~A@&f`5dGV3<(7wKzQZmUNWS1ID%Sf$wfKj|a1?s{*tj;O1Tg@egn7 zBr?9i-34qtm3^s!?D-Lo~#X*fbvlgfxRvB!TaSt zf72R;3F<%UX_hb9e<`L+wrxu;$lmE~%5uqVdrM#=mPsQY${?J}#9hJP?yel5foNDc+W*3EJ8+#KguT zVPO?X1qXu~{&QZUy_s|VX++~FYnh?YMm#xlZCpJ^S zdOu6eBf1kDuwhvMYdkSnH&DZH7;)$kFmrlU%hX2MVLq4D@$Q&k1v3RE{oZLfcP+)$ z;l%1z#hX(E{`dPg0h?UGkMUWHk=IyUN=Ui0Ow%U_Mc8!q1!8%H;??;_H6C+tLGEPPYydAdPLknM#H}KRTQ$q^UK|_;!l1w zLiaOvG?<1;{e2}}`q~EPg}zS?VN2Fq1t`T8W-{C@AD9sxvJbN4{N!$W&1d{Q zOiKL~+N$v>cYKlljulSIzjR~C>J$YRLdeKrwUlqwm!_}3x_TDh zTxk?mN$crVRWfBacym=ZaN2h1F(pnTD3waUca zXFD#UrsnDyQ|Fk{s%_@liO|akHwrA>$QizH%@sM|@C74u2k#}gE#{=KsmVQ-N<+rK zoId2NmV^ymsEB^r*zhuAA)OtLu`MaDCOcZ18sajR?B~O|bUJu7V9x#ofr>GX2@zpl z?w{Rk7jX`0{a97JfSsMSInjN(gL4B1y~J9TB0V3mz{&ipElo!j*DtQVdtRpFDXo{s zy>0+$Ay21ICoKS#Iw7;$6Zbl<&^eXMq9WFq?Tc1(DsGD(gJu|B zqEzG_RNn|YHA=wREUb7Ny(7WGJ2E2Y8y?3W%<~0R%}CW)Ur9Zm5#Ym7t*0#9brymv z&yR-ChQcJ7D*_L*v>JBjMkXv;ZosSdk+-vm(EA7DEA zRr!vA>X3eUqfO%1dVIQp`%-2dj0ZT+^g=^Wz5A5nW17~_L*9<*LdPPmSvK+Ox!T?DCtDL zKEb0A!lafu(0h}o%y4|`?qy7w>#4K4civkn%}WC=+rd{*JhcKH8jRnA=n9^c;_Wc1 zVRD$N3oyN=bJ*qG)^q5yQYi8#AAD7gfjpP^ufTYK5>u85lC5yKM=vldF=oO*y~>Q# z%mHC&*{k>2leb%0$wpWu4ymEwgW_& zk%LBe!e9^MxKkM-XRJBU?D5}CXm7Fu?4uoTc;oD~(j^;_&PBfVTJ_)L}Ur4UP3aQ~Gm z^mhE2SURd8H%;^M5KXH6iBID)bi;Wc{3^|K9~ey<=zyCkxOhZMTBf?0c}-&>OK6^i zH*8F4ls{2nVZ&}-)!id)?zMtXEnv)Nv7D8LXEqrg&rKUL<{=}4c&lXrj<)iSU!3~T zpqntbgn0f6V3ivz;gIU7%Tr!=$xC70b9@Bck4}XQRI9CB46_9}+*Cu2vpiQ7DR9f} zSk{Sc$2VH31toC&DZ*AUC2+0uGyVdQh)hrdPVU-;|IrI}$!OHi$@B<@8cf(ed&RGi zbX`01{{L^#$2+~6&@d~RR^8?vN5JwOa6uY^;Qe1 zRa6h?RNpTFYwLlH8kK-g5lBb(SvOWd!p)ZJMuwn}8vy2kw^oBHcH8LdUS`lVi+m@c zC;TtN*$s|gqY*B#rFsykT)%E-_wV@)0u*0iC&7sDerHup;djm$oVHAS&+y$*jfL93 z8mXjrI7=GQuXky;6PY5#3!5|anadOsD^Y8cmP;N?EYE=8R?jn*+U;eGi`*wenzHf) z_h&Qn`CRP%UWA?9Y-{8YHy65FC;tVzt~~BMY}=&T56x_gt+`VZb$st6W&R6Jdad@1 zkw7HufQPtEZzc9r&ZUIhiP_JUdOz69CXbY~^-LX~!al%X4)YCYyGRPoE(WrKo1t>F z8+|Va5-XpVQT=~^hMTdWh`9FFRxxHe{a)RfWJ_k-836DT*MSOHTvBq9^fM+@Wo0EW zPW`ivE!l|Z4J;fEo2=SYlPn;gD~XE3>lWw9_Spvw5XFK4e~)lR{EtCr!6(rgsN$^r zoJL`{UcrqGv-oWWvu{Rx9Jh08kx@UoE6lecv>RoGkBYM^CBk*3RAPfEPFE5LWta?} z_I?P=IvfxSa81^j27##zsgzb2_BrG5+%?lN4jEPS^8g2~c(%zO2GksRLOhasdr5!U zp905~x|OrzG}Stltf&o%ryUijFDj2{_eY@faM_q~wT9ejihS*etv%`PB)H;gY+ShT z91aW#Yn~0M)b!GZ*p_Ki<=m9e={ZuH8P#y52c4qfA_<#3AjXqD0sn$L2y#V77dN@z z*=qHGcq575Rbf<^jhxme4T}`4y0n@V1pQH6=L;CLXVjdz(KNtqmI?3~8cy3Dm8Kx} z&nAc#U{x+5FmFHdn9WxZVzGY-1Il-f6wwc;9H_+SRv*Vp6K7Ob)$iV2&V-q0c(ZI+ z9)ty?qD&BSNwfPzy}Sdiw!&CJ{^`icRPK~V!E$-COjB*eA_@Qc5x6kRN+nPv6-6k+ zvjc1RvcpnAe?@%Q$s=JGwf*iTe5OmQ)7S2jEKBF;idY^Z9h|wsRh8sMVqF7)qkf_c=QVP@jMXRK^%xe0!B> z1m|c3k4Awm8Rmj41Xyr{2(SkmV0ap0UOpD7lpfR#_^~8L4MWUXqio0hmowZvwoB0- zV?vRQ6keEGHFYVtLlT^^0#RxAp04QSW0}}Fa?eDSv1R@d_`mg<`MN%yaC3|lMm=C8 z>j=Lczh|T@!_VZOL$Vd6eIQ4|+&8cdxX8d<26e_LDET3Yw1* ziF7)jwlQG?0I~)H2hRiuJ#WD2u?5ICOlM=Ls!drx-+<_zt*+Rc>;A7?($gM@VETVi z_SI2Ub?x>CBm`6x1qA632|?)&K~g%TLFpEdE@|oRmX_`YQR!~UgVdo9-3NZ__`dJ= z-S3Wje`DPJ7lX0S*=Mc2_geFr&wS>i;C)d1gHa-%OY22|S)0T=l0P*RD1@Md=;C2Q zWb#L%!k!+@(}Qy&pErB zQge7jllN~ZmT$}iWo!!<=a1^WauU1>I5VSeD(_~AGoK+ zTm3EiQCxU9*U;wy3WwrC@LwUed{r~B3LD{QdV*T9%*BAv6%+HO^DqIqKe4|=QdG#0 zsm>Z*HsjoQCOhrR5zPY~9Ar_+KLo<$2FDlhsaQTqg{)(N(=WR9&9wsX|C9uM{nY$# zOXj@)PnHlo`+o=7|Iu&zSJ&TCm+0d=%JTnq|)bvH>bGPdMEtY)*wn$7^$YM6mh6s92F6F@4ZN^xi3ZocB!Nd(5 zv0Y>Wg~#Y(R(Y>GJ0e?YwfFC8plpfoMbIH$1nPO~qtwD9plZ5)gZ2I5P}p3FRf(CF za&?K8BZv6MLRHV%wKfAM9gV?oa8__*aO3&5Ro7e@sT(ie9oFja90*x6k@TNO1bF3m3TR?Q1vFrL=7 z;@3^w`|*T+^~H)lWpnifKd}nE_bGXik4Z{wyB1VO!Q;81F(`(42IyB%7n3717egTe zgh9Q=NHnBELBYvM01RK>8sQ~ILi`01Ba@K*DA4a2&LjJv0EH663(DDf;9b_680iAE zR3jGm6&LUVrS4u*o+PICtFHVa)*qD%AWiQ3ZwFP}M{m~< zOrVIA^`RdcMsX{_${6;eSY{n!T>iaJ#0hH;@Khr69x5>dMM?nR!M_Uob0NE~c1K1! zz#F%iw`Xc_fH&n2(7iS?_9vGnsP_ddMMI5Unw#Y7jzXVudn)4N5ROt^IjpWsQla-C zoY=Tk*k6DhZ;*If0$(P4R`GWz>{F8F#tDJKn4Hk0n}M^;?qP58p#sL+W>Q1g7sXrOKcflQj9n;;d;= ztQ>+JDl$GfxF(2jf2tuQ{GgHxzcXpeXKzH_WDok#IL`--aN***nfP>NeIz@)^%0H2 z3%3)?xF7`pMN(37Sh+RI!5@tXsLKL?Pt_28xd;$!0Q&;}9i<-D z0DNSEzT(Ri-t!m4*;VH%s>wpYy%UoQ>K^hJPHP5~F;ASL^~1!=-^r$mr0F+QAX397 zF?-);pYLRrTbatFci)h&y!`42Kb0rLFIGlMk^|$M|6=O3C7;U!C>hU|3UkJ)HA5)Y zlhhm2^IhDb0ZQ}nf-F`vn)*c?4H!_gx%L8$ch(!<2T6c@PP#LC=M^gzs6zgBkA^;j zb!?whzBMiV<7^d)_SlILFM_^-`t|hV(G1s3fES6&+# zj}w)2o=eZ-L$-{ilg}uez$vqr?!B*N6O2DwpPlz{AMfBLkOT8g$_sfpFe$$u$Zv1t z-&!7G`2?YRv2D zgvZXV$q)ZAgbj}CwAWj1=<)^ZUA|S@V z5^7ol9M1Bs4kT06o#wW4MqWOSvpmh%Y+r$$!)1Wh7S63KAe}p-vlvun_zZ-?PjRF2lsiny!wI_9FXPxq4o+I|ln@l(s zTiWzvHL0^f zA^=T|$7ds#lLE zQbHhA6iUn?{hY-cGl`CrMU#|WIs@AgB+|N4dF;opfcO?!UTv;}1A)z0BIdHadCI^N|Lnfli7WBpl*_|)X+ZCE z!u{S_f*UmC^7**wyIS~#;$!cLUyEl%?4EkuYk}0?3!wQo%=m3H@0Bs87()?cj;q2NA&??Dq;HV5L&HlEzbF-t>Ibe09aR5v)7wHd^QH z&Vz?mj!|U)y6~5LD!1Zu1G;u}3yqD0b}~qLGFvwV3I@@3SyikcF-<1Lp;6mp?atP8 zU(i8X^2FFpHz9rzb^q7e>-zgjx1};H8So*TUYk6pVg&QmcGi@{TO6cD_yS^nO7H%l1H^fHRluW`|M1R& z*Num&ngS@9saM8x;ewW<{q|2G_&Huir_mYzy6PZYiT*03~f`R(*=R#Rq1(FWPcO zG~D^Gx}KBVt+rV$;O~C;<7}GkL0QJAlxu6UBa;CJdGi*|H_N9l+e|JVUj6K-=&V;k zwTuffcv9Y}llyI?`P=qQJM0>D#l3`c*7LR*an!=8FUyrBL6pHqYQtUl~X?#9pk*4dkSUW#+Lz7FVkrE2jGSP z)Rc8QDu2F`OjZD9rC)s78yb9)(m@qE9}PaQK(43SFNUg^*Rra4VbY$nd5!&N*?g8` z;(qg~t#8ggsXnflS`hn|OX%=q<4m@NSdnG+UGBa_+wu4~FDR6x?(bEP93(5*`6@To ze@$e_r$i(z|Mp~#&x6-MNJfHkVZrZvyj12z!my3Mg6jQ=>)FY}7V`ytJ~<+ObQOLQ zCu>Ujz4@bhmh>Hj7qTYDo#@hEx#~7i0&5aoUpc+lLiBIXNVoY7laBspc7~_**Ov9S z$@j9yhD;)y*~Z#ynn$)b)ql(8DH3RVk%x-g+1R>oT z7LxJDYpuj)B*>o+Bb!6)l^~=2zjeK7y0?(|%LZRGd`+l5%cehUNAS}>{t)2WATb>L zKL^$Smz3_#S9AhTK~MCX1$UIdYiTf_e;u(?=+MzkxGVbyPvMtLvQ1>Oq4Irhe9TKF z@S&pi?-W2`gFF-$2>v~SX?r~Xy^QhEGl7zFW|Xgs*rT;i7k`kmEWS}zx4jb$#e5UtA}GBX~VG2s`gz9MZpgRiRj6?<-16NhnZ0e}31ju#h_zFVtXF`YY&c zF?8zLT;PNK<>Ls&@jop;UF5%^;t-C0vVti`ecVN5P7{d8sXB0JPZW%(qMUkn;mfu7 zD-)YR^mm@pnsw2_{m?Zoo%~LmXk>0^r8{bKjIh!jgs{k%PiJWw850UJ>on%b*e!$- zv5h0|C^*n1z(slrJ3m~bMi1(Z`-aNsx2Lw!6&GmAB@6r%)Kv?UA;)3!YF_U){vg57 z1-cgXy^!oUH;=|{Bnjb)yGT_6%^i_y5o9<@n=Sy%d;XF?$iQLW<5EM~+A*D`vVmKb z`Cs|?FFw>DqGa{|^dyFP)6)NtL93l)Fx&m$wTdL%QN)BH5y8-0c|u~H5>?PSAJw}L zBIk+^zhAN2ERZ0h#W5w@f1-E`#!L^UkI$ck8ulo>2w1Tv9H*GZ))B?tpdFpAdSqQE zLF!JSfun}uD}b)oDRg~iAW`efPF~K%7kNJEdO~-SJ{gl`18oJ>L;kK*@D2L5{2lDe zW^&Ink%Z)dCm6V7#U~a62}}^8Z26#!B7?673z4lJ$SZZG zJ>R?uHE2^JAR^jOf7{EigF7845c9KD{<1;?R^fVV-c`HvPkEAy#J2@(TgvCREk;3Q ze9ns0x%VF+}SMm_e8K8jYb@dL6&>9De0H3BE+2kMd7yFk+N(tP~c z1dT95J>bzFb6O@!pC$x@!Wvc8r{KQjIst_ZvN>V)C_|in;kfkV4`3-(%J8GC<%Af} z#Hp*Ula)#j9H$;pR_#a|T@Gi7n)AJ?ZSuHu1kE`WWo2laKtl@i*3<-d(6ng&rGUr9 z$F9n3i3stVYXoT*Y{Ply^5cA4$1!m)2O03}!A4alqEtFBQ_K#SX+@}mu8_&UUAwPK z;KC;jRIG5Dw;>VW~Nf^-~KiY5i557xLr60lEZi0{*d!p_R`3L&iDR z1G^Xyl1FBK|2fXeov8NsAUyDGA7)nKOFR0z&Z}a?p}5tz<-V5$KHTryXLR0jJDi9a zrCAEpr8Iw{QGrP?r)r+N#2`zPb6{DvsCl@JZ_2lY)r7CUSDoI?RKD0dV+|@9(tJ=} z`P_f_^v$*^n6?N;Yc7q*YP;%1ktY5vfp5xX@j@ok7*slgw)GB%Q$@$B1!EJ`}k};U_1Kj*k z`aXs)x_Lkyj0ZC2wr7R84&v2ER{rU<1sX&GZR59?H|QAn$jyT8oQqe;5Z{=ue9yw} z{?fIy_yKo`^8AYpQ@oA>or}LJ17g90+kKOSGrj(kN013y|JFnvP2-&I z9hP|yfm)#_OR6{6r8Le8`EsPHA}6aGO`zM?@kh`W%oBpzKIWJ!B?1z*}}U3*ezs6SM+2CawwX3C8IDO6#A|Ehm?OFYaOom%2fSBNM^;eH%r z{Gmf&tikw@wCEv>w(e?#p!)z&HqHg=!B%D_T912l;{WW`#joHpSB1hcpNr@;#}Fd_~U&2LWN80 zx`j;|)Go;Y(Pi zDgeWSR}fwx!av-ziy%5xKWffDtyf$)wGYqIkB?`5Qkj+>nl9N@QuW;U$@i+3=F5%? z?HwUeEXXinoaR)Ivk#87f=B`!S4oItArwVeg`?6iPBN(BR_oKTiwE$MI|+m`6Er5e z^YM85Ls-{~ljN|f+_^b{ve+vt|8(+$NmqpbNprqQ4v)|#>~qYh;<6SS{LLDz5Ts>j^k>3%?m zm{~YES*U83HjEmq(zWpzES$wQEJ6rQ-ZzA=Ca&WMu&>sozcn}`B={^-abv_~)Gh>U_f?jG&dMmy6 zs)Li8=q_b-C7w358B3SDJNh0re(sX*<|)uN)`XE<@-LBvj4ZHit20L7SLRIihXkJ1 z*VN{{_jaJVof?8|c*!pRt=;X41y4gm(_jb%LX!Zx`%TL?hu~{}@WpOSWrmVRRzN83 zHB>q)MwuRK7|p*!M6#5z3l%)?SZyai`VnHNYa3>H6Q_o?xjL;B)!|f+4`c61iDtY; zSUa?9+UTd(9F^9v+SfcG84i|?VzX8y^Vu4Txgud>&iz#g^xZ#e$ z-N$J%#Lac*zF!MHr^%W>67kw@ufBIDOocbVoa@44zBE)B&X+p-Xb&j04Dfa~!|=8q z%iBi?$Tx&C#&;;uPI!kx;5^S{u!}D|F1w6DNps~Oy}j?2Y>Fa7$Sqg|w{yg7%W9>V z^vYnQeUu(?iIt`Ol@_c$dQ_VY1tQ70u;_CQpCI?eW^h=a$Y9Hc+|U0_w8WMj6?)*} zr7+bUZT3{)7ja(vq-2SZQe2}3@e{j_1nZ}wiQ%i;4v$=Sxy?C68oEhLbS0(jU2GQx zs_4}5Eo>Pe6&+0_ia#&Y)pD23TBt2p2)$wg?h~iJ$d2M3;7qlusCu!~9o((yyemt! zB%+^n8gi`Dz3+c)oC)oy_tD1e(A$c+Q+Gg0)yyx;$~ud2S0@XWsQx8Q8P70To4YGM zJ;Z1BmvI{e5}o`+yB?G`uXG7rSLjUYfq@+VB2VYahFoNHJ6+`#Dw?yg`8eVJAT@jB z6*@S2@517zQ|_htm{yb1XU(24m8jv&S6OGU#7fIhLiL>0XXKgungr~FkYEs96*S1I~hZm^L1 zBdG4bS1VA%NFR90jVuNb$%<9XsxWZZPe1v6`Fh9~@@XZn-8YTTsn_Flp3ca~2*Fv9 zX^M?6E4*&Tg%*TbRcOI!6DLuuV|D#cbRXA^rkYm$zj z4EFY6VIEW0Ea9i=c%F8?vw;+bV%w72&J2$wz8bmx3>JAI8SUudolhR%>|m%hE4?l7 z9E&q#o%QKmPe;tzK>4%_v+0XIy+ryhqlCLvm@GO^xwwYjWW5d9(;0@lgwM8l53qCH z=Ft<&?n-oE-ampW*pMy{Jm^g`#zc>vvVQR*z81#S)Z;_+Hu?O%W#{kI%P*sAvXmJD z-P0`Thl>w9(DH~dAv7FZ_2r=2-Sdfx0vf?5PdPsADn5fdIj006ZPl#B5398`wu|oM z-5AHG+`|cbU!>GB-s~B!M__|>5))Zdu0+7)oO0XmIA=F&_Pr4C2os+}N&rrOnsQyx z_fheEbXJ1mU}60h|4NVGY3rs!Zx{#f&j&9)*ObhZ`PIw&52H4*U=1l#@*bqmNaZ$# z&i~f>;B}0Vj3G1@+QrDlBJT(yb&)>#~aIcS&{DY_JJstiJf z;WXL!t;_p&Ynt+UaX@dTJ?X|MoB7>T11xoRH|!}ze#7cmlgOj@4TWCP4*L}W`tEH5c58y6o> zK*VF0L%$(gebD;KU5hIJcou9HFsFhZNOTOwJ+;!aC_@vkS9xy`Dw#dLoL;|bj}w&M zo@ym=-Gop^t~!bAB;I8cDiu2mi|eV4W}ZkquD;nk7$^c2~;IA-^UxGKS|u~9Nv zvgy$vkd`O1ln~@0+$OG%0{KLfH=ulvizA610vS$O=a|{qYeb$nj5GWQRrsw-Nvp2z zLd_3PUQ7sNU5CBk!*WiKosJrG_g2B!Egal7`>5*L+TPd@xxQE&`IOOa&q{cC^OT)< zE4y_pJ<0_gDh~2m7hmOUuq)1%PFD>rf|=ZGKB+X{5azLu@5hg^!U=7#y{EOsqQ&;l+J(D!)Ua!h?4gRc|PQb zBMnczfZL_D`CKtL39rz`wo^XUEUt45HoaWxbpy|K)PFZoU2%ZxCGf9H6ey$ObPZMa zzKyu{x8zG=5ORj`yKJ;PG86C+*BnZX3OyW3%oV#vL`baim0e4z$v&aZc>MBb?8!ao z<-+NT(DkxVze)jU{U<}_yollg9BgH!x_)XpnT(x|q9A|Nr`=(CZ~qj`jHoJ;!R}=* zxu^^c2lz61T8%GuiOFEEs6=Y0Ka?vYw(I)vxyEtQOFP*aiY6wqo2#K4;NJW}G$pHv zVY6i#liXb&o-yC#l!6z<;&tA4^63}V4j=Lg!d(v1`XZOA&Q}L)b|celb|=;M@^Ag{ z%HXBOZ99%)`gP!@A>d&d=!3nP0=>#>zSu0PeD?z*3D^N$9VE0>=igkzZx)!mcXKqJ zBtOW)w?}>{gqOBFlNIyxRg?S*rq_h|T`D4&#iUP6!`^JX3X#yh&1!NVFM-PE4y$wp zU0rLF7xhl*HKSX`9Q|p0T*K}n2{(gItq%+CZ{6^gtTKCa)}>G?s;E3-9g>+U+zPKw zJw>!=;8#qRENc>MI53QwjQ-wjg2$I=)y)uLH(Dd!G!|dFBJ}d-r@CDAJP?ONLQu0L zil~#Q_>If;8|HaVI8?5Va@2ElY8~42^(%v6N(;)pdB^9tUL~UrTTZX*HlifRqF6jO zWUNj|k;BPc=6w!AZIa0MxHr((n>TT=ICZG0Yfg?t3l;(Jhs-m+H0YuJtDww5c(s$iy>Y6{0cfB$O&omGmLD z+OCWE5l3SucGkJteGYrZs?JjaKpAm#5ZF?{6hZ| z|6xDdNn`bBaS|z^u5%WGxXdKOW3tqA%c4dJs8-D{+14*N9k))l_~$w2I|uK#Mldii ztb8phWwkd5Ip!L^aoU+NGAUcXdO$7yD??)Adi2zmO|#jHaH@}`jj1pGd5i?Phf3=W z0$$eyM@|G}M+PzO%r+^taJg6g2w@m;wQTRUvID)+9c*@cHR$DfYwhS*OZr%`amTezhp{VdKWVr5aPV7W zS<@~rkL{A5``PcnlS^Y`V~kp|N8be1N)?tU&h>vZJhkstgv}|QIf`!Y) z>VEfD-RrGkTb{!ajq`Ox#7c_SF`;ACXEt)PweJ#@=X+8v)%!UvuVJIur+|?fh*fT% zsJuZyZ#Zc8?HRkGOtD+EDkg8dPO37d;aT`+@}37VjvB>Bt^<|BJ9av@9r(umS%>ow zVH3}%I`YM*VXv!L*nedap%52;V0-rE*dYrAGSK{)!2PpCahvynCmBNTG$p~aRm|rJ z^8S1}%hkQ$s!JKM&ld3?5<2B`L4e=t)~KopmMI`vib)Z44C24w@-@nI+&&wT7@awY zx@r@pThY6|6gcc1%#O1iAo*a{q1*SJF?Ij*v1W<7MeYn=y#|Uky7sL**2$i3_ei+) zJ4uMyhl49Qo!0w@9x-2e{Ky~j$3U+R5^)|24>yHZZF-I%KDMJ1{_69`)H*se?YxEj zahY2=t%qHN{iaJ`59pc^IMBm{RjH#|uT5xNNLzFtKc2FL;68BcOqDv=P z4qn?cb-ruSA|65Z+`++NM=jQXBV=!M4J#Stcd2~B)Xp#;V#g!TJ_~+13%%wXZqK?d zn;n^+E50>AGAtZqmqNF0GHHyjTXBt{xqBj;bt!t#h{9x4hVue;20;j4}8Q3dwW!6Vn+;ppEU`7 z&sWgpo5v1l^KRNUDKk~&y#M~vx|uoOcXqpdCr}u(WJTQ7gL?-@n2-45RQ_zK2TDEB z{R+XDdySS<@|?q`EwFSq)Jsvo)0{=zn68QEXXrs$CSjvH!#lR8{-ba1!B5N^j2%r+ z0^fp%s?`Y?NDIiH2JRBp(Fa_YZA}VNd~9{RP*+lV-}W@xe%k5Jurp)3$e2u9wu*+5 zdVV%vUQ5_*_3}8E_}UV)Rua-9x8z7c$v^g*rjV7 zk!`Z^5U*Nk7lWfQrM2xOMI{FkqGXFBl5>5`JpU0{gABFHTk8 zX)l+FHnkTYtDQpoaiBrIq35dC>@p+vjbJ$I2^-SXksBUyT(tKYaa%x5Z(jNpWgz&Z!K6&~TyR2z!~l)f|YhJN(gHWcYlJ+5zYCgw2(D zB=}8&8bttM&sb9e2!Gi~x$cfSU)N6FpBpqTRA0nW+tx82^0F&Sx;O0bk;$~m>n3Am zHo{Zp`U;kPut%+zV8eVK?|vFYx3doj+8J*Q9gLPBPx4}Tw-2@jlS&{%_k}=kc{sCC z+7Gq(p=ge#v_qN7bQ1sx2W~S#5J?#Lc}PxUE3p3hSzQ1}Yv*psqs)*b>;!?>kh1C* zulBxm_u${8+7Deh@6v6p9D-2iHJ6tfF!?lt~nxwbf&KyXj$} z6YDLfA3s=0U#%rg`7cc4wxp2VklqYW`Kv?^=s3CUS<9=di7#?Ep0gIdm^Dw3(3&*f z-Ar}?GhCi;k`OYkiGN}_l!g#CuWixZtKzu?Hd%Ml5qM_PkgBx7M(Qh_r9sx7Xg(SH zjy9p**1=R3+FZ{hk9!)7GgrTpEjqj7-g@@OavSm1e_Zgxnx-^bCp{oE+bd*utV$_2 z_=y;t>AFg-nQT{hs$6nlic%~I!&nu#*W9Jl4{s(r1XS7NVR{xUY526sN!dd(FC58N zH40W)UpmOECK@cbT_suFwn<-^2MYkNX)p?;CwIJ2uJhp^j>X+eSRZA5C;%qasxH)> ztwv*E*uxNo$CW}kR#kj_%YCyJb$W9!W+@U|yt|p+(YBx^j;d%N?dUnJYkYV%E($_X zkK}+iBZ<0F%^1#bCl(f4cDuOj{B2l!ap**qp-#8Xc}=B`^p4AEL`Y3B20pgYWvsNx z!mgbK^lsdj)k#UH;x8F@g+M$Fe+?Qqq5WLtyNi> z_?7IS;Y=u|58`1cV{DS~_)D2J7luQ{1OcVzvnA$IQu@Id(Ip)geWMvP?H+v;8(U))XDpuWZ4p)&(s451B5#*Z3oO)WRu^!0260cG_lEnmu79err6awB7)DZH8TvIli!N1 zS*a;Jp3?cbhVbm!?-+~b1vJw@!9Yr@Hq+J{GegCAEA!Zy{!sl6x;$bH)&ZR^=Oj%{ z10UuG>T&fY%3rtHcM~rK0~A};@e^xUXA%4-q!Zk{-qnn+VUsjeWM~AgWySs@DPq+; z7-MWSbft^x#rC4k4P-ys7xn9ZL0!tU_j6N52KA9-R&9En&+KDp0~REbX>Remj?+A? z(Di=APUSW6p8=s6J}rB&F+<7r_=cQ|5opN`H(KbXh|Lt1KEZ$8F?O?8y z*uNMosd6c?vjqm!f)Es+qpM+Z+y?`9@nTUhncq5_CBG0gIY6H^qIB9BAnUw&!Yid!L}+1@c0(dKB7DUSIz%vL0CU*-%&u!(2-NTfsP3fRGyQQG%W?;}}1Jd>YKsz*ZJIHskxeclJQZ}skoug=wW!Oj*_>AP8G%nQ7uPz^D5}|!+?ekcY)?b(PNQ6Kl#Q+FE z9-sUk05Xjt$gC>%hpenIHsFGux`sLOHSYE~GXN6nXfXd3L=vNHVydsN$?=!`D)>xG z2nN1&D!WE$-{!0bB=>4BP{{H*0|RRe#1-`~Jm;Yb5Z@sn+>l4)V=&Wy4lL^Ozy82O zGH1wxCiL4M#tI_&_(=Wz&t)|Wgbq1+%P}#5d=jn>mu$MMr?oeltwsk3^YVMPBC3hFV?r0BH}_AA8Af$#(HTAUa`r_l4UgnecJ?aqXP; zt|)L3@3vKbQX}-I$PeaKMdVW|v^V1krIM4vGY&O;XOn18;S1EK5o|GOy)I?DMJhDc zodSM*DxEVyF&%$dh0L6)HR0u4L##r}N8LkPM=!(oRnw z+250RKbm9e(r_l-mrH$WR&)M?V=6R?vFs|5-nRGS2jHCluu`-)5_F2x>dh&hMSY+4 z?7x9yXvDjJu<>3wLxH`CRLM{^ zgTGeY^{YJ3%`xL%+kwQFNE|Xg-fWo{*$?3Hr?2cQ^`_J-mxNd8GhGX*HB>c5tP>0o z1fTBkhzm^L#Uk}`O;1#NT9bZyN64`m?gY<&Th@oN<<_Y_;MRc6|k=${9m3OZv#2u~hPP4V*qB<8y3S zV8g=i1U!1Ix!-z>RZjSw39l7(X)7fY+`fI)po29lW4z8_Ao7ryHln?KI zGar9jmcAPAWm6W--b~{JRh6g`a+d{=+pX2wEw(?5dZMz$G5!%+vbs8cl$mNY+}NM# zPkwYw<3!E%L_SEjWZNT}!z_N>y69eOTg_bK(zy~lzoo|s%<)%Q5b>kn{@E*$36(ZW zT;0YyY1}7-lNFUSbTaYc7K544HrD+HsK!=(FI3Hx9LJF@ccMznE_L~t5*xL^V4n3M zNw%`jDww)uvhs+OR8x3^lScPtTsJn~x5stmhceZN8cpDBp)f=CvIETGdyGF*mfv@Z zO#eHp3x&h{=B*+qti%g-rX$oVPFPWV`Q{Hd_V{~-_GPj?5{6XtIaMS(7}}V0S4y@) zOz6!y`ZVObR?kT#@2({{EWtO3M>2=P3Qlxy*4e95}q!dd~@`lY-**@!q z>hEZ1Z@ftpdpI5v6uo~`aA*3mD>MRt;hHe-ru5^cxwgJ%`>W%h+j{76qd*$>ZkQs2 zA1vV8E1~xubW?`n)_A|&Gx`MZondF%b&RdT2FF00&twr0?sTwEs9zblhB0N4(KKhk zM7ChS)p=e#zf1y&RB3KUM?i~&{=!MnqA1$2Hy68TFl+5gQew@xAmq{+nTp$Ite*Yu3yQcg_L)C06o3h5aPnJ>p&u{K@h4+`(pAr z?Z$$VEBW5u-U}-Q5wLYfzNnM>X<6j?Br5MvVk_jEwd3!E4kvyJr}$u|>BYMW&U}=i zWiA2c3vj}Hl@HbD!tU&RnNO>A8q!X*DO@U8>A&o=zmr4)*11-i@dqC4=|pvmJn6kL z^FqEL8)`nUKrg>Lig>hf7|0Q_u7EC2^S@>qp)X{qjNLA{hr%saYSwuqbY znTigUt(W~?O$*Z2+ptHDj(ps9Ic$3dh!x4}mZjWC;|IK@M!fO~S@dEzhEA2{omLkf z_jvNsLQ}r&o1KQ;M-<-w-8F65_VD&r^)gGS7+a1IV89i)`kb^0#}kqR zyc0vuhmxlN9r32j(;J0K7nvi$)p|@_?A0ht;-zShQm&f@K)o!0<<@noOIXc%9aHRWA`T(Ea+m72U4ljFj%ESGnW6dzB*kAe z49#1Mqkt`GM3DU+SHlnu;0jxUbhBfAZ)ox3qpqU^gbJXTrbkP2vxP+WvKTlQo+;x0 zgibbotMbB8R3E(FEP&Jj-z%*5n*2{D^)H4IiKhMwu0-aBkw;|tI4r}fJ@hY3`ti;` zncn{!0{#C%S*3$R9L=dRufaE{>sW<_g`=aRRMZmT?6i z)*TXVg};DyFDtDF;7T(Ikz{TWf7KOz!|LR$k(g^EJs4d}$M3wS(`QRKcBel6c{w&; zka=pUH*EN~k#Pgx1_v)uB{tT71^mdtV#y%pVAeoh^5-CpxwtxHNd$c1`=Y|q_~?$1 zl?*~J(bj`S#K~E0N!v;gGL3=oS>GU(m)#JsnYJ7G zgB^)BTCeLvMVGUvvOiBy>*ddwle3-}x*cI(=37T-myeSdNhDfUoktHRT2hh+KpMIy z>>KKE8HY><>Y?u(DS?W5E<)B1u~?Ysr*@xR@;)y#7e5(*+@O2in)MQ!1f8Ca6{Ssd zjP(BrHMRZ|YI;QQU{I0Vkbb3r>r5hGk<|E=mG1Gy(>o**`y}#!p0)>T=tT?Qq&hAr zONDw%-pLv##UA%HSuP+H{sNqNNWhsPc|VI~bPab(n@zm5`M@CWC;eD^?%~rn-S_B4 z^$a}9awEuYc!*eg!J{)A7aSaH2wyn!MBB7${KF~=e=e4)%9->Ue#7I$NIl=-w43>s z+X;T_uz&ul+(^}=L}I#d(Ad*-b>WcLX3Uow-wy6)r1Y*f3-L)f`O(1LdE6{_RvX2j zGZ<6VLdC7*k9_?nF1won#?*dZ7%;hmztn<7OlRo}h{fkllkZv_$5`DKTDB&qGoVc+ zCs69|tzm{+lX~6b@*Xp9cuI-bI+5H$a&p4Jql+(BuUD5CpNGv@b{Uh)x5Lvf=WE)O z?I$($##xih<0SY7Uk#$a>k`T2A3b#`gL%xuON}MpFve&Oxdo8PXZ?jIow3uOe4LKl z89z>P;Omm~?=iNkqwD1ncL92+hA(LX5Qv9Xp+j0IUHu{k{>Ss{Pav)YNW0<>2!0y& z>mo|PLCf3Hp^Av+h}qN1Ec?-~!(Jm}mx^QGMpi@KJ>Qn9$?W2duTq1qo3&t~5VmFb zd+(zrcAHVB1qZZvG#F=d$J3o|xRpOL2M|h073vvxY48vhM$s0DNzV-#srsc`*$ZG_ z-a!)ld+hX@);nxP-1*g`3~s_lW!Z7*K>6YAp;@PC=qQQZcq!W!<^ybB|@y-}m}pA}_&|Akx)u2GFTMQ_cHi*73!78D;dW~yrq ztSV;tde{PX!i`hT73~+a>I=K4({5MwFn?RzUodZgEQuU<>Hk&*O1Q*zQ+bq-IaLh4 zY}ETo108VHq^Yc|?o7W0kz`)(42uEJR$@CkS3zdq#sLBaBvLK}wlFW*Pw#0LBB*E1 zZLNLo*oV*z=$2Y>iprT)==4nVN_y+;-%UG#PnnCDlyp5~##JLL?nN{&5l>$;T3j#K zX}ni`vU{h$uZm&J)9lWiVk+&SalO_sSyA+hu7~1&>e5=L!S<1V5N_YpC0}0)BfCr-c=>SuSvt$> zU0b|mlI3l}p-RWams4+mN-m76KJ&)yxGU2KEOWzf^h*MD1J%(4%iARs#VN}eq{Sj* zsZWSYGPX#kG`6s~dSU1L)}vWzr}VM3H5^MetcNqJcgxjl;wSbEIo0F70yARuSG6EE z$+E{(ultcQF%l18De5ia*w5E4W2G$jr`4?BhiiJOL2r6+)Rva+%YPG2z#6g?hQ`*s zaE(EGeMlDiZD9$GuYX2q$feMi{{~y371hty= zWtF>sKI`wD;o&=d0#5kLlNwuQTbXU*?r)Ph@Dl=C139Y6Nj~^n8_bn$eTeyd!YxbQ zOurW8QuR`$ik@;IUGg>rZw^Alqb`Mj~VPEUFT zC9uSMu<%wmrBx!CIG2-+dT^QN%57_N@s!8<-%zv54^Ak+g#w9A!N3K2YI>l`$%u`M zJD$z-0UPtTAG58RV=!8Atu1GVN!L3ziw1w|_m1WSO3SUh?#%zR!pkCMa!gkrpkl{w ze)=(E#%!h{h09R(py%Z7YNfzfOeJaHTr>Z4OOxCQ{3hnF_?#aI_Tb{mK7vDk(VW6; zdUmhE*~aEF(~L#KYoW6jvb^cPP8&Sr9%ece`E1psFeTdNCgHXllgK?RD0rW0kcwF1 z;hK*4#=Z>sl(U9GI9aSQ283zBfUHq)oLys0x=?AECrVLc@+oZF=U2=s8Ptp@sTVdZ z)EFXZV_I1HXl#o4dV7$>7e3-KH0G2n_AzI}(Qt-G`@^M)Oas5wg@1Qrw%AX=X?du5 zbqngmQEJWhp;j=6w;t3ig%sgEHea}6>FvcAiuNjVrq9vv3%5ub95XV-j?&&{ddg<~ zM3+WBki^7)DPyZ=&vuA>vRSgr`RvrO7TWVsa{ZDdaL-;IK*bFMN~=zHKJ`WScxn3K zLAvZ<+wc*@7ZHs*o(ZL`#Ha<<+uwiA=<>ci_%gBU; zlJJbiLUcsPxK4yhJ}w=`XL2#NJ4UDpDsPNl2&HbBEsD_6ZInW zB0tzj$CgqA;4)q!z~4zaN-(S}U@h;!&J%tjx@9xr77NuBzy3jh{(krXGFk%2NHJ}8 zX|vP*|B8F-xTw0eZ5RnrDNzwYX%GoP84&3dq?MFbVgM;=h7Kv|b{J9#k&)wfW38#dxb^o7#>0 zXTh77z?<0dD>jR2F0&2$2P~-^nDZQjYUz~Uaxdc4bXe}}Y;G3PFhrim28RCs1SP?) z?sn!kb&fqr^5-#sL7mt?|GUTsyyX*-feoI(__v58h&+FP=uav8{7-V=|Mb0o6aMWa zArPj(V`XL!GY|Aa_M3BZ0`9x{a1ga#%4l3AB%x+*3M9Fl*2`+#8WCSs#tY#W_;Z>y zv1hMfA6F6*l9>2-7NGM=*xq)e5_bKNnVI=I3(O~@j;`)}bI9d^p&@3hY4y;^hyoOv zJ?S{8BzOHOh$^>n!PGk@*3<}&)xk=ECylnfgTr}d5I=t5?R%uA#sqw*qm~A96aWhe z9xDvO_<9_0$)_@EYQ`HZ?YFx59U9KmjAipjbgCG-t300;WFth1+|KE(ND{z_=|0G1 zv;V?^Qs~j}pQ~8rN}w_h9GwR)&M}DwZtXo+yE;2dJ7Wm`if}EmKj#%Su)82(ImA>m zM<37h?ff8Z;3l&XWvo47RXXo;0*$ea629wMWfEEQFoI5ut5+10Kl!4GL@vG>I8$*471Jp&V;!A``PZHPqH-!-B~Q^xBJ47d;RCori)O-W#MQe-LMnc-?+yHN~YL zQg(nRK_I>L?Z`57r{6NGe2#rAb9VTYED0vEFsx|d>4W2_HQ?ZvdOgk{apy3ZQyZ`` ze7p*@*{_BruAEPOCJ~@9KCu}2qi>b?EbBJJ)$0ZNZ;}FM>B;IeU@OsMozXnW-GNOH zxD}*n-B<3q>-k@xe%famC5+{pxm@}(NLLf7-%loB_JHgHy?{jxq?@iLRZXB#=Kbf{ z>}sv{VponIH7jr7B?F4ikrl*VPYg+-&+BUSfY|{>YLE zwvLWPZWBaQD<_CMLo;1O^<5J3?JDhD07Of~gijWhthdq25PY#6c)`p8x=$47DAxuI z%9L_PXLX!=MfTc$e9cp0i}9UCCxR}f2sX#W1R1#42@;_(N(B(^`gs8f>fDEFN`&)mH15#=~&lXT#C?Lq^Yim-~YDEXiA0; zOAKuckxrP@P6G0X#|gc^Xb3d6&)1_bRF51IQ!GHLC$4)=NJ2#Xwm$Q4;G)r-bR~4# zB6wpA$Pw7C!@l#eqc$QeCW7~N{{oqop=Y@sV6Xko3R)uR=u`t6R>4yolbULi-B+p@ z8(8mV6_m!xxqBC#O2n8fgb>~`Hcbr352CkJ>64XzgSa8co)M9i*rfket zsA}mX=}^owN{=1Sq)@|)b6n7|`s1?y7>Vx!@$R?oC^=OELbDne35@4`0f za_VVqFXOvYZPmo&nPl-zPgTT|>2Y9e%4KPg3q&_DZ#t|JYm*yVrh58%7pJ(VQp)=q ztN)s_hV{=Xpgi@GjXMFv*)){}S&Rw^HDV@+tZ_qn-R`L>zAu(i92==4U#;25Pm|j$ zK2j&YzCFJXVURUv8yX$ZCt(4RH?@OtWe0Uzm26jSW`3Kid$8itc{+Jv28Ty z4E=(xR;ZSFrIaNGYVmU&HTs`ChmP{tquF4?H&9L`<1nSEgr7k@`MTAJbpTIkh5UOw zObLJh&D!gzHs)WO(_IJ%2!M8E_@1Q!S&Wte?2BSXkq~J0MocR_s+fWL+7_e1$g*&B zcTmu<29>*D$S2=`kf?A=$R}#A+id6&Y&1z|9}5072-rnB@n#~7rS7JeE9acQO$|bc zr=B58j0fWG=3B>}(@j#3Cyw84X^PowTi*R3A1Fw%LV2CpbW089;*EQ1XazWHWh3sKAv9}zm;y_a zRc>!yIkQXMw=)SIwzM6=6k@E}!hJaMtHoMM!H3%EFZ0eUx>@>$^aADK_I>b}Hvyk+ zUe=CC2r zNbjKP$3zs>HZqVBf@wEv)){@ugFzHhcK&1sXpi^BvCQ?FEYGw1JcSqmHAoY}~* zBKFW6Ol&G5gD*i34l*D;&aaP4emsD5B7^9X?9yk!CU|TBiU%t0>@5s|X2HE-KVLlKV`N?=0^AE3@K(5KB6phEe^samtWjKl9E9)xcI3grZB0pg7^$@$%Lf9| z2d|=9#d;#1oEg6I?Lz}q&C3bqHz~E=3`SOn6ivOGrm3XYIUMVhs`<>M;7hWfGP)T| zbgR|*Tz7*SdIno+JgL*y6~3y)&v4&fdjvVRDkOo?UI#HdRjABwiGScA}d#(RqDGGQ%UXdC^420 zwr6Ea8wj)5>Rn4}|FDV9m!Ha*wVNz(Ng@qv-*p~!jpsvF=m{y;nT`f+%BNdM7^S+- z;=#;DzkE7jT-iyo3x$e?RS&E#+GVbUj&b|l`*e-op`J#nrppU{-Ml8F`(_V|k8i|_ zKT`u@aPdaUq)j>%vKgDJKA0r-^JwEwhtFz<@@=uACm6jE!F|hTrfqIDE81x1*kJSS zyNsa?*4p-su*obn15PiY>r8bXb@|&Gf%k3~Bc$@^8Ar88oe5{G0Cc9SvCcs zcXeZm=*{tt_V#Gd^rQ{gkp0C9LGo-{V`JgNLpKX+Yd)4mQU*`XCsMVaq$-yZFiH9Y z6_EtX$us#yj}lB0WNm7o1*oO34Sic~iG(l6ZCYM4@U+VgOGftHBxgujp^GVwG{4yt zEbic=8$n0voMe6|6TGV)%&K{0&@kZIATn(u|MY7=9}r8`IUOF9Y>=y@5rqu&(D2=# zxo7ynOVxUNyLi3%)!s@3eM&FSBLj;Z!pbkA|+m zb~;7dX`Q0gwX`}XY#VP^PTGgUCn|qu6N|xseLE4k6*f*LCBz&2NLSZVjAZ6`Z#prQ ztEP?gj`Y{{Y(`e$qh2LuJnBVuMZ&uqUO8dA5g zu!xRkl1;jVv*^~{-CbfkExLg@w%=ZSEC8aoWD)n_E|AlQ^iA*jpCyTT))W{5*2QAu zR(ZhAha-~zo?yHS*qUfy;8}37V!#wBxVhDUAP~^?Rl9)fkDk1spum2n`MkyR=P_Vi zRr|5L%mRU^0ZB}DCdnO;`Tc|mY83SKQ>>76+Ba2FIjgIy@j>}z(TLjoU2bkPjgWI2 z@PlU&5}N3e19ZsWH^U=+ed}qyYH&;8p%8~1)17N+jWdrgya70jaw1|H zf!T(P@G-jB^J&$}B^QeBI^fWY{!7{m$!Z6TBJ9(E)Ato9D86bL#tWhA)B=gA7%`{I z>2>=Bw>PI7HxVp2j?IRK=vdvxyGn&e6ORGyXx!y!-ww7rW;P#q-R9x@E&^J9z#)wp z6s7pRI!KgWp~b9_fie(EJd#c%V%rth$92i+Nl~kt{_wIx3E1ASpO2s}S0U(rHJ}(k z=XJo!3&RogrImFPUa}*=*%(+Z{*``$ITx?}G2ec^Gv8Zi@nOIuqHWpgFm;w?f;x55 z@>PuF5vJrMcf%f?Jr^=3tEQ{V0R+Lj>+4Nq6Q^35njN`nIbD}fGU&j?LAtWHGFjbp z=h(OT_!Z=4jjC-U;KXYCv0pZit@%N&$1jq)U4<(+vmScNZrHIO=wZ>Le85dpc_L=D zu=9Fal-2NXcNvPSuY_Gdl@sy_ux0%0_&NeryJp3jGReAh$r?282w*TJ%RBD(X;XA^ zjZ$+2Qr=FwymV!^=1yf`Ekq&uxHqJQ8R~{c(|Vmr1)I&;vp0Z^6M@wX9~5fwlZ))E>rkd$E7FO7!^5)a>!;ff4HrEli?uC8N>CR7fd?;Y;8g7 z_1=I`b4^3k!WlP|!1~FjoA^C6=BTxuKc%iGc46hmNb9vnYA*rV`hF{SI63=U1~jVP zQdEf}*V42?qY#dBh*VRs{9G}Dsm^COLa(a_v>(1maN*%)_bVz++{b7YZTnqjPR_(E z*lf0$2Q$A5Iheu`-QTP~-)U8|Az_)mJ6~uiytUU8FR3;u)8@7o3(vl$A3B>C5cSxbfM zSsx7=Cf{#g)uq_%h+2AmCU&_%-g$J&Ee9r(@lx1Hd(SwRJL;KgWtMn_``V$)a09Wv z3IHcK!s?E(RsyS>Y>Sx-OjM8sAgd8xhs8lT+Tw)U?+iw8vfU~q_l|{I1?^@$dU8$Y z_K>(gsXTbY(e66CiBb|v`N_k2BeV8nn>(L%1a0LPr`GnnVqkWB zArE826vj)(&Ld8gT;HXCk4&1$Z5{66OwxhPsIv%d2e6C zLK-9T@%l?*m7Y{r8fa1OSDY{oJj~HD%+aULHATZ69pV>r0CdFUO(%O`WTl1=>bLTE z=e|qe>t~k=+DY%#ES@St#D)tPGL24skG?Nys9Hoe0*su^zWo-e?#V%bH_1Kt{*ScJ zs=#ryZ(l^?>) zz7-=Uem=TP#hBO+GfAA?|M4ts-(&kGxi^G!+m-sR;(!Zn%x-K~M8|hA(pZj@4#hxo z-PBYI_Eqx5I@j>Fy2&u7z_%q9Zv-f{rN*=hdWY64ARHcz=@Wk~YJElFmkgC(Zd(^5 z!#GNk3X9klfniEnNN@ZXUB$y%A?bH<7LT62_x5^9rL=+8v5}3sJ1}ouTp^Yp`I0GI zQ;rx(iepRwxPkbHxcoKo7QYK*bm~;4gq75D7CY`NyuafY`WA(5T?DH(8Lcdt67Imk$hT_w^&@B_-(HYi-EV54Gw+-@eD zPM;%uHZ>Ko*CH*zvBm^%Y3s}yFL0As3Jz@W$$7h^xeER%!7ab@-V`j1L(7ye*^ZGzAnSMZTqPW0#Yaaq&`^-3Ir58eZjycutHw z@N)C3$lV(QQ*J8%B@MPlMWpc_CsFaj8{4KuC$#lS$g0{iX98oz0X=JQbB&m}-sc z$VVqxAwedAQ*5&Wf6$x#nl@q;IwB^U6eAb>C69#ZcGig{%4bI-Yq3<`+oE4Td%6Xb z8ydhFl`3oJSBr>J6#hMOW8p@9HtIe};3|9Ar23mY=JizS`%miK%8wt)bw7Q95C#ZJ zw|ZatXJEW8Nh=3`7k-_;V?NQ43kHLgoHmkn7^fZkCX0B29QXy7YOhLskoWFsd%X8V zdH7(T_tGq*x7woc{F(N*H8nceGFSC{g07<6G|<#65`Zi%MGm5c)t1_H{J0OOqvK=3 zhpuXBS6N9IhlYp8Rs3B~kN4)^gmRVO5d+b!9)zL}RG#PIW~tGzt%WfZ9GlFNH6C5| zBl;*Xkp5ZB6HR2ok-m&i>oRtJ?BXKdzkoTAwm)DFNMC>a_%Zj7{ME>e>v#4lpD(18 z-Z;2GR_SF-4ZpCc7vv&8Capq8emL5pwMHcBb;%R?AK)7$i)q>4C$vbK~-4%3ZM{f%CDk$lTB>@ z6PeBq;n`p6beI0F0APCG37`}fets=1PH+Phxhcxtwj?D{j};pSfrd>YxjYnlCVxuY z|DT{ZoLFw@eagcLufB8%9)NFe9C++9vBdJFe*;XLpVfGPoNR04E_naMP<%-L?~A7r z+%RHuNr3VRhED{;Us@@RvzdrL|0)+xh5(8q>=17SmPSASV&B)fvwUn%(mC|{;g@`j#;kQk#F7BCvApo;9DTlvh!rb*sBSR zj86&AnX4hkoBQ$Do6Wc-EE*X9=um8I#jv*lZ?J#T9&lg(p*xEECocT^x!BJIRy zZKH>f@qpkbK9h3QJDlo4<7_I^ufPO5H*H9HZ7sc9dn!o)C~=}U`=o3^hKwiTHSQA{ zN-djQS9eQ^K+b(nPhsiXs7oI3s*wO|nu@&R$J`?XDh$$S!h z?+ni3A4$s#Pv&=b5!Rz7o}!l8$HcpWQmRo>l^jMDQlnl(TyKj=x~cmY7z9CnB4Amd zV+U6xF)UiMb@6;$`DF{$_SPm(cj2U-$)*x>vYV&AcsTCilE3t= zrs>3awNI4d0ufPnoD?33AaL<4s@r@8m*TssC`dqR*0j^IP~C_F={l|M<6aV( zShEIxqFZ{+4%9WVqNpA67w)o39FoD)vX#2)R;P4v#k6Z#zAz?!*u!N)Q}ji_O6}KQ$jeG7d#V1K z{UNoBkd)Y4mqtgIVVTo~e_nziG!}U>4Z(UG%yZ1-S80ny<-~{Bmb=Rqs%})3Hn2Tmk=A`hSwVx#3t53)FW$l3_&3Qz8x;je9=m(>lY&}T331OA_mUt-v|Hss z^h|PoA8^hG`%*~j+{eQ*gt~N{6_a=Z%dIaxQ;2;ZlM#b-eWFSWo1)chf0W~QY~-J5 zCCY|w3o7Ygr>kN79Q}r3&#D-;Y}q(qeo~=%-~v%5>`=SsO@BGtodboEJ1J*WSUqT+ z3x6h+^2)1Qmq$J4Z9|U6SejSH$}kpbVUO13>49v`+!eps_83!cZ0P7m=P>`ev{06` zb1j-l@#Cj4ZdEfRDq4-_uDehDSx1q7RMf@2U4H3dace&(0s$yr$+6bzDZVwbOmdha z(VhL3g(~kzx9c^Qh8vaI0UF<}Zbcm_x*VqOXNhmV$s|BMp_ml!Sg$h5Gos6YwE%iI zBa7-x?x@++GmVH!4Rq_LosKqbX&Qyo zrF!zzJ$yB;o>{P$wjsWVf%i9e#qbez?-B#k*ktMre(hN(-4xa6)f7}>i+JCyj^**o zI}m95@!DZNS`ry|U+6*@%617RhMq1gWwCsEM&vDEdqlx5Ch0#-k-A##D=&h2wZA9i zV4QZnuE-%G7RWJ1zHT^BM-h{@kJb!EBcvw<)i>ueId{~*p^nGjw}s!hq_q_iuSFWg z|AX2j74Bv9MR&MLgRSvinI7KR>ye~UA--0Akdpe2RsQc$b@uAap62U1l->SY+zEGO zr(+q>eX088OZBL?eFaDy5E?EsZtDV*mWU4E!#Wh?G4wb-{=rg#xCvM1y=sr9JkI zTq*A0G7kh-EW%g;fM5`6E)SX}NOR(1Bx-Z!DZx|8;{40D1j1h3m}BcbIcc|%X^dA2 zidRt~|SyapTi#FMQmH{bpT-iM$V z&HUEc?}9IEf}J=W2Lwn$YG-1$y06uAhmrv2jvKb;SFaUkKS<&dHf(v_zBtg#KNrSJ zb1#-*JfYEUQhl7M54Pckay8Rj2iJD#Q})H_?)xfSG)6p^KkpIMgu8=1r_>-P_6(Q@ z!$IhIO@clQlcNqCnEecxHI?EszS{}XI0mfpVf9NpJtb#v{n$f5$(E>~<7nR6UboP4r?H7T|@r)CCW0TGX`sIAPU zC&HCbBO>)95`Ej5 z_wloq7t@X6m+~aWTvGB(=I=!lA4}vd?Y#t!jy39bY5W zI$NcS=B2q7ySn;egWa;uy4pF}wethne7yLeU$gK=3*lzZhfx2&u#RgESrh%U5637= z4e_o0?uswC2?aXBk9hz%B!y5)R=~ld`TmbhZLzg%uqFAHn4*6Qj?CSRNN7=@o~CuIR6M zTAkTS2+5=ei&Y6rK(nBYkPM>{(gZc-tn%`&ap^)Yw~H@s)Y9EtsFncUHp`TlTBzi^_O6{9IN-#a zk9R(N@Vav4gB9HjSCKzv`+{X7*w&WDY+#sWNmQSMKbZZR{9nLc+|iNW@Xm4?1ekV6 zK7anctgNi9EgDeLaC+cp$)8(VuI5P8ot|K@4kcs0_|_*;`S1${*ZFPYfIFt%=H{m2 zd7nZ}mvztT@9tg#o(bu+J>jBU_A_26HnPQu9u=i%t;UtumB*BFPEO@mZ%O;k+m)}Y zJ+Ff`}58BA{K%~O-?|{A`yIGR zmVizk)j<3_v5gth%KA<3#bIVT?&kr`O<+q|iF5lKv)Na~wFWP|M5bhF0s!mlS?-g#2g*?vj=5!(To@OaJ1cL8jEMsEz#zrHdB>t5Jz zLOUGFeY9P^m$_RIYY*6=CU=3Zvh?zHbj;y4;p)4`cv!9o@4Kk@_;|r1 zu>5%}Kpm?c`uepUbiFYJ-CSZ22o5$jHYh2e7F-yAY^@fW_45R;ZRUE_7^ z_McQO;v<$eHVK}X-4MVF2l-3~;Nr}$jFm#UK<4}Mq=JsuJc{`GJw*@EH0*;3_K2>@ zIq5$zk}~z9-)x+Rnwkk=v?4kKgM(Nz)|i+WqXYmDgqT}f$N!#QELlj^(2yGrhuaS- z@v~U_{6*8y2RN4rxNUi0nU0xtar5^x!dDRg*x7nP=mkQB22}CwwNE-s6*oX1VGF5qsG2tFs(+7!P2>RFAD&^AFZb)(h*hm$-J)=IRuKwa15Yi?T)2LZ)^vxT|W1bAkcuC`9Wg8qgj%eqezauSGamWtCB-ejPZu%kkgnf z#54=OLd#@o6WF%fU8EpCrpsge1-*KjcE=%la(glz@b7^R<#(kWCmqitra#Y*#ys+$ z+6VdEiTYOJ`r8kK3$s%Qo{lUfVl&FHNxss51vh2EtyJnI$LQBBrWZT zqKsun6hWof8~ln+WU7GWgXf(l?=jTwBE{1j11Gk%D)kfJ)_W|sV4o|*KG3af8fmiv z&IOyxG{^mEokXa?%f{iW6=bvK%5Ns9CU>zOn)*4)L0*P$ycVK*uN>7`?`ha0HAH{$ zAwXx1eCHmOXRU_&#n*Q{u5op^&`!zHv4z;!FTTqc6n%KLJ2GC3Uv<}_6wl?w;4$Bh z_aS|?`q?(UyrU;&PK)-wBZQ^bal5HjJ|P4$&}K^0@5e4e8!)NPfz6MoW??GsBFLNP zc6k<@ShU*ZEgNdBIq0f1cc-353f6T~D(*grALDWn@C>g_$w=$3HLMY`eCzG-hvy0& zV)}b|xc7gmlhJjzyIwtMka^X_9>cX9v|YyDKC%tdcP?+ULX*vG8s#RSlQ~XGInHd65V)rIynE4VB&Nw=s2Cmvg4`?NWxx|VP2 zf~6|(7WH4SDsFqeWl&3$CGU^(n7KsXVm$Msj;6i*%4&^wvbJ!7xi{tfSdNn}@Frq? z@~lG4%zsO?=bqas?O`SRWy5c!ZoB?dyiMa!IE!UIOrt$OK~nKce=^!&G<5`*ZGb9Lt(8F|{|-jdL%4Qy<`xy`gqq zuP{f?QfhfRO`bP@(-WG8Ifmk)Q|}osl5Qo?#Ab&*vqngd4rIPJd6&sgn-C{!P#L7b zGnD(Zag?47q0%9=nUP=85mXrbBGdefi0;b4;dl{mQe%O}$yC^&?`B*#UE9kgz-EBO zco(#(x}V&I8IL~7d1JVhK>YO=nIXsUR&6=_WkZGhTte7ZSDhb;pBJCo`^x{`SthIzB z*F=-(C7K&UzmMfmUwo~l$28%cg*Fz=L2dmOQd<`c9_YdhEN^S@j_6j~_Ht^^p1qH) zwke12Bl0&$*P3vS!{+0azdX0i+RwQX+?!(a{0cmV^619n23geZG2SIDT^;iXZOe1H zqb@D5Znt?FmQS-yZ>P}0QE~s5((9p`d=e79@;7cTPQLIgEV`?HyBGUmxVCH~3?AGX zRC0G+Tgi~LQPdxBxj*r2xAQ$^H>W$DmwAhC1la89@71dnxYRLb4izG1HJuA2 z(Bk~OG7TJ>1~>G2lymkJj5Fi5{_5aj`@mej*d?W(z|aNAtosko0Y?1b`8@CpDwDjy7sH7@k#SB0NK6^WZhH1F$;a~u&^BROoKWRTOIXb%u$|F6o$sd7` zcgGjxHbCD%cU?Gv#fXWFUYV(-LbYc}DMBUpy(B9Cxpr?`zHLS!HFlprkJGVz@M02= zT=ls_N)8@AdtJY`aFDZ6c2l*pNw!#nRxtPaNzxm-B6G11DOXOTRvpm|K^pmpJ=tXw zlwJkL8S+yuYZ{O!vVZ@c*7&pCjakyS%67r?r(DeJYo3c)a3;nHZw>D7?6Ia>c{fc} z_`72K#Lr4wrJNow>tcz;N=n}e1>Dj|Q^g{9Ux~3c35HgFoo?K!m*~-GfBbmS5?6^) z<~8m}6p>`rkGGEoKo9&x(q9AaaD2BGYaCSklv_5TbVhi!o^SCfKP+The=#^>rRk1^)?ude#Dy^~=0`3v=?Dy=E{{N`Mzy_HP z<96v&=U=m04;$)GS(z2p@6~Rtkba{5z~N|ZNSQ(CV4AankxZg0+vD|d)?Vgh+d)8a zhCe9G^blkFz=%MKQdV8q^Rb&iWGhK>G;;6($(U6LyZ5uxft)`_r6|Y@pv#32-&~f}ZCHM@?+4 zX5(wp=tF2eck1S(abKs~*shMcwL1COpUGy6U^%9tf3WrQWe#Mike{Pyr#LJt#fyC5 zwh-q;P*vyhH_`gf8uyuy>ZNRiNoxd+{bJMvkAFM*pfNdFBY zcR>1&GLd+C2B^C0M5c6`%6K*koP}Z)V&BZCLT@Zy0=)eHlubLD)eFg$o@>61EmE0R zJS7=Jb?$cmJhFW688@yz2S0=jV9H-E&y!NIYV#Cqw!;pNA~NG9C_gKrOR{(U|4uD%VnU^U*BVeme4(xAb{C5tnGht0Cmj}F84vxX%w@u(8G zH)aQ%<_!p&92BU}l?=I3|6#)r19}xL_G6J5eY0FRh zx&1vv$7%HQF)o4_GnaJGA&pSb#4*9raAjmJF5#?@*$pkuP$@s^LN{22y2%Dj#`1Y9 zW7c1WWX;^=hbrK|!8sm4n)+rFj5!P^N#>1vdHS|hJg;q+JPzd9=q5Q!U)RkFI?TNu z7@hG}N-{A?>c98gq@5Qq21LqF{GkR|YF|}k8rD4GVw(B^@B+P%KHZ=G`F)tUT5!!* zn-;$Z2&sqh>U6n@?>Dto@AR+@-W<;iL;Mr3d({C(Z*!ZHs)FnE8@y4tyPI!oaF*WPu`gmDOc0m^w_iA1`>_T3e4 zyNs%@dqA(*z7fu&Hohl`p(0wX2Z~(bz8pyaRBK-{cm5vFLSRF8@qF8VDZax_bTI&( z4vWjEvP!Bl?)R0Y%L`KxU9AN|Nu3R)3s3@++nkh!78x+5+3!;1z4#_{MI6{Z(5syRzYa@={f7aZ+HaG$f9W-WJ&S*6m-=B$eMD6$ z{A&}HKt_jsZyM`nfVG+fFMJwaW&e>h{iUf=-GWa3rIHE^`vsW+CpmJwu4~vM;D{6c zdPsl1aJ=}xF_lZuInHtUi*}RQfv&)IascCh=}+>1g04A6jQm)hpVt?f1Kf{neEnzt zY!VXEn>0-u>wY>LoNO*&EPpZb6J;{1%IWb7_;E-E)&UtuBm^sCa@2VG9X_wpe!CLM z#WXOebiU^EKfURgMWy7uR30%%Q0v_{a1Mt9&`n$g_&7y1^Q!r#OO6bBCO_0XClSzG zjBUB(M)u3X<)13E|1{h6YN3V|iAC|_Qc!B}9r2<#K_ee3JfA9Fg)e>^F(RLcs{?p2 z{TDV|b}!!+vx*z1;4pD-vQzVE4v+JUG~g(RJSn%jVf-pAp6tmyzz6)Hg5=Xx%g+UN zcN}y<(>9#L!l5R*q`Nqa!9oe0J*(WE+1?0lsz$chUhaYzWs)<*Y*AnMxI1UA2ffBk zt|gi)_4W?%Xi;>!I&GNBop=%e$Ns8DDRB3NP`xN7u67I#quvv!Mk@?v&Qoe^B4!zX zVO+MI@6(QACwZUM30IHk>~`7ZavRdCIiwH=xoaKiB=rX0nBH}=94l($M%rnz4KS8R z>U0X%J&2&ojdGtF;m~hYY2+&1;!~S(gA1Z2RQvm8x`+&iyWhLMN5X~GnN*Nkw@zgt zoSR}Ck@b^erSwP(n`oCn1I|-t%u}_2;r*jXIb%4K|B2L?p~6>Q%dtjUHcY~kLBj)% z_K|>r0n@$8!uUNj4MVTki-Im1XuSUYhYgnX3!_K8`dC)j@i|}zgR=VgF|_;jGRwi# zgHy2kqN6dbAx9Z?PoSrmTWqlJTAOLt>7pN>o~Ufbr_sbQ@Ly@m$&!E1$C#nxb(>F& zqS{l&_a%yLblLSsl_I86eysY~Ox3=-$h2KQt3>2tTyVBFJFPxFH!}f5eOm`Ap zPo;#%u%;19SZ_ zyu;hImYGK1P|T;Xl=rzwUJTpqh>*3d8V{PZWxZuaDY$gzs8~m{^WP%>N;t5Yx--48 zHzyssa{?bUS(rO<*E$YKJ1#mxEfLLa4W7PNiVdz6^NJ3OA~T&OQYv}Bp?}bU7L9V5 z!=>_0X#-t$N{^0QUmc}2Vl1mM@3)#y51+yJrWxIlu38Z(U$rXb2UA_<&BBj)&4Ha` zUnE$*qh4TZ2rHzX{NPnd_(Z_d98Pk>B5peEQts{BjtP~4WAmB^RIA_S zaS!Ig(=H!agdb&RJ@DGwRA7W`&d+|gBPfkfiP(kXc1At3hhtA-BCjnXW`gdx@CuE) zjA)v7y<)v>!BIx3P|}J*(sTm%P;v~}09OJUNj=VNbd-hCJ|&H+HoOaZtb<~tQ=n(o z{hNDrHpksu)#4sGD(&x4%H|BQ@#1_ zbL0)v{^5*1PudwOZD{|Ab!&dtm%F{lyHe}+<3cb zw%qvGB30%x9sG3u9k2V<_-KO77YCi2X{Ttz%=BmQNe!DrgToQaY_YI;gZHe1bVHt8@4ye(<@#e`N&xWSrd1TC5k1 z;73Q~edeg7i`{&xkA&qbPR-%!E0zhf=o^Xt?js%C29Q$jYpe$lY3HK}NXhKL!6tlJ z5f;qJ_Ifr}>}Y}q_Q{}CBKP&{RV$k0x%v@chkshw($y=f*?1? zdOZ>rH>i>w+0bSa+NL`A^s1IcVU`+Y+Fpn5iLw0AIX8TY5rFObF&=EXqMR5lc=r2v z4kXuhHodbw9(c`Sl8&nGcXlnemdQ02iA9lhWfm+%O&-73h;a_#tUoTAV;$s<4MBM` z+lEz3o~+go&G~1$%%|2|J&<3O6Yw|*u-{uvoEW>+yHcLrD;QZaxliW3l#exrJ(dAn zNH5UubNN3qS_cGZy;mN?7Qf2^pAA(;j1Gc|-fo->yXU#l0-7Us{976HUxh6YUOzO# zBP9LRYC-?OUh&#;1ht1moSEet{T0xX(g*1eN+7=cl%`9r^<*vAP9LZ$=WbR9~^_=XU#4> zum2Be_uute$gP}mM*J!Fy&g(C*`R>{wk`H>cfsvjiS1eehInfx(s^PUYZD8GPlVj@ zlFF(1A5r*C4N1;llB z?7NG3|7GL?2>w_67Jf!vhm8Lc(}AzD{QAnGyYz{7A)(dGS!ELh_E>Tcl%)$LpZfhj D*}YHM From 5e3cbcfef5cef586416fa3ebcb8234b347ea6cee Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 23 Feb 2023 07:31:08 -0500 Subject: [PATCH 09/37] updates --- .../hello-hybrid-cloud-kerberos-trust-provision.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md index 888a64e3bc..e34d3409ed 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -199,15 +199,6 @@ If you deployed Windows Hello for Business using the certificate trust model, an > [!NOTE] > For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. -## Troubleshooting - -If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the *Windows Feedback Hub* app by following these steps: - -1. Open **Feedback Hub**, and make sure that you're signed in -1. Submit feedback by selecting the following categories: - - Category: Security and Privacy - - Subcategory: Windows Hello PIN - ## Frequently Asked Questions For a list of frequently asked questions about Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business Frequently Asked Questions](hello-faq.yml#cloud-kerberos-trust). From c811500a54373ee0de438493f6df0e651f216491 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 23 Feb 2023 07:53:47 -0500 Subject: [PATCH 10/37] toc updates for keywords --- .../identity-protection/hello-for-business/toc.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index fb0ad0ce58..77c3a38b65 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -29,32 +29,44 @@ items: - name: Overview href: hello-hybrid-cloud-kerberos-trust.md + displayName: cloud Kerberos trust - name: Configure and provision Windows Hello for Business href: hello-hybrid-cloud-kerberos-trust-provision.md + displayName: cloud Kerberos trust - name: Key trust deployment items: - name: Overview href: hello-hybrid-key-trust.md + displayName: key trust - name: Configure and validate the PKI href: hello-hybrid-key-trust-validate-pki.md + displayName: key trust - name: Configure and provision Windows Hello for Business href: hello-hybrid-key-trust-provision.md + displayName: key trust - name: Configure SSO for Azure AD joined devices href: hello-hybrid-aadj-sso.md + displayName: key trust - name: Certificate trust deployment items: - name: Overview href: hello-hybrid-cert-trust.md + displayName: certificate trust - name: Configure and validate the PKI href: hello-hybrid-cert-trust-validate-pki.md + displayName: certificate trust - name: Configure AD FS href: hello-hybrid-cert-whfb-settings-adfs.md + displayName: certificate trust - name: Configure and provision Windows Hello for Business href: hello-hybrid-cert-whfb-provision.md + displayName: certificate trust - name: Configure SSO for Azure AD joined devices href: hello-hybrid-aadj-sso.md + displayName: certificate trust - name: Deploy certificates to Azure AD joined devices href: hello-hybrid-aadj-sso-cert.md + displayName: certificate trust - name: On-premises deployments items: - name: Key trust deployment From 045dfde0adbf005c1fbd14618972f9cbd3c210dd Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 23 Feb 2023 10:45:02 -0500 Subject: [PATCH 11/37] acrolinx --- .../hello-for-business/hello-faq.yml | 4 +- ...l-smart-card-deploy-virtual-smart-cards.md | 109 ++++++++---------- .../virtual-smart-card-evaluate-security.md | 47 ++++---- .../virtual-smart-card-overview.md | 50 ++------ 4 files changed, 79 insertions(+), 131 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 8c72724ae4..5f966f3ebd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -78,7 +78,7 @@ sections: Windows Hello biometrics template database file is created on the device only when a user is enrolled into Windows Hello biometrics-based authentication. Your workplace or IT administrator may have turned certain authentication functionality, however, it is always your choice if you want to use Windows Hello or an alternative method, like a PIN. Users can check their current enrollment into Windows Hello biometrics by going to sign-in options on their device. Go to **Start > Settings > Accounts > Sign-in** options. If you don't see Windows Hello in Sign-in options, then it may not be available for your device or blocked by admin via policy. Admins can request users to enroll into Windows Hello during Autopilot or during the initial setup of the device. Admins can disallow users to enroll into biometrics via Windows Hello for Business policy configurations. However, when allowed via policy configurations, enrollment into Windows Hello biometrics is always optional for users. - question: When is Windows Hello biometrics database file deleted? How can a user be unenrolled from Windows Hello face or fingerprint authentication? answer: | - To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will u-enroll the user from Windows Hello biometrics authentication and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/en-us/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). + To remove Windows Hello and any associated biometric identification data from the device, user can go to **Start > Settings > Accounts > Sign-in options**. Select the Windows Hello biometrics authentication method you want to remove, and then select **Remove**. This will u-enroll the user from Windows Hello biometrics authentication and will also delete the associated biometrics template database file. For more details, see [Windows sign-in options and account protection (microsoft.com)](https://support.microsoft.com/windows/windows-sign-in-options-and-account-protection-7b34d4cf-794f-f6bd-ddcc-e73cdf1a6fbf#bkmk_helloandprivacy). - name: Management and operations questions: @@ -117,7 +117,7 @@ sections: - Data about whether people sign in with their face, iris, fingerprint, or PIN - The number of times they use it - Whether it works or not - All this is valuable information that helps Microsoft building a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). + All this is valuable information that helps Microsoft building a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it is transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time. [Learn more about diagnostic data in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). - question: Can I disable the PIN while using Windows Hello for Business? answer: | No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that isn't a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics. diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index 31b8132479..e4e0e793bc 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md @@ -1,7 +1,7 @@ --- -title: Deploy Virtual Smart Cards (Windows 10) -description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution. -ms.topic: article +title: Deploy Virtual Smart Cards +description: Learn about what to consider when deploying a virtual smart card authentication solution +ms.topic: conceptual ms.date: 02/22/2023 appliesto: - ✅ Windows 10 and later @@ -12,13 +12,13 @@ appliesto: [!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] -This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution. +This article discusses the factors to consider when you deploy a virtual smart card authentication solution. Traditional identity devices, such as physical smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram. ![Diagram of physical smart card lifecycle.](images/vsc-physical-smart-card-lifecycle.png) -Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they're lost or stolen and reset PINs when users forget them. Finally, you'll retire devices when they exceed their intended lifetime or when employees leave the company. +A device manufacturer creates physical devices, and then an organization purchase and deploy them. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the *administrator key*, *Personal Identification Number (PIN)*, *PIN Unlock Key (PUK)*, and its physical appearance. During the device provisioning phase, the required certificates are installed, such as a sign-in certificate. After you provision the device, it's ready for use. You'll maintain the device, for example you may replace cards when they're lost or stolen, or reset PINs when users forget them. Finally, you'll retire devices when they exceed their intended lifetime or when employees leave the company. This topic contains information about the following phases in a virtual smart card lifecycle: @@ -39,28 +39,29 @@ The TPM Provisioning Wizard, which is launched from the **TPM Management Console When you create virtual smart cards, consider the following actions in the TPM: - **Enable and Activate**: TPMs are built into many devices. In some cases, the TPM must be enabled and activated through the BIOS -- **Take ownership**: When you provision the TPM, you set an owner password for managing the TPM in the future, and you establish the *storage root key*. To provide anti-hammering protection for virtual smart cards, the user or a domain administrator must be able to reset the TPM owner password. For corporate use of TPM virtual smart cards, it's recommended that the domain administrator restricts access to the TPM owner password by storing it in Active Directory, and not in the local registry. When TPM ownership is set, the TPM must be cleared and reinitialized +- **Take ownership**: When you provision the TPM, you set an owner password for managing the TPM in the future, and you establish the *storage root key*. To provide anti-hammering protection for virtual smart cards, the user or a domain administrator must be able to reset the TPM owner password. For corporate use of TPM virtual smart cards, the domain administrator should restrict access to the TPM owner password by storing it in Active Directory, and not in the local registry. When TPM ownership is set, you must clear and reinitialize the TPM - **Manage**: You can manage ownership of a virtual smart card by changing the owner password, and you can manage anti-hammering logic by resetting the lockout time -A TPM might operate in reduced functionality mode. This could occur, for example, if the operating system cannot determine if the owner password is available to the user. In those cases, the TPM can be used to create a virtual smart card, but it is strongly recommended to bring the TPM to a fully ready state so that any unexpected circumstances will not leave the user blocked from using the computer. +A TPM might operate in reduced functionality mode, which may occur if the operating system can't determine if the owner password is available to the user. During reduce functionality mode, you can use the TPM to create a virtual smart card, but it's preferable to bring the TPM to a fully ready state so that any unexpected circumstances won't leave the user blocked from using the device. Those smart card deployment management tools that require a status check of a TPM before attempting to create a TPM virtual smart card can do so using the TPM WMI interface. -Depending on the setup of the computer that is designated for installing TPM virtual smart cards, it might be necessary to provision the TPM before continuing with the virtual smart card deployment. For more information about provisioning, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md). +Depending on the setup of the device designated for installing TPM virtual smart cards, it may be necessary to provision the TPM before continuing with the virtual smart card deployment. For more information about provisioning, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md). For more information about managing TPMs by using built-in tools, see Trusted Platform Module Services Group Policy Settings. ### Creation -A TPM virtual smart card simulates a physical smart card, and it uses the TPM to provide the same functionality as physical smart card hardware. A virtual smart card appears within the operating system as a physical smart card that is always inserted. Supported versions of the Windows operating system present a virtual smart card reader and virtual smart card to applications with the same interface as physical smart cards, but messages to and from the virtual smart card are translated to TPM commands. This process ensures the integrity of the virtual smart card through the three properties of smart card security: +A TPM virtual smart card simulates a physical smart card, using the TPM to provide the same functionality as physical smart card hardware.\ +A virtual smart card appears within the operating system as a physical smart card that is always inserted. Windows presents a *virtual smart card reader* and a *virtual smart card* to applications using the same interface as physical smart cards. The messages to and from the virtual smart card are translated to TPM commands, ensuring the integrity of the virtual smart card through the three properties of smart card security: -- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer. +- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). -- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. +- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, which is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. -- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. - For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). +- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for some time instead of blocking the card. This is also known as lockout. + For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). There are several options for creating virtual smart cards, depending on the size of the deployment and budget of the organization. The lowest cost option is using `tpmvscmgr.exe` to create cards individually on users' computers. Alternatively, a virtual smart card management solution can be purchased to more easily accomplish virtual smart card creation on a larger scale and aid in further phases of deployment. Virtual smart cards can be created on computers that are to be provisioned for an employee or on those that are already in an employee's possession. In either approach, there should be some central control over personalization and provisioning. If a computer is intended for use by multiple employees, multiple virtual smart cards can be created on a computer. @@ -68,23 +69,23 @@ For information about the TPM Virtual Smart Card command-line tool, see [Tpmvscm ### Personalization -During virtual smart card personalization, the values for the administrator key, PIN, and PUK are assigned. As with a physical card, knowing the administrator key is important for resetting the PIN or for deleting the card in the future. (If a PUK is set, the administrator key can no longer be used to reset the PIN.) +During virtual smart card personalization, the values for the administrator key, PIN, and PUK are assigned. As with a physical card, knowing the administrator key is important for resetting the PIN or for deleting the card in the future. (If you set a PUK, you can't use the administrator key to reset the PIN.) -Because the administrator key is critical to the security of the card, it is important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include: +Because the administrator key is critical to the security of the card, it's important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include: -- **Uniform**: Administrator keys for all the virtual smart cards that are deployed in the organization are the same. Although this makes the maintenance infrastructure easy (only one key needs to be stored), it is highly insecure. This strategy might be sufficient for very small organizations, but if the administrator key is compromised, all virtual smart cards that use this key must be reissued. +- **Uniform**: Administrator keys for all the virtual smart cards deployed in the organization are the same. Although using the same key makes the maintenance infrastructure easy (only one key needs to be stored), it's highly insecure. This strategy might be sufficient for small organizations, but if the administrator key is compromised, all virtual smart cards that use the key must be reissued. -- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they are not recorded. This is a valid option if the deployment administrators do not require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This could also be a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary. +- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they aren't recorded. This is a valid option if the deployment administrators don't require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This is a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary. -- **Random, stored**: Administrator keys are assigned randomly and stored in a central location. Each card's security is independent of the others. This is secure on a large scale unless the administrator key database is compromised. +- **Random, stored**: you assign the administrator keys randomly, storing them in a central location. Each card's security is independent of the others. This is a secure strategy on a large scale, unless the administrator key database is compromised. -- **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it does not need to be stored. The security of this method relies on the security of the secret used. +- **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it doesn't need to be stored. The security of this method relies on the security of the secret used. -Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is simply entered on the computer to enable a user PIN reset. +Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is entered on the computer to enable a user PIN reset. -The administrator key methodology takes a challenge-response approach. The card provides a set of random data after users verify their identity to the deployment administrator. The administrator then encrypts the data with the administrator key and gives the encrypted data back to the user. If the encrypted data matches that produced by the card during verification, the card will allow PIN reset. Because the administrator key is never accessible by anyone other than the deployment administrator, it cannot be intercepted or recorded by any other party (including employees). This provides significant security benefits beyond using a PUK, an important consideration during the personalization process. +The administrator key methodology takes a challenge-response approach. The card provides a set of random data after users verify their identity to the deployment administrator. The administrator then encrypts the data with the administrator key and gives the encrypted data back to the user. If the encrypted data matches that produced by the card during verification, the card will allow PIN reset. Because the administrator key is never accessible by anyone other than the deployment administrator, it can't be intercepted or recorded by any other party (including employees). This provides significant security benefits beyond using a PUK, an important consideration during the personalization process. -TPM virtual smart cards can be personalized on an individual basis when they are created with the Tpmvscmgr command-line tool. Or organizations can purchase a management solution that can incorporate personalization into an automated routine. An additional advantage of such a solution is the automated creation of administrator keys. Tpmvscmgr.exe allows users to create their own administrator keys, which can be detrimental to the security of the virtual smart cards. +TPM virtual smart cards can be personalized on an individual basis when they're created with the Tpmvscmgr command-line tool. Or organizations can purchase a management solution that can incorporate personalization into an automated routine. An another advantage of such a solution is the automated creation of administrator keys. Tpmvscmgr.exe allows users to create their own administrator keys, which can be detrimental to the security of the virtual smart cards. ## Provision virtual smart cards @@ -92,37 +93,35 @@ Provisioning is the process of loading specific credentials onto a TPM virtual s A high-assurance level of secure provisioning requires absolute certainty about the identity of the individual who is receiving the certificate. Therefore, one method of high-assurance provisioning is utilizing previously provisioned strong credentials, such as a physical smart card, to validate identity during provisioning. In-person proofing at enrollment stations is another option, because an individual can easily and securely prove his or her identity with a passport or driver's license, although this can become infeasible on a larger scale. To achieve a similar level of assurance, a large organization can implement an "enroll-on-behalf-of" strategy, in which employees are enrolled with their credentials by a superior who can personally verify their identities. This creates a chain of trust that ensures individuals are checked in person against their proposed identities, but without the administrative strain of provisioning all virtual smart cards from a single central enrollment station. -For deployments in which a high-assurance level is not a primary concern, you can use self-service solutions. These can include using an online portal to obtain credentials or simply enrolling for certificates by using Certificate Manager, depending on the deployment. Consider that virtual smart card authentication is only as strong as the method of provisioning. For example, if weak domain credentials (such as a password alone) are used to request the authentication certificate, virtual smart card authentication will be equivalent to using only the password, and the benefits of two-factor authentication are lost. +For deployments in which a high-assurance level isn't a primary concern, you can use self-service solutions. These can include using an online portal to obtain credentials or simply enrolling for certificates by using Certificate Manager, depending on the deployment. Consider that virtual smart card authentication is only as strong as the method of provisioning. For example, if weak domain credentials (such as a password alone) are used to request the authentication certificate, virtual smart card authentication will be equivalent to using only the password, and the benefits of two-factor authentication are lost. For information about using Certificate Manager to configure virtual smart cards, see [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md). -High-assurance and self-service solutions approach virtual smart card provisioning by assuming that the user's computer has been issued prior to the virtual smart card deployment, but this is not always the case. If virtual smart cards are being deployed with new computers, they can be created, personalized, and provisioned on the computer before the user has contact with that computer. +High-assurance and self-service solutions approach virtual smart card provisioning by assuming that the user's computer has been issued prior to the virtual smart card deployment, but this isn't always the case. If virtual smart cards are being deployed with new computers, they can be created, personalized, and provisioned on the computer before the user has contact with that computer. In this situation, provisioning becomes relatively simple, but identity checks must be put in place to ensure that the recipient of the computer is the individual who was expected during provisioning. This can be accomplished by requiring the employee to set the initial PIN under the supervision of the deployment administrator or manager. -When you are provisioning your computers, you should also consider the longevity of credentials that are supplied for virtual smart cards. This choice must be based on the risk threshold of the organization. Although longer lived credentials are more convenient, they are also more likely to become compromised during their lifetime. To decide on the appropriate lifetime for credentials, the deployment strategy must take into account the vulnerability of their cryptography (how long it could take to crack the credentials), and the likelihood of attack. +When you're provisioning your computers, you should also consider the longevity of credentials that are supplied for virtual smart cards. This choice must be based on the risk threshold of the organization. Although longer lived credentials are more convenient, they're also more likely to become compromised during their lifetime. To decide on the appropriate lifetime for credentials, the deployment strategy must take into account the vulnerability of their cryptography (how long it could take to crack the credentials), and the likelihood of attack. -If a virtual smart card is compromised, administrators should be able to revoke the associated credentials, like they would with a lost or stolen laptop. This requires a record of which credentials match which user and computer, which is functionality that does not exist natively in Windows. Deployment administrators might want to consider add-on solutions to maintain such a record. +For compromised virtual smart cards, administrators should be able to revoke the associated credentials, like they would with a lost or stolen laptop. Revoking credentials requires a record of which credentials match which user and device, but the functionality doesn't natively exist in Windows. Deployment administrators might want to consider add-on solutions to maintain a record. ### Virtual smart cards on consumer devices used for corporate access -There are techniques that allow employees to provision virtual smart cards and enroll for certificates that can be used to authenticate the users. This is useful when employees attempt to access corporate resources from devices that are not joined to the corporate domain. Those devices can be further defined to not allow users to download and run applications from sources other than the Windows Store (for example, devices running Windows RT). +There are techniques that allow employees to provision virtual smart cards and enroll for certificates that can be used to authenticate the users. This is useful when employees attempt to access corporate resources from devices that aren't joined to the corporate domain. Those devices can be further defined to not allow users to download and run applications from sources other than the Microsoft Store. -You can use APIs that were introduced in Windows Server 2012 R2 and Windows 8.1 to build Windows Store apps that you can use to manage the full lifecycle of virtual smart cards. For more information, see [Create and delete virtual smart cards programmatically](virtual-smart-card-use-virtual-smart-cards.md#create-and-delete-virtual-smart-cards-programmatically). +You can use APIs to build Microsoft Store apps that you can use to manage the full lifecycle of virtual smart cards. For more information, see [Create and delete virtual smart cards programmatically](virtual-smart-card-use-virtual-smart-cards.md#create-and-delete-virtual-smart-cards-programmatically). #### TPM ownerAuth in the registry -When a device or computer is not joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE. This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that are not protected include: +When a device or computer isn't joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE. This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that aren't protected include: - A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets. - A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised. -The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. Policies for automatic lockout can be set while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device. +The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. You can set policies for automatic lockout while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device. -For configuration information about the TPM ownerAuth registry key, see the Group Policy setting Configure the level of TPM owner authorization information available to the operating system. - - +For configuration information about the TPM ownerAuth registry key, see the Group Policy setting **Configure the level of TPM owner authorization information** available to the operating system. For information about EAS policies, see [Exchange ActiveSync Policy Engine Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). @@ -130,12 +129,10 @@ For information about EAS policies, see [Exchange ActiveSync Policy Engine Overv The following table describes the important differences between managed and unmanaged virtual smart cards that exist on consumer devices: - - -| Operation | [Managed and unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#managed-and-unmanaged-cards) | [Unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#unmanaged-cards) | -|-----------------------------------------|--------------|----| -| Reset PIN when the user forgets the PIN | Yes | No, the card has to be deleted and created again. | -| Allow user to change the PIN | Yes | No, the card has to be deleted and created again. | +| Operation | [Managed and unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#managed-and-unmanaged-cards) | [Unmanaged cards](virtual-smart-card-deploy-virtual-smart-cards.md#unmanaged-cards) | +|---|---|---| +| Reset PIN when the user forgets the PIN | Yes | No. Delete and recreate the card. | +| Allow user to change the PIN | Yes | No. Delete and recreate the card. | ## Managed cards @@ -143,7 +140,7 @@ A managed virtual smart card can be serviced by the IT administrator or another ### Managed card creation -A user can create blank virtual smart card by using the Tpmvscmgr command-line tool, which is a built-in tool that is run with administrative credentials through an elevated command prompt. This virtual smart card needs to be created with well-known parameters (such as default values), and it should be left unformatted (specifically, the **/generate** option should not be specified). +A user can create blank virtual smart card by using the *Tpmvscmgr* command-line tool, which is a built-in tool executed with administrative credentials through an elevated command prompt. The virtual smart card must be created with well-known parameters (such as default values), and it should be left unformatted (specifically, the **/generate** option shouldn't be specified). The following command creates a virtual smart card that can later be managed by a smart card management tool launched from another computer (as explained in the next section): @@ -153,7 +150,7 @@ Alternatively, instead of using a default administrator key, a user can enter an `tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /AdminKey PROMPT /PIN PROMPT` -In either case, the card management system needs to be aware of the initial administrator key that is used so that it can take ownership of the virtual smart card and change the administrator key to a value that is only accessible through the card management tool operated by the IT administrator. For example, when the default value is used, the administrator key is set to: +In either case, the card management system needs to be aware of the initial administrator key. The requirement is so that the card management system can take ownership of the virtual smart card and change the administrator key to a value that is only accessible through the card management tool operated by the IT administrator. For example, when you use the default, the administrator key is set to: `10203040506070801020304050607080102030405060708` @@ -171,7 +168,7 @@ Similar to physical smart cards, virtual smart cards require certificate enrollm #### Certificate issuance -Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card does not need to be installed on the client computer if it is installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session. +Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session. Alternatively, without establishing a remote desktop connection, users can enroll for certificates from the Certificate Management console (certmgr.msc) on a client computer. Users can also create a request and submit it to a server from within a custom certificate enrollment application (for example, a registration authority) that has controlled access to the certification authority (CA). This requires specific enterprise configuration and deployments for Certificate Enrollment Policies (CEP) and Certificate Enrollment Services (CES). @@ -179,11 +176,11 @@ Alternatively, without establishing a remote desktop connection, users can enrol You can renew certificates through remote desktop connections, certificate enrollment policies, or certificate enrollment services. Renewal requirements could be different from the initial issuance requirements, based on the renewal policy. -Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked is not easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate is not available. +Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked isn't easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available. ## Unmanaged cards -Unmanaged virtual smart cards are not serviceable by an IT administrator. Unmanaged cards might be suitable if an organzation does not have an elaborate smart card deployment management tool and using remote desktop connections to manage the card is not desirable. Because unmanaged cards are not serviceable by the IT administrator, when a user needs help with a virtual smart card (for example, resetting or unlocking a PIN), the only option available to the user is to delete the card and create it again. This results in loss of the user's credentials and he or she must re-enroll. +Unmanaged virtual smart cards aren't serviceable by an IT administrator. Unmanaged cards might be suitable if an organization doesn't have an elaborate smart card deployment management tool and using remote desktop connections to manage the card isn't desirable. Because unmanaged cards aren't serviceable by the IT administrator, when a user needs help with a virtual smart card (for example, resetting or unlocking a PIN), the only option available to the user is to delete the card and create it again. This results in loss of the user's credentials and he or she must re-enroll. ### Unmanaged card creation @@ -211,7 +208,7 @@ Another option is to have the user access an enrollment portal that is available #### Signing the request with another certificate -You can provide users with a short-term certificate through a Personal Information Exchange (.pfx) file. You can generate the .pfx file by initiating a request from a domain-joined computer. Additional policy constraints can be enforced on the .pfx file to assert the identity of the user. +You can provide users with a short-term certificate through a Personal Information Exchange (.pfx) file. You can generate the .pfx file by initiating a request from a domain-joined computer. You can enforce other policy constraints on the .pfx file to assert the identity of the user. The user can import the certificate into the **MY** store (which is the user's certificate store). And your organization can present the user with a script that can be used to sign the request for the short-term certificate and to request a virtual smart card. @@ -225,13 +222,13 @@ For deployments that require users to use a physical smart card to sign the cert #### Using one-time password for enrollment -Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools. +Another option to ensure that users is strongly authenticated before virtual smart card certificates are issued, is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools. #### Certificate lifecycle management Certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal. -Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked is not easy to determine, all certificates that are issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, this could occur if an employee reports a lost or compromised device, and information that associates the device with a certificate is not available. +Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked isn't easy to determine, all certificates issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available. ## Maintain virtual smart cards @@ -245,9 +242,9 @@ When renewing with a previously used key, no extra steps are required because a **Lockout reset**: A frequent precursor to resetting a PIN is the necessity of resetting the TPM lockout time because the TPM anti-hammering logic will be engaged with multiple PIN entry failures for a virtual smart card. This is currently device specific. -**Retiring cards**: The final aspect of virtual smart card management is retiring cards when they are no longer needed. When an employee leaves the company, it is desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal. +**Retiring cards**: The final aspect of virtual smart card management is retiring cards when they're no longer needed. When an employee leaves the company, it's desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal. -The card should be reissued if the same computer is used by other employees without reinstalling the operating system. Reusing the former card can allow the former employee to change the PIN after leaving the organization, and then hijack certificates that belong to the new user to obtain unauthorized domain access. However, if the employee takes the virtual smart card-enabled computer, it is only necessary to revoke the certificates that are stored on the virtual smart card. +The card should be reissued if the same computer is used by other employees without reinstalling the operating system. Reusing the former card can allow the former employee to change the PIN after leaving the organization, and then hijack certificates that belong to the new user to obtain unauthorized domain access. However, if the employee takes the virtual smart card-enabled computer, it's only necessary to revoke the certificates that are stored on the virtual smart card. ### Emergency preparedness @@ -257,18 +254,6 @@ The most common scenario in an organization is reissuing virtual smart cards, wh #### Blocked virtual smart card -The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card does not reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire. +The anti-hammering behavior of a TPM virtual smart card is different from that of a physical smart card. A physical smart card blocks itself after the user enters the wrong PIN a few times. A TPM virtual smart card enters a timed delay after the user enters the wrong PIN a few times. If the TPM is in the timed-delay mode, when the user attempts to use the TPM virtual smart card, the user is notified that the card is blocked. Furthermore, if you enable the integrated unlock functionality, the user can see the user interface to unlock the virtual smart card and change the PIN. Unlocking the virtual smart card doesn't reset the TPM lockout. The user needs to perform an extra step to reset the TPM lockout or wait for the timed delay to expire. For more information about setting the Allow Integrated Unblock policy, see [Allow Integrated Unblock screen to be displayed at the time of logon](../smart-cards/smart-card-group-policy-and-registry-settings.md#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon). - -## See also - -[Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md) - -[Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md) - -[Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) - -[Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md) - -[Tpmvscmgr](virtual-smart-card-tpmvscmgr.md) \ No newline at end of file diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index 4b82db2473..e7fb3868a8 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md @@ -1,6 +1,6 @@ --- -title: Evaluate Virtual Smart Card Security (Windows 10) -description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards. +title: Evaluate Virtual Smart Card Security +description: Learn about the security characteristics and considerations when deploying TPM virtual smart cards. ms.topic: conceptual ms.date: 02/22/2023 appliesto: @@ -12,11 +12,12 @@ appliesto: [!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] -This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards. +In this article, you'll learn about security characteristics and considerations when deploying TPM virtual smart cards. ## Virtual smart card non-exportability details -A crucial aspect of TPM virtual smart cards is their ability to securely store and use secret data, specifically that the secured data is non-exportable. Data can be accessed and used within the virtual smart card system, but it is meaningless outside of its intended environment. In TPM virtual smart cards, security is ensured with a secure key hierarchy, which includes several chains of encryption. This originates with the TPM storage root key, which is generated and stored within the TPM and never exposed outside the chip. The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN in such a way that changing the PIN doesn't require re-encryption of the data. +A crucial aspect of TPM virtual smart cards is their ability to securely store and use secret data. Specifically, that the secured data is non-exportable.\ +Data can be accessed and used within the virtual smart card system, but it's meaningless outside of its intended environment. In TPM virtual smart cards, security is ensured with a secure key hierarchy, which includes several chains of encryption. The chain originates with the TPM storage root key, which is generated and stored within the TPM and never exposed outside the chip. The TPM key hierarchy is designed to allow encryption of user data with the storage root key, but it authorizes decryption with the user PIN so that changing the PIN doesn't require re-encryption of the data. The following diagram illustrates the secure key hierarchy and the process of accessing the user key. @@ -24,38 +25,30 @@ The following diagram illustrates the secure key hierarchy and the process of ac The following keys are stored on the hard disk: -- User key - -- Smart card key, which is encrypted by the storage root key - -- Authorization key for the user key decryption, which is encrypted by the public portion of the smart card key +- User key +- Smart card key, which is encrypted by the storage root key +- Authorization key for the user key decryption, which is encrypted by the public portion of the smart card key When the user enters a PIN, the use of the decrypted smart card key is authorized with this PIN. If this authorization succeeds, the decrypted smart card key is used to decrypt the auth key. The auth key is then provided to the TPM to authorize the decryption and use of the user's key that is stored on the virtual smart card. -The auth key is the only sensitive data that is used as plaintext outside the TPM, but its presence in memory is protected by Microsoft Data Protection API (DPAPI), such that before being stored in any way, it is encrypted. All data other than the auth key is processed only as plaintext within the TPM, which is completely isolated from external access. +The auth key is the only sensitive data used as plaintext outside the TPM, but its presence in memory is protected by Microsoft Data Protection API (DPAPI), such that before being stored in any way, it's encrypted. All data other than the auth key is processed only as plaintext within the TPM, which is isolated from external access. ## Virtual smart card anti-hammering details -The anti-hammering functionality of virtual smart cards relies on the anti-hammering functionality of the TPM that is enabling the virtual smart card. However, the TPM version 1.2 and subsequent specifications (as designed by the Trusted Computing Group) provide very flexible guidelines for responding to hammering. The spec requires only that the TPM implement protection against trial-and-error attacks on the user PIN, PUK, and challenge/response mechanism. +The anti-hammering functionality of virtual smart cards relies on the anti-hammering functionality of the TPM that is enabling the virtual smart card. However, the TPM version 1.2 and subsequent specifications (as designed by the Trusted Computing Group) provide flexible guidelines for responding to hammering. The spec requires only that the TPM implement protection against trial-and-error attacks on the user PIN, PUK, and challenge/response mechanism. -The Trusted Computing Group also specifies that if the response to attacks involves suspending proper function of the TPM for some period of time or until administrative action is taken, the TPM must prevent running the authorized TPM commands. The TPM can prevent running any TPM commands until the termination of the attack response. Beyond using a time delay or requiring administrative action, a TPM could also force a reboot when an attack is detected. The Trusted Computing Group allows manufacturers a level of creativity in their choice of implementation. Whatever methodology is chosen by TPM manufacturers determines the anti-hammering response of TPM virtual smart cards. Some typical aspects of protection from attacks include: +The Trusted Computing Group specifies that if the response to attacks involves suspending proper function of the TPM for some period of time, or until administrative action is taken, the TPM must prevent running the authorized TPM commands. The TPM can prevent running any TPM commands until the termination of the attack response. Beyond using a time delay or requiring administrative action, a TPM could also force a reboot when an attack is detected. The Trusted Computing Group allows manufacturers a level of creativity in their choice of implementation. The methodology used by TPM manufacturers determines the anti-hammering response of TPM virtual smart cards. Some typical aspects of protection from attacks include: -1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM. +1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM. - > **Note**  Introduced in Windows Server 2012 R2 and Windows 8.1, if the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it has to be unblocked by using the administrative key or the PUK. + > **Note** + > If the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it must be unblocked by using the administrative key or the PUK. -1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands. +1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands. +1. Have a failure leakage mechanism to allow the TPM to reset the timed delays over a period of time. This is useful in cases where a valid user has entered the wrong PIN occasionally, for example, due to complexity of the PIN. -2. Have a failure leakage mechanism to allow the TPM to reset the timed delays over a period of time. This is useful in cases where a valid user has entered the wrong PIN occasionally, for example, due to complexity of the PIN. +For example, it will take 14 years to guess an eight character PIN for a TPM that implements the following protection: -As an example, it will take 14 years to guess an 8-character PIN for a TPM that implements the following protection: - -1. Number of wrong PINs allowed before entering lockout (threshold): 9 - -2. Time the TPM is in lockout after the threshold is reached: 10 seconds - -3. Timed delay doubles for each wrong PIN after the threshold is reached - -## See also - -[Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md) +1. Number of wrong PINs allowed before entering lockout (threshold): 9 +1. Time the TPM is in lockout after the threshold is reached: 10 seconds +1. Timed delay doubles for each wrong PIN after the threshold is reached \ No newline at end of file diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md index ddf67cb799..35662ebdef 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md @@ -12,37 +12,33 @@ appliesto: [!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] -This topic for IT professional provides an overview of the virtual smart card technology. +This article provides an overview of the virtual smart card technology. ## Feature description -Virtual smart card technology offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on devices, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys that are used for authentication are stored in cryptographically-secured hardware. +Virtual smart card technology offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on devices, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys used for authentication are stored in cryptographically-secured hardware. By utilizing TPM devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering. ## Practical applications -Virtual smart cards are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. They are easily deployed by using in-house methods or a purchased solution, and they can become a full replacement for other methods of strong authentication in a corporate setting of any scale. +Virtual smart cards are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. They're easily deployed by using in-house methods or a purchased solution, and they can become a full replacement for other methods of strong authentication in a corporate setting of any scale. ### Authentication use cases **Two-factor authentication‒based remote access** -After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain strongly authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain. +After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain. -In practice, this is as easy as entering a password to access the system. Technically, it is far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request could not have possibly originated from a system other than the system certified by the domain for this user's access, and the user could not have initiated the request without knowing the PIN, a strong two-factor authentication is established. +In practice, this is as easy as entering a password to access the system. Technically, it's far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request couldn't have possibly originated from a system other than the system certified by the domain for this user's access, and the user couldn't have initiated the request without knowing the PIN, a strong two-factor authentication is established. **Client authentication** -Virtual smart cards can also be used for client authentication by using Secure Socket Layer (SSL) or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card. +Virtual smart cards can also be used for client authentication by using TLS/SSL or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card. **Virtual smart card redirection for remote desktop connections** -The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the computers that they access domain resources through. Therefore, when a user remotely connects to a computer that is hosting virtual smart cards, the virtual smart cards that are located on the remote computer cannot be used during the remote session. However, the virtual smart cards that are stored on the connecting computer (which is under physical control of the user) are loaded onto the remote computer, and they can be used as if they were installed by using the remote computer's TPM. This extends a user's privileges to the remote computer, while maintaining the principles of two-factor authentication. - -**Windows To Go and virtual smart cards** - -Virtual smart cards work well with Windows To Go, where a user can boot into a supported version of Windows from a compatible removable storage device. A virtual smart card can be created for the user, and it is tied to the TPM on the physical host computer to which the removable storage device is connected. When the user boots the operating system from a different physical computer, the virtual smart card will not be available. This can be used for scenarios when a single physical computer is shared by many users. Each user can be given a removable storage device for Windows To Go, which has a virtual smart card provisioned for the user. This way, users are only able to access their personal virtual smart card. +The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the computers that they access domain resources through. Therefore, when a user remotely connects to a computer that is hosting virtual smart cards, the virtual smart cards that are located on the remote computer can't be used during the remote session. However, the virtual smart cards that are stored on the connecting computer (which is under physical control of the user) are loaded onto the remote computer, and they can be used as if they were installed by using the remote computer's TPM. This extends a user's privileges to the remote computer, while maintaining the principles of two-factor authentication. ### Confidentiality use cases @@ -52,41 +48,15 @@ Physical smart cards are designed to hold private keys that can be used for emai **BitLocker for data volumes** -sBitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. This ensures that if the physical ownership of a hard drive is compromised, an adversary will not be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive and possession of the computer that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be very difficult. +BitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. This ensures that if the physical ownership of a hard drive is compromised, an adversary won't be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive and possession of the computer that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be difficult. -BitLocker can also be used to encrypt portable drives, which involves storing keys in virtual smart cards. In this scenario (unlike using BitLocker with a physical smart card), the encrypted drive can be used only when it is connected to the host for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from this computer. However, this method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive. +BitLocker can also be used to encrypt portable drives, storing keys in virtual smart cards. In this scenario (unlike using BitLocker with a physical smart card), the encrypted drive can be used only when it's connected to device for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from this device. This method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive, too. ### Data integrity use case **Signing data** -To verify authorship of data, a user can sign it by using a private key that is stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. If the key is stored in an operating system that is accessible, a malicious user could access it and use it to modify already signed data or to spoof the key owner's identity. However, if this key is stored in a virtual smart card, it can be used only to sign data on the host computer. It cannot be exported to other systems (intentionally or unintentionally, such as with malware theft). This makes digital signatures far more secure than other methods for private key storage. - -## New and changed functionality as of Windows 8.1 - -Enhancements in Windows 8.1 enabled developers to build Microsoft Store apps to create and manage virtual smart cards. - -The DCOM Interfaces for Trusted Platform Module (TPM) Virtual Smart Card device management protocol provides a Distributed Component Object Model (DCOM) Remote Protocol interface used for creating and destroying virtual smart cards. A virtual smart card is a device that presents a device interface complying with the PC/SC specification for PC-connected interface devices to its host operating system (OS) platform. This protocol does not assume anything about the underlying implementation of virtual smart card devices. In particular, while it is primarily intended for the management of virtual smart cards based on TPMs, it can also be used to manage other types of virtual smart cards. - -**What value does this change add?** - -Starting with Windows 8.1, application developers can build into their apps the following virtual smart card maintenance capabilities to relieve some of your administrative burdens. - -- Create a new virtual smart card or select a virtual smart card from the list of available virtual smart cards on the system. Identify the one that the application is supposed to work with -- Personalize the virtual smart card -- Change the admin key -- Diversify the admin key which allows the user to unblock the PIN in a PIN-blocked scenario -- Change the PIN -- Reset or Unblock the PIN -- Destroy the virtual smart card - -**What works differently?** - -Starting with Windows 8.1, Microsoft Store app developers are able to build apps that have the capability to prompt the user to reset or unblock and change a virtual smart card PIN. This places more responsibility on the user to maintain their virtual smart card but it can also provide a more consistent user experience and administration experience in your organization. - -For more information about developing Microsoft Store apps with these capabilities, see [Trusted Platform Module Virtual Smart Card Management Protocol](/openspecs/windows_protocols/ms-tpmvsc/10bd67d7-4580-4e38-a6e9-ec3be00033b6). - -For more information about managing these capabilities in virtual smart cards, see [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md). +To verify authorship of data, a user can sign it by using a private key stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. If the key is stored in an operating system that is accessible, a malicious user could access it and use it to modify already signed data or to spoof the key owner's identity. However, if the key is stored in a virtual smart card, it can be used only to sign data on the host device. The key can't be exported to other systems (intentionally or unintentionally, such as with malware theft), making digital signatures more secure than other methods for private key storage. ## Hardware requirements From a2aaedf2c9f3f232952e2047fc51180184cd84ce Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 23 Feb 2023 11:20:19 -0500 Subject: [PATCH 12/37] acrolinx --- ...ackup-tpm-recovery-information-to-ad-ds.md | 4 +- .../tpm/how-windows-uses-the-tpm.md | 22 ++-- ...lize-and-configure-ownership-of-the-tpm.md | 115 +++++++----------- .../switch-pcr-banks-on-tpm-2-0-devices.md | 52 ++++---- 4 files changed, 81 insertions(+), 112 deletions(-) diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md index 1f2a9067e6..8f9951dfee 100644 --- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md @@ -15,4 +15,6 @@ appliesto: # Backup the TPM recovery information to AD DS -With Windows 11, you can back up a computer's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS). By doing this, you can use AD DS to administer the TPM from a remote computer. The procedure is the same as it was for Windows 8.1. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)). +In Windows 11, you can backup a device's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS), enabling remote management of the TPM. + +For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)). diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index f886cc3480..be0cadec4a 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -23,7 +23,7 @@ The TPM is a cryptographic module that enhances computer security and privacy. P Historically, TPMs have been discrete chips soldered to a computer's motherboard. Such implementations allow the computer's original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. -TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the operating system is reinstalled, the TPM may be required to be explicitly re-provisioned before it can use all the TPM's features. +TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform's owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, a TPM must be provisioned. Windows automatically provisions a TPM, but if the operating system is reinstalled, the TPM may be required to be explicitly reprovisioned before it can use all the TPM's features. The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). @@ -47,9 +47,9 @@ The Platform Crypto Provider, introduced in the Windows 8 operating system, expo - **Key protection**. The Platform Crypto Provider can create keys in the TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying the keys to system memory, where they're vulnerable to malware. The Platform Crypto Provider can also configure keys that a TPM protects so that they aren't removable. If a TPM creates a key, the key is unique and resides only in that TPM. If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM isn't a source for making more copies of the key or enabling the use of copies elsewhere. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. -- **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. +- **Dictionary attack protection**. Keys that a TPM protects can require an authorization value such as a PIN. With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they can't provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. -These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM's dictionary attack protection automatically. +These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. A practical way to see these benefits in action is when using certificates on a Windows device. On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and can't be exported from the TPM. If the certificate requires a PIN, the PIN gains the TPM's dictionary attack protection automatically. ## Virtual Smart Card @@ -59,7 +59,7 @@ Smart cards are physical devices that typically store a single certificate and t In Windows, the *Virtual Smart Card* feature allows the TPM to mimic a permanently inserted smart card. The TPM becomes *something the user has* but still requires a PIN. While physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM's dictionary attack protection to prevent too many PIN guesses. -For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key, so that it cannot be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership. The *lost card* or *card left at home* scenarios are not applicable, and the benefits of smart card-based multifactor authentication is preserved. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. +For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key, so that it can't be copied when it is in use or stored and used elsewhere. Using a component that is part of the system rather than a separate physical smart card, can reduce total cost of ownership. The *lost card* or *card left at home* scenarios are not applicable, and the benefits of smart card-based multifactor authentication is preserved. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. ## Windows Hello for Business @@ -82,11 +82,11 @@ For Windows Hello for Business, Microsoft can fill the role of the identity CA. BitLocker provides full-volume encryption to protect data at rest. The most common device configuration splits the hard drive into several volumes. The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. (These other volumes are used infrequently enough that they do not need to be visible to users.) Without more protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system's enforcement of file permissions to read any user data. -In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities: +In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data can't be read and are not accessible. The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. The system firmware and TPM are carefully designed to work together to provide the following capabilities: -- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. +- **Hardware root of trust for measurement**. A TPM allows software to send it commands that record measurements of software or configuration information. This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. The system firmware has a component called the Core Root of Trust for Measurement (CRTM) that is implicitly trusted. The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component's measurement is sent to the TPM before it runs, a component can't erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. -- **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS). +- **Key used only when boot measurements are accurate**. BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process can't proceed normally because the data on the operating system can't be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. Organizations can configure BitLocker to store the recovery key-in Active Directory Domain Services (AD DS). Device hardware characteristics are important to BitLocker and its ability to protect data. One consideration is whether the device provides attack vectors when the system is at the logon screen. For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume's decryption key from memory while at the Windows logon screen. To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. @@ -127,9 +127,9 @@ Mobile device management (MDM) solutions can receive simple security assertions Credential Guard is a new feature in Windows that helps protect Windows credentials in organizations that have deployed AD DS. Historically, a user's credentials (such as a logon password) were hashed to generate an authorization token. The user employed the token to access resources that he or she was permitted to use. One weakness of the token model is that malware that had access to the operating system kernel could look through the computer's memory and harvest all the access tokens currently in use. The attacker could then use harvested tokens to log on to other machines and collect more credentials. This kind of attack is called a "pass the hash" attack, a malware technique that infects one machine to infect many machines across an organization. -Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return. +Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel can't access. This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment can't tamper with it. Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return. -The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it cannot access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows. +The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it can't access the secrets inside the isolated memory area that actually generates authorization tokens. The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows. ## Conclusion @@ -139,9 +139,9 @@ The TPM adds hardware-based security benefits to Windows. When installed on hard |Feature | Benefits when used on a system with a TPM| |---|---| -| Platform Crypto Provider |
  • If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
  • The TPM's dictionary attack mechanism protects PIN values to use a certificate.
| +| Platform Crypto Provider |
  • If the machine is compromised, the private key associated with the certificate can't be copied off the device.
  • The TPM's dictionary attack mechanism protects PIN values to use a certificate.
| | Virtual Smart Card |
  • Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.
| -| Windows Hello for Business |
  • Credentials provisioned on a device cannot be copied elsewhere.
  • Confirm a device's TPM before credentials are provisioned.
| +| Windows Hello for Business |
  • Credentials provisioned on a device can't be copied elsewhere.
  • Confirm a device's TPM before credentials are provisioned.
| | BitLocker Drive Encryption |
  • Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware.
| |Device Encryption |
  • With a Microsoft account and the right hardware, consumers' devices seamlessly benefit from data-at-rest protection.
| | Measured Boot |
  • A hardware root of trust contains boot measurements that help detect malware during remote attestation.
| diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index de9ce89cdd..89649c5eed 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -1,6 +1,6 @@ --- -title: Troubleshoot the TPM (Windows) -description: This article for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM). +title: Troubleshoot the TPM +description: Learn how to view and troubleshoot the Trusted Platform Module (TPM). ms.prod: windows-client author: paolomatarazzo ms.author: paoloma @@ -18,45 +18,41 @@ ms.collection: # Troubleshoot the TPM -This article provides information for the IT professional to troubleshoot the Trusted Platform Module (TPM): +This article provides information how to troubleshoot the Trusted Platform Module (TPM): -- [Troubleshoot TPM initialization](#troubleshoot-tpm-initialization) -- [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm) +- [Troubleshoot TPM initialization](#troubleshoot-tpm-initialization) +- [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm) With TPM 1.2 and Windows 11, you can also take the following actions: -- [Turn on or turn off the TPM](#turn-on-or-turn-off) +- [Turn on or turn off the TPM](#turn-on-or-turn-off) For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). ## About TPM initialization and ownership -Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you would initialize the TPM and create an owner password. +Windows automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you had to initialize the TPM and create an owner password. -## Troubleshoot TPM initialization +### TPM initialization If you find that Windows isn't able to initialize the TPM automatically, review the following information: -- You can try clearing the TPM to the factory default values and allowing Windows to re-initialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article. +- You can try clearing the TPM to the factory default values, allowing Windows to reinitialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm) +- If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system +- If you have TPM 1.2 with Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will reinitialize it +- If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer. If you have a non-Microsoft driver installed, remove it, and then allow the operating system to initialize the TPM -- If the TPM is a TPM 2.0 and isn't detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM hasn't been disabled or hidden from the operating system. - -- If you have TPM 1.2 with Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it's turned back on, Windows will re-initialize it. - -- If you're attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM isn't present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM. - -### Troubleshoot network connection issues for Windows 11 +### Network connection issues for domain-joined Windows 11 devices If you have Windows 11, the initialization of the TPM can't complete when your computer has network connection issues and both of the following conditions exist: -- An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy. +- An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through group policy +- A domain controller can't be reached. This scenario may occur on a device that is currently disconnected from the internal network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter) -- A domain controller can't be reached. This can occur on a computer that is currently disconnected from the network, separated from the domain by a firewall, or experiencing a network component failure (such as an unplugged cable or a faulty network adapter). +If these issues occur, an error message appears, and you can't complete the initialization process. To avoid the issue, allow Windows to initialize the TPM while you're connected to the corporate network, and you can contact a domain controller. -If these issues occur, an error message appears, and you can't complete the initialization process. To avoid this issue, allow Windows to initialize the TPM while you're connected to the corporate network and you can contact a domain controller. +### Systems with multiple TPMs -### Troubleshoot systems with multiple TPMs - -Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article. +Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows doesn't support this configuration. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs, you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm). For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection isn't changed. @@ -64,7 +60,7 @@ For example, toggling TPMs will cause BitLocker to enter recovery mode. We stron You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM isn't cleared before a new operating system is installed, most TPM functionality will probably work correctly. -Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically re-initialize it and take ownership again. +Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically reinitialize it and take ownership again. > [!WARNING] > Clearing the TPM can result in data loss. For more information, see the next section, "Precautions to take before clearing the TPM." @@ -73,74 +69,49 @@ Clearing the TPM resets it to an unowned state. After you clear the TPM, the Win Clearing the TPM can result in data loss. To protect against such loss, review the following precautions: -- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM. - -- Don't clear the TPM on a device you don't own, such as a work or school PC, without being instructed to do so by your IT administrator. - -- If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this article. - -- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Don't clear the TPM directly from UEFI. - -- Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website. +- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign-in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM +- Don't clear the TPM on a device you don't own, such as a work or school PC, without being instructed to do so by your IT administrator +- If you want to temporarily suspend TPM operations on Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm) +- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Don't clear the TPM directly from UEFI +- Because your TPM security hardware is a physical part of your computer, before clearing the TPM, you might want to read the manuals or instructions that came with your computer, or search the manufacturer's website Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. **To clear the TPM** -1. Open the Windows Defender Security Center app. +1. Open the Windows Defender Security Center app +1. Select **Device security** +1. Select **Security processor details** +1. Select **Security processor troubleshooting** +1. Select **Clear TPM**. + - You'll be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. + - After the device restarts, your TPM will be automatically prepared for use by Windows. -2. Select **Device security**. - -3. Select **Security processor details**. - -4. Select **Security processor troubleshooting**. - -5. Select **Clear TPM**. - -6. You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. - -7. After the PC restarts, your TPM will be automatically prepared for use by Windows. - -## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 and higher) +## Turn on or turn off the TPM Normally, the TPM is turned on as part of the TPM initialization process. You don't normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. ### Turn on the TPM -If you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM. +If you want to use the TPM after you've turned it off, you can use the following procedure to turn on the TPM. -**To turn on the TPM (TPM 1.2 with Windows 10, version 1507 and higher)** +1. Open the TPM MMC (tpm.msc) +1. In the **Action** pane, select **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page +1. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts -1. Open the TPM MMC (tpm.msc). - -2. In the **Action** pane, select **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page. - -3. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts. - - After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software isn't attempting to make changes to the TPM. +After the device restarts, but before you sign in to Windows, you'll be prompted to accept the reconfiguration of the TPM. The acceptance ensures that the user has physical access to the computer and that malicious software isn't attempting to make changes to the TPM. ### Turn off the TPM If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. -**To turn off the TPM (TPM 1.2 with Windows 10, version 1507 and higher)** - -1. Open the TPM MMC (tpm.msc). - -2. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page. - -3. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: - - - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the .tpm file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**. - - - If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**. - - - If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password. +1. Open the TPM MMC (`tpm.msc`) +1. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page +1. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: + - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the *.tpm* file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off** + - If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off** + - If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password ## Use the TPM cmdlets You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). - -## Related articles - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of articles) diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index adcf3d0a31..de49d856c6 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -1,6 +1,6 @@ --- -title: Understanding PCR banks on TPM 2.0 devices (Windows) -description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices. +title: UnderstandPCR banks on TPM 2.0 devices +description: Learn about what happens when you switch PCR banks on TPM 2.0 devices. ms.prod: windows-client author: paolomatarazzo ms.author: paoloma @@ -13,55 +13,51 @@ appliesto: - ✅ Windows Server 2016 and later --- -# Understanding PCR banks on TPM 2.0 devices +# PCR banks on TPM 2.0 devices -For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This topic provides background about what happens when you switch PCR banks on TPM 2.0 devices. +For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This article provides background about what happens when you switch PCR banks on TPM 2.0 devices. -A Platform Configuration Register (PCR) is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes – the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a PCR bank. +A *Platform Configuration Register (PCR)* is a memory location in the TPM that has some unique properties. The size of the value that can be stored in a PCR is determined by the size of a digest generated by an associated hashing algorithm. A SHA-1 PCR can store 20 bytes - the size of a SHA-1 digest. Multiple PCRs associated with the same hashing algorithm are referred to as a *PCR bank*. -To store a new value in a PCR, the existing value is extended with a new value as follows: -PCR\[N\] = HASHalg( PCR\[N\] || ArgumentOfExtend ) +To store a new value in a PCR, the existing value is extended with a new value as follows: `PCR[N] = HASHalg( PCR[N] || ArgumentOfExtend)` -The existing value is concatenated with the argument of the TPM Extend operation. The resulting concatenation is then used as input to the associated hashing algorithm, which computes a digest of the input. This computed digest becomes the new value of the PCR. +The existing value is concatenated with the argument of the TPM Extend operation. The resulting concatenation is then used as input to the associated hashing algorithm, which computes a digest of the input. The computed digest becomes the new value of the PCR. -The [TCG PC Client Platform TPM Profile Specification](http://www.trustedcomputinggroup.org/pc-client-platform-tpm-profile-ptp-specification/) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps ensure that the value of those PCRs can only be modified via the TPM Extend operation. +The [TCG PC Client Platform TPM Profile Specification](http://www.trustedcomputinggroup.org/pc-client-platform-tpm-profile-ptp-specification/) defines the inclusion of at least one PCR bank with 24 registers. The only way to reset the first 16 PCRs is to reset the TPM itself. This restriction helps to ensure that the value of those PCRs can only be modified via the TPM Extend operation. -Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM. Since the first 16 TPM PCRs cannot be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log. +Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM. Since the first 16 TPM PCRs can't be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log. ## How does Windows use PCRs? -To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process – when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after. +To bind the use of a TPM based key to a certain state of the device, the key can be sealed to an expected set of PCR values.\ +For instance, PCRs 0 through 7 have a well-defined value after the boot process, when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after. -It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values will not match. +It's important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the `SHA-1 PCR[12]`, if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values won't match. ## What happens when PCR banks are switched? When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs. -As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled. +As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn't match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows won't be able to unseal it if the PCR banks are switched while BitLocker is enabled. ## What can I do to switch PCRs when BitLocker is already active? -Before switching PCR banks you should suspend or disable BitLocker – or have your recovery key ready. For steps on how to switch PCR banks on your PC, you should contact your OEM or UEFI vendor. +Before switching PCR banks, you should suspend or disable BitLocker or have the recovery key ready. For steps on how to switch PCR banks on your PC, contact your OEM or UEFI vendor. ## How can I identify which PCR bank is being used? -A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active. +You can configure a TPM to have multiple PCR banks active. When BIOS performs measurements, it does so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it doesn't support or *cap* PCR banks that it doesn't support by extending a separator. The following registry value identifies which PCR banks are active: -- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
-- DWORD: TPMActivePCRBanks
-- Defines which PCR banks are currently active. (This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.)
+- Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices` +- DWORD: `TPMActivePCRBanks` +- Defines which PCR banks are currently active. (This value should be interpreted as a bitmap for which the bits are defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 21 of Revision 1.27.) -Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions is not met. +Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions isn't met. -You can identify which PCR bank is currently used by Windows by looking at the registry. +You can identify which PCR bank is currently used by Windows by looking at the registry: -- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
-- DWORD: TPMDigestAlgID
-- Algorithm ID of the PCR bank that Windows is currently using. (This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.)
+- Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices` +- DWORD: `TPMDigestAlgID` +- Algorithm ID of the PCR bank that Windows is currently using. (This value represents an algorithm identifier as defined in the [TCG Algorithm Registry](https://trustedcomputinggroup.org/resource/tcg-algorithm-registry/) Table 3 of Revision 1.27.) -Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted. - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) +Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they aren't used by Windows and measurements that appear to be from Windows shouldn't be trusted. From 85683c354c0fab3c3d1eaa34a5f344daf266dafb Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 23 Feb 2023 14:03:19 -0500 Subject: [PATCH 13/37] acrolinx --- ...smart-card-understanding-and-evaluating.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index 0d76c7ea47..5e72d2dfed 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md @@ -36,11 +36,11 @@ Virtual smart cards function much like physical smart cards, but they differ in A virtual smart card appears to applications as a conventional smart card. Private keys in the virtual smart card are protected, not by isolation of physical memory, but by the cryptographic capabilities of the TPM. All sensitive information is encrypted by using the TPM and then stored on the hard drive in its encrypted form. -All cryptographic operations occur in the secure, isolated environment of the TPM, and the unencrypted private keys are never used outside this environment. So like physical smart cards, virtual smart cards remain secure from any malware on the host. Additionally, if the hard drive is compromised in some way, a malicious user will not be able to access keys that are stored in the virtual smart card because they are securely encrypted by using the TPM. Keys can also be protected by BitLocker Drive Encryption. +All cryptographic operations occur in the secure, isolated environment of the TPM, and the unencrypted private keys are never used outside this environment. So like physical smart cards, virtual smart cards remain secure from any malware on the host. Additionally, if the hard drive is compromised in some way, a malicious user won't be able to access keys that are stored in the virtual smart card because they're securely encrypted by using the TPM. Keys can also be protected by BitLocker Drive Encryption. Virtual smart cards maintain the three key properties of physical smart cards: -- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it cannot be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user cannot reverse engineer an identical TPM or install the same TPM on a different computer. +- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md). - **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM. @@ -52,7 +52,7 @@ The following subsections compare the functionality, security, and cost of virtu **Functionality** -The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There is no method to export the user's virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users. +The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There's no method to export the user's virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users. The basic user experience for a virtual smart card is as simple as using a password to access a network. Because the smart card is loaded by default, the user must simply enter the PIN that is tied to the card to gain access. Users are no longer required to carry cards and readers or to take physical action to use the card. @@ -86,9 +86,9 @@ Additionally, the maintenance cost of virtual smart cards is less than that for | Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. | | Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user's computer, which may be left unattended and allow a greater risk window for hammering attempts. | | Provides a generally single-purpose device that is carried explicitly for the purpose of authentication. The smart card can be easily misplaced or forgotten. | Installs the virtual smart card on a device that has other purposes for the user, so the user has greater incentive to be responsible for the computer or device. | -| Alerts users that their card is lost or stolen only when they need to sign in and notice it is missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. This reduces the associated risk window. | +| Alerts users that their card is lost or stolen only when they need to sign in and notice it's missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. This reduces the associated risk window. | | Requires companies to invest in smart cards and smart card readers for all employees. | Requires that companies ensure all employees have TPM-enabled computers, which are relatively common. | -| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user's sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and cannot be removed from the computer. | +| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user's sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and can't be removed from the computer. | ## Authentication design options @@ -96,25 +96,25 @@ The following section presents several commonly used options and their respectiv **Passwords** -A password is a secret string of characters that is tied to the identification credentials for a user's account. This establishes the user's identity. Although passwords are the most commonly used form of authentication, they are also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users. +A password is a secret string of characters that is tied to the identification credentials for a user's account. This establishes the user's identity. Although passwords are the most commonly used form of authentication, they're also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users. -Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they cannot be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user's password and impersonate that person's identity. A user often will not realize that the password is compromised, which makes it is easy for a malicious user to maintain access to a system if a valid password has been obtained. +Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they can't be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user's password and impersonate that person's identity. A user often won't realize that the password is compromised, which makes it's easy for a malicious user to maintain access to a system if a valid password has been obtained. **One-time passwords** -A one-time password (OTP) is similar to a traditional password, but it is more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. However, assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor cannot use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session). +A one-time password (OTP) is similar to a traditional password, but it's more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. However, assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor can't use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session). **Smart cards** Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security: -- **Non-exportability**: Information stored on the card, such as the user's private keys, cannot be extracted from one device and used in another medium. +- **Non-exportability**: Information stored on the card, such as the user's private keys, can't be extracted from one device and used in another medium. -- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer cannot observe the transactions. +- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer can't observe the transactions. - **Anti-hammering**: To prevent access to the card by a brute-force attack, a set number of consecutive unsuccessful PIN entry attempts blocks the card until administrative action is taken. -Smart cards provide greatly enhanced security over passwords alone, because it is much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It is extremely difficult for a thief to acquire the card and the PIN. +Smart cards provide greatly enhanced security over passwords alone, because it's much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It is extremely difficult for a thief to acquire the card and the PIN. Additional security is achieved by the singular nature of the card because only one copy of the card exists, only one individual can use the sign-in credentials, and users will quickly notice if the card has been lost or stolen. This greatly reduces the risk window of credential theft when compared to using a password alone. @@ -124,7 +124,7 @@ Unfortunately, this additional security comes with added material and support co To address these issues, virtual smart cards emulate the functionality of traditional smart cards, but instead of requiring the purchase of additional hardware, they utilize technology that users already own and are more likely to have with them at all times. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. However, the virtual smart card platform developed by Microsoft is currently limited to the use of the Trusted Platform Module (TPM) chip, which is installed on most modern computers. -Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards (non-exportability, isolated cryptography, and anti-hammering). They are also less expensive to implement and more convenient for users. Because many corporate computers already have a built-in TPM, there is no cost associated with purchasing new hardware. The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity cannot be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card. +Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards (non-exportability, isolated cryptography, and anti-hammering). They're also less expensive to implement and more convenient for users. Because many corporate computers already have a built-in TPM, there's no cost associated with purchasing new hardware. The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity can't be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card. ## See also From 59ef5db80c28fd9e1a6dc2a4cc2479bf4e743f08 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 23 Feb 2023 14:15:42 -0500 Subject: [PATCH 14/37] updates --- .../virtual-smart-card-overview.md | 17 +++--- .../virtual-smart-card-tpmvscmgr.md | 16 ++---- ...tual-smart-card-use-virtual-smart-cards.md | 20 +++---- ...lize-and-configure-ownership-of-the-tpm.md | 2 +- .../tpm/tpm-fundamentals.md | 10 ++-- .../tpm/trusted-platform-module-overview.md | 56 ++++++------------- 6 files changed, 48 insertions(+), 73 deletions(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md index 35662ebdef..05598bf6ee 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md @@ -16,13 +16,13 @@ This article provides an overview of the virtual smart card technology. ## Feature description -Virtual smart card technology offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on devices, rather than requiring the use of a separate physical smart card and reader. Virtual smart cards are created in the TPM, where the keys used for authentication are stored in cryptographically-secured hardware. +Virtual smart card technology offers comparable security benefits to physical smart cards by using two-factor authentication. Virtual smart cards emulate the functionality of physical smart cards, but they use the Trusted Platform Module (TPM) chip that is available on devices. Virtual smart cards don't require the use of a separate physical smart card and reader. You create virtual smart cards in the TPM, where the keys used for authentication are stored in cryptographically-secured hardware. By utilizing TPM devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering. ## Practical applications -Virtual smart cards are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. They're easily deployed by using in-house methods or a purchased solution, and they can become a full replacement for other methods of strong authentication in a corporate setting of any scale. +Virtual smart cards are functionally similar to physical smart cards, appearing in Windows as smart cards that are always-inserted. Virtual smart cards can be used for authentication to external resources, protection of data by encryption, and integrity through signing. You can deploy virtual smart cards by using in-house methods or a purchased solution, and they can be a replacement for other methods of strong authentication in a corporate setting of any scale. ### Authentication use cases @@ -38,25 +38,28 @@ Virtual smart cards can also be used for client authentication by using TLS/SSL **Virtual smart card redirection for remote desktop connections** -The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the computers that they access domain resources through. Therefore, when a user remotely connects to a computer that is hosting virtual smart cards, the virtual smart cards that are located on the remote computer can't be used during the remote session. However, the virtual smart cards that are stored on the connecting computer (which is under physical control of the user) are loaded onto the remote computer, and they can be used as if they were installed by using the remote computer's TPM. This extends a user's privileges to the remote computer, while maintaining the principles of two-factor authentication. +The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the devices that they use to access domain. When you connect to a device that is hosting virtual smart cards, you can't use the virtual smart cards located on the remote device during the remote session. However, you can access the virtual smart cards on the connecting device (which is under your physical control), which are loaded onto the remote device. You can use the virtual smart cards as if they were installed by using the remote devices' TPM, extending your privileges to the remote device, while maintaining the principles of two-factor authentication. ### Confidentiality use cases **S/MIME email encryption** -Physical smart cards are designed to hold private keys that can be used for email encryption and decryption. This functionality also exists in virtual smart cards. By using S/MIME with a user's public key to encrypt email, the sender of an email can be assured that only the person with the corresponding private key will be able to decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption. +Physical smart cards are designed to hold private keys. You can use the private keys for email encryption and decryption. The same functionality exists in virtual smart cards. By using S/MIME with a user's public key to encrypt email, the sender of an email is assured that only the person with the corresponding private key can decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption. **BitLocker for data volumes** -BitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. This ensures that if the physical ownership of a hard drive is compromised, an adversary won't be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive and possession of the computer that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be difficult. +BitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. BitLocker ensures that if the physical ownership of a hard drive is compromised, an adversary won't be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive, and possession of the device that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be difficult. -BitLocker can also be used to encrypt portable drives, storing keys in virtual smart cards. In this scenario (unlike using BitLocker with a physical smart card), the encrypted drive can be used only when it's connected to device for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from this device. This method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive, too. +You can use BitLocker to encrypt portable drives, storing keys in virtual smart cards. In this scenario, unlike using BitLocker with a physical smart card, the encrypted drive can be used only when it's connected to device for the virtual smart card that is used to encrypt the drive, because the BitLocker key is only accessible from the device. This method can be useful to ensure the security of backup drives and personal storage uses outside the main hard drive, too. ### Data integrity use case **Signing data** -To verify authorship of data, a user can sign it by using a private key stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. If the key is stored in an operating system that is accessible, a malicious user could access it and use it to modify already signed data or to spoof the key owner's identity. However, if the key is stored in a virtual smart card, it can be used only to sign data on the host device. The key can't be exported to other systems (intentionally or unintentionally, such as with malware theft), making digital signatures more secure than other methods for private key storage. +To verify authorship of data, a user can sign it by using a private key stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data. + +- Storing the key in an operating system that is accessible, malicious users could access it and use it to modify already signed data or to spoof the key owner's identity +- Storing the key in a virtual smart card, means that you can only use it to sign data on the host device. You can't export the key to other systems (intentionally or unintentionally, such as with malware theft), making digital signatures more secure than other methods for private key storage ## Hardware requirements diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md index 2b7bccd7f5..5f39e38b48 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md @@ -1,6 +1,6 @@ --- -title: Tpmvscmgr (Windows 10) -description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer. +title: Tpmvscmgr +description: Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer. ms.topic: conceptual ms.date: 02/22/2023 appliesto: @@ -22,7 +22,7 @@ The Tpmvscmgr command-line tool allows users with Administrative credentials to ### Parameters for Create command -The Create command sets up new virtual smart cards on the user's system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format ROOT\\SMARTCARDREADER\\000n where n starts from 0 and is increased by 1 each time you create a new virtual smart card. +The Create command sets up new virtual smart cards on the user's system. It returns the instance ID of the newly created card for later reference if deletion is required. The instance ID is in the format `ROOT\SMARTCARDREADER\000n` where n starts from 0 and is increased by 1 each time you create a new virtual smart card. | Parameter | Description | |-----------|-------------| @@ -30,10 +30,10 @@ The Create command sets up new virtual smart cards on the user's system. It retu | /AdminKey | Indicates the desired administrator key that can be used to reset the PIN of the card if the user forgets the PIN.
**DEFAULT** Specifies the default value of 010203040506070801020304050607080102030405060708.
**PROMPT**  Prompts the user to enter a value for the administrator key.
**RANDOM**  Results in a random setting for the administrator key for a card that is not returned to the user. This creates a card that might not be manageable by using smart card management tools. When generated with RANDOM, the administrator key is set as 48 hexadecimal characters. | | /PIN | Indicates desired user PIN value.
**DEFAULT**  Specifies the default PIN of 12345678.
**PROMPT**  Prompts the user to enter a PIN at the command line. The PIN must be a minimum of eight characters, and it can contain numerals, characters, and special characters. | | /PUK | Indicates the desired PIN Unlock Key (PUK) value. The PUK value must be a minimum of eight characters, and it can contain numerals, characters, and special characters. If the parameter is omitted, the card is created without a PUK.
**DEFAULT**  Specifies the default PUK of 12345678.
**PROMPT**  Prompts the user to enter a PUK at the command line. | -| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it is equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Configuration Manager. | +| /generate | Generates the files in storage that are necessary for the virtual smart card to function. If the /generate parameter is omitted, it's equivalent to creating a card without this file system. A card without a file system can be managed only by a smart card management system such as Microsoft Configuration Manager. | | /machine | Allows you to specify the name of a remote computer on which the virtual smart card can be created. This can be used in a domain environment only, and it relies on DCOM. For the command to succeed in creating a virtual smart card on a different computer, the user running this command must be a member in the local administrators group on the remote computer. | | /pinpolicy | If **/pin prompt** is used, **/pinpolicy** allows you to specify the following PIN policy options:
**minlen** <minimum PIN length>
   If not specified, defaults to 8. The lower bound is 4.
**maxlen** <maximum PIN length>
   If not specified, defaults to 127. The upper bound is 127.
**uppercase**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**lowercase**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**digits**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**
**specialchars**  Can be **ALLOWED**, **DISALLOWED**, or **REQUIRED.** Default is **ALLOWED.**

When using **/pinpolicy**, PIN characters must be printable ASCII characters. | -| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](/openspecs/windows_protocols/ms-dha/a4a71926-3639-4d62-b915-760c2483f489#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:
**AIK_AND_CERT**  Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there is no network connectivity, it is possible that creation of the virtual smart card will fail.
**AIK_ONLY**  Creates an AIK but does not obtain an AIK certificate. | +| /attestation | Configures attestation (subject only). This attestation uses an [Attestation Identity Key (AIK) certificate](/openspecs/windows_protocols/ms-dha/a4a71926-3639-4d62-b915-760c2483f489#gt_89a2ba3c-80af-4d1f-88b3-06ec3489fd5a) as a trust anchor to vouch that the virtual smart card keys and certificates are truly hardware bound. The attestation methods are:
**AIK_AND_CERT**  Creates an AIK and obtains an AIK certificate from the Microsoft cloud certification authority (CA). This requires the device to have a TPM with an [EK certificate](/openspecs/windows_protocols/ms-wcce/719b890d-62e6-4322-b9b1-1f34d11535b4#gt_6aaaff7f-d380-44fb-91d3-b985e458eb6d). If this option is specified and there's no network connectivity, it's possible that creation of the virtual smart card will fail.
**AIK_ONLY**  Creates an AIK but doesn't obtain an AIK certificate. | | /? | Displays Help for this command. | ### Parameters for Destroy command @@ -87,8 +87,4 @@ The following command will create a TPM virtual smart card with the default valu ```console tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8 /AdminKey DEFAULT /attestation AIK_AND_CERT /generate -``` - -## Additional references - -- [Virtual Smart Card Overview](virtual-smart-card-overview.md) +``` \ No newline at end of file diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index 3313e66348..eb4d234c61 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -1,6 +1,6 @@ --- -title: Use Virtual Smart Cards (Windows 10) -description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them. +title: Use Virtual Smart Cards +description: Learn about the requirements for virtual smart cards, how to use and manage them. ms.topic: conceptual ms.date: 02/22/2023 appliesto: @@ -12,7 +12,7 @@ appliesto: [!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] -This topic for the IT professional describes requirements for virtual smart cards, how to use virtual smart cards, and tools that are available to help you create and manage them. +Learn about the requirements for virtual smart cards, how to use and manage them. ## Requirements, restrictions, and limitations @@ -20,9 +20,9 @@ This topic for the IT professional describes requirements for virtual smart card |-------------|---------------------------| | Supported operating systems | Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows 10
Windows 8.1
Windows 8 | | Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). | -| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.

**Note**
You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they are always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.
| -| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key is not generated. | -| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.
The Administrative key must be entered as 48 hexadecimal characters. It is a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. | +| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.

**Note**
You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them.
| +| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated. | +| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters.
The Administrative key must be entered as 48 hexadecimal characters. It's a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. | ## Using Tpmvscmgr.exe @@ -64,7 +64,7 @@ For more information about these Windows APIs, see: ## Distinguishing TPM-based virtual smart cards from physical smart cards -To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card. +To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign-in, and on other screens that require the user to enter the PIN for a virtual smart card. ![Icon for a virtual smart card.](images/vsc-virtual-smart-card-icon.png) @@ -82,17 +82,17 @@ The PIN for a virtual smart card can be changed by following these steps: ### TPM not provisioned -For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it is not provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail. +For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it isn't provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail. If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it will need to be re-created. -If the TPM ownership was established on a Windows Vista installation, the TPM will not be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards. +If the TPM ownership was established on a Windows Vista installation, the TPM won't be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards. If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-created. If the operating system is upgraded, prior TPM virtual smart cards will be available to use in the upgraded operating system. ### TPM in lockout state -Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it is necessary to reset the lockout on the TPM by using the owner's password or to wait for the lockout to expire. Unblocking the user PIN does not reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it is blocked. When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool. +Sometimes, due to frequent incorrect PIN attempts from a user, the TPM may enter the lockout state. To resume using the TPM virtual smart card, it's necessary to reset the lockout on the TPM by using the owner's password or to wait for the lockout to expire. Unblocking the user PIN doesn't reset the lockout in the TPM. When the TPM is in lockout, the TPM virtual smart card appears as if it's blocked. When the TPM enters the lockout state because the user entered an incorrect PIN too many times, it may be necessary to reset the user PIN by using the virtual smart card management tools, such as Tpmvscmgr command-line tool. ## See also diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index 89649c5eed..7e75833160 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -20,7 +20,7 @@ ms.collection: This article provides information how to troubleshoot the Trusted Platform Module (TPM): -- [Troubleshoot TPM initialization](#troubleshoot-tpm-initialization) +- [Troubleshoot TPM initialization](#tpm-initialization) - [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm) With TPM 1.2 and Windows 11, you can also take the following actions: diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index e9c39aac9f..78c253cc6c 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -1,13 +1,13 @@ --- -title: Trusted Platform Module (TPM) fundamentals (Windows) -description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks. +title: Trusted Platform Module (TPM) fundamentals +description: Learn about the components of the Trusted Platform Module and how they're used to mitigate dictionary attacks. ms.reviewer: ms.prod: windows-client author: dansimp ms.author: dansimp manager: aaroncz ms.topic: conceptual -ms.date: 12/27/2021 +ms.date: 02/22/2023 ms.technology: itpro-security appliesto: - ✅ Windows 10 and later @@ -65,7 +65,7 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i ## Physical presence interface -For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning on the TPM, turning it off, or clearing it. These actions typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them. +For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning on the TPM, turning it off, or clearing it. These actions typically can't be automated with scripts or other automation tools unless the individual OEM supplies them. ## TPM 1.2 states and initialization @@ -114,7 +114,7 @@ Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years. -Staring in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20). +Staring in Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters, to better align with other Windows features that use TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20). ### TPM-based smart cards diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index edc509184a..4bb546cbb3 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -1,12 +1,12 @@ --- -title: Trusted Platform Module Technology Overview (Windows) -description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. +title: Trusted Platform Module Technology Overview +description: Learn about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. ms.prod: windows-client author: paolomatarazzo ms.author: paoloma manager: aaroncz ms.topic: conceptual -ms.date: 02/02/2023 +ms.date: 02/22/2023 ms.technology: itpro-security appliesto: - ✅ Windows 10 and later @@ -18,30 +18,21 @@ ms.collection: # Trusted Platform Module Technology Overview -**Applies to** -- Windows 11 -- Windows 10 -- Windows Server 2022 -- Windows Server 2019 -- Windows Server 2016 - -This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. +This article describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. ## Feature description -[Trusted Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: +The [*Trusted Platform Module (TPM)*](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the advantages of using TPM technology are: -- Generate, store, and limit the use of cryptographic keys. - -- Use TPM technology for platform device authentication by using the TPM's unique RSA key, which is burned into it. - -- Help ensure platform integrity by taking and storing security measurements. +- Generate, store, and limit the use of cryptographic keys +- Use it for device authentication by using the TPM's unique RSA key, which is burned into the chip +- Help ensure platform integrity by taking and storing security measurements of the boot process The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses. -Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/). +Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, see the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/). ### Automatic initialization of the TPM with Windows @@ -51,11 +42,11 @@ In certain specific enterprise scenarios limited to Windows 10, versions 1507 an ## Practical applications -Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and cannot be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards. +Certificates can be installed or created on computers that are using the TPM. After a computer is provisioned, the RSA private key for a certificate is bound to the TPM and can't be exported. The TPM can also be used as a replacement for smart cards, which reduces the costs associated with creating and disbursing smart cards. Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process. -Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. +Anti-malware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization aren't running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry. The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md). @@ -67,16 +58,14 @@ For more info on new and changed functionality for Trusted Platform Module in Wi Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. -Some things that you can check on the device are: +Some things that you can check on the device include: -- Is Data Execution Prevention supported and enabled? - -- Is BitLocker Drive Encryption supported and enabled? - -- Is SecureBoot supported and enabled? +- Is Data Execution Prevention supported and enabled? +- Is BitLocker Drive Encryption supported and enabled? +- Is SecureBoot supported and enabled? > [!NOTE] -> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows 10, version 1607. TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. +> Windows supports Device Health Attestation with TPM 2.0. TPM 2.0 requires UEFI firmware. A device with legacy BIOS and TPM 2.0 won't work as expected. ## Supported versions for device health attestation @@ -84,16 +73,3 @@ Some things that you can check on the device are: |-------------|-------------|-------------|---------------------|---------------------|---------------------| | TPM 1.2 | | >= ver 1607 | | Yes | >= ver 1607 | | TPM 2.0 | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** | - -## Related topics - -- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [Details on the TPM standard](https://www.microsoft.com/research/project/the-trusted-platform-module-tpm/) (has links to features using TPM) -- [TPM Base Services Portal](/windows/desktop/TBS/tpm-base-services-portal) -- [TPM Base Services API](/windows/desktop/api/_tbs/) -- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md) -- [Azure device provisioning: Identity attestation with TPM](https://azure.microsoft.com/blog/device-provisioning-identity-attestation-with-tpm/) -- [Azure device provisioning: A manufacturing timeline for TPM devices](https://azure.microsoft.com/blog/device-provisioning-a-manufacturing-timeline-for-tpm-devices/) -- [Windows 10: Enabling vTPM (Virtual TPM)](https://social.technet.microsoft.com/wiki/contents/articles/34431.windows-10-enabling-vtpm-virtual-tpm.aspx) -- [How to Multiboot with Bitlocker, TPM, and a Non-Windows OS](https://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx) From bbb0974a7d70d984d74b6d3558caf4b8e2ef4ee6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 23 Feb 2023 17:01:19 -0500 Subject: [PATCH 15/37] acrolinx --- ...smart-card-understanding-and-evaluating.md | 40 +++++++------------ 1 file changed, 14 insertions(+), 26 deletions(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index 5e72d2dfed..9b2eaf15af 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md @@ -1,6 +1,6 @@ --- -title: Understanding and Evaluating Virtual Smart Cards (Windows 10) -description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards. +title: Understanding and Evaluating Virtual Smart Cards +description: Learn how smart card technology can fit into your authentication design. ms.prod: windows-client ms.topic: conceptual ms.date: 02/22/2023 @@ -9,11 +9,11 @@ appliesto: - ✅ Windows Server 2016 and later --- -# Understanding and Evaluating Virtual Smart Cards +# Understand and Evaluate Virtual Smart Cards [!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)] -This topic for the IT professional describes the virtual smart card technology that was developed by Microsoft; suggests how it can fit into your authentication design; and provides links to additional resources that you can use to design, deploy, and troubleshoot virtual smart cards. +This article describes the virtual smart card technology and how it can fit into your authentication design. Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering. @@ -70,7 +70,7 @@ However, there are several advantages provided by virtual smart cards to mitigat If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market. -Additionally, the maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently. +The maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently. **Comparison summary** @@ -81,7 +81,7 @@ Additionally, the maintenance cost of virtual smart cards is less than that for | Guarantees non-exportability through the card manufacturer, which includes isolating private information from operating system access. | Guarantees non-exportability through the TPM manufacturer, which includes the inability of an adversary to replicate or remove the TPM. | | Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user's computer or device. | | Provides anti-hammering through the card. After a certain number of failed PIN entry attempts, the card blocks further access until administrative action is taken. | Provides anti-hammering through the TPM. Successive failed attempts increase the device lockout time (the time the user has to wait before trying again). This can be reset by an administrator. | -| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without additional equipment. | +| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without other equipment. | | Enables credential portability by inserting the smart card into smart card readers that are attached to other computers. | Prevents exporting credentials from a given computer or device. However, virtual smart cards can be issued for the same user on multiple computers or devices by using additional certificates. | | Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. | | Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user's computer, which may be left unattended and allow a greater risk window for hammering attempts. | @@ -102,36 +102,24 @@ Password authentication places a great deal of responsibility on the user. Passw **One-time passwords** -A one-time password (OTP) is similar to a traditional password, but it's more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. However, assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor can't use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session). +A one-time password (OTP) is similar to a traditional password, but it's more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. Assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor can't use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session). **Smart cards** Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security: -- **Non-exportability**: Information stored on the card, such as the user's private keys, can't be extracted from one device and used in another medium. +- **Non-exportability**: Information stored on the card, such as the user's private keys, can't be extracted from one device and used in another medium +- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer can't observe the transactions +- **Anti-hammering**: To prevent access to the card by a brute-force attack, a set number of consecutive unsuccessful PIN entry attempts blocks the card until administrative action is taken -- **Isolated cryptography**: Any cryptographic operations that are related to the card (such as secure encryption and decryption of data) occur in a cryptographic processor on the card, so malicious software on the host computer can't observe the transactions. - -- **Anti-hammering**: To prevent access to the card by a brute-force attack, a set number of consecutive unsuccessful PIN entry attempts blocks the card until administrative action is taken. - -Smart cards provide greatly enhanced security over passwords alone, because it's much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It is extremely difficult for a thief to acquire the card and the PIN. +Smart cards provide greatly enhanced security over passwords alone, because it's much more difficult for a malicious user to gain and maintain access to a system. Most importantly, access to a smart card system requires that users have a valid card and that they know the PIN that provides access to that card. It's difficult for a thief to acquire the card and the PIN. Additional security is achieved by the singular nature of the card because only one copy of the card exists, only one individual can use the sign-in credentials, and users will quickly notice if the card has been lost or stolen. This greatly reduces the risk window of credential theft when compared to using a password alone. -Unfortunately, this additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and they also can be easily misplaced or stolen. +The additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and users can misplace or lose them. **Virtual smart cards** -To address these issues, virtual smart cards emulate the functionality of traditional smart cards, but instead of requiring the purchase of additional hardware, they utilize technology that users already own and are more likely to have with them at all times. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. However, the virtual smart card platform developed by Microsoft is currently limited to the use of the Trusted Platform Module (TPM) chip, which is installed on most modern computers. +Virtual smart cards emulate the functionality of traditional smart cards. Instead of requiring the purchase of additional hardware, virtual smart cards utilize technology that users already own and are more likely to always have with them. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip, which is on most modern devices. -Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards (non-exportability, isolated cryptography, and anti-hammering). They're also less expensive to implement and more convenient for users. Because many corporate computers already have a built-in TPM, there's no cost associated with purchasing new hardware. The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity can't be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card. - -## See also - -- [Get Started with Virtual Smart Cards: Walkthrough Guide](virtual-smart-card-get-started.md) - -- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) - -- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md) - -- [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md) +Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards: non-exportability, isolated cryptography, and anti-hammering. Virtual smart cards are less expensive to implement and more convenient for users. Since many corporate computers already have a built-in TPM, there's no cost associated with purchasing new hardware. The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity can't be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card. From 2be05b504129d4e62290d15e2ef1291302c08f3f Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 23 Feb 2023 17:38:35 -0500 Subject: [PATCH 16/37] modified: virtual-smart-card-understanding-and-evaluating.md --- .../virtual-smart-card-understanding-and-evaluating.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index 9b2eaf15af..dfde051a1a 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md @@ -27,9 +27,6 @@ This topic contains the following sections: - [Authentication design options](#authentication-design-options): Describes how passwords, smart cards, and virtual smart cards can be used to reach authentication goals in your organization. -- [See also](#see-also): - Links to other topics that can help you design, deploy, and troubleshoot virtual smart cards. - ## Comparing virtual smart cards with physical smart cards Virtual smart cards function much like physical smart cards, but they differ in that they protect private keys by using the TPM of the computer instead of smart card media. From 70fb39dfee84adbc60f822bed47efed8e5366b3d Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 24 Feb 2023 12:00:40 -0500 Subject: [PATCH 17/37] updates --- ...o-hybrid-cloud-kerberos-trust-provision.md | 42 +++++++++---------- .../hello-hybrid-cloud-kerberos-trust.md | 11 +++-- 2 files changed, 26 insertions(+), 27 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md index e34d3409ed..4f399e17fd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -29,16 +29,12 @@ After setting up the Azure AD Kerberos object, Windows Hello for business cloud #### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) -## Configure Windows Hello for Business using Microsoft Intune - -For devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business. +For devices managed by Intune, you can use Intune policies to configure Windows Hello for Business. There are different ways to enable and configure Windows Hello for Business in Intune: -- Using a policy applied at the tenant level. The tenant policy: - - Is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune - - It applies to *all devices* getting enrolled in Intune. For this reason, the policy is usually disabled and Windows Hello for Business is enabled using a policy targeted to a security group -- A device configuration policy that is applied *after* device enrollment. Any changes to the policy will be applied to the devices during regular policy refresh intervals. Chose from the following policy types: +- When the device is enrolled in Intune, a tenant-wide policy is applied to the device. This policy is applied at enrollment time only, and any changes to its configuration won't apply to devices already enrolled in Intune. For this reason, this policy is usually disabled, and Windows Hello for Business can be enabled using a policy targeted to a security group +- After the device is enrolled in Intune, you can apply a device configuration policy. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from: - [Settings catalog][MEM-7] - [Security baselines][MEM-2] - [Custom policy][MEM-3], via the [PassportForWork CSP][MEM-4] @@ -49,7 +45,7 @@ There are different ways to enable and configure Windows Hello for Business in I To check the Windows Hello for Business policy applied at enrollment time: -1. Sign in to the Microsoft Intune admin center +1. Sign in to the Microsoft Intune admin center 1. Select **Devices** > **Windows** > **Windows Enrollment** 1. Select **Windows Hello for Business** 1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured @@ -60,25 +56,25 @@ If the tenant-wide policy is enabled and configured to your needs, you can skip ### Enable Windows Hello for Business -To configure Windows Hello for Business using an *account protection* policy: +To configure Windows Hello for Business using an account protection policy: -1. Go to the Microsoft Intune admin center +1. Sign in to the Microsoft Intune admin center 1. Select **Endpoint security** > **Account protection** 1. Select **+ Create Policy** -1. For *Platform**, select **Windows 10 and later** and for *Profile* select **Account protection** +1. For **Platform**, select **Windows 10 and later** and for **Profile* select **Account protection** 1. Select **Create** 1. Specify a **Name** and, optionally, a **Description** > **Next** -1. Under *Block Windows Hello for Business*, select **Disabled** and multiple policies become available - - These policies are optional to configure, but it's recommended to configure *Enable to use a Trusted Platform Module (TPM)* to **Yes** +1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available + - These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes** - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business) -1. Under *Enable to certificate for on-premises resources*, select **Disabled** and multiple policies become available +1. Under **Enable to certificate for on-premises resources**, select **Disabled** and multiple policies become available 1. Select **Next** -1. Optionally, add *scope tags* > **Next** +1. Optionally, add **scope tags** and select **Next** 1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** 1. Review the policy configuration and select **Create** > [!TIP] -> If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Identity Protection template. +> If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Account protection template. :::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png"::: @@ -86,14 +82,14 @@ Assign the policy to a security group that contains as members the devices or us ### Configure cloud Kerberos trust policy -The cloud Kerberos trust policy needs to be configured using a custom template, and is configured separately from enabling Windows Hello from Business. +The cloud Kerberos trust policy can be configured using a custom template, and is configured separately from enabling Windows Hello from Business. To configure the cloud Kerberos trust policy: -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. -1. For Profile Type, select **Templates** and select the **Custom** Template. -1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust". +1. Sign in to the Microsoft Intune admin center +1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile** +1. For Profile Type, select **Templates** and select the **Custom** Template +1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust" 1. In Configuration Settings, add a new configuration with the following settings: | Setting | @@ -135,12 +131,12 @@ You can configure Windows Hello for Business cloud Kerberos trust using a Group 1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business** 1. Select **Use Windows Hello for Business** > **Enable** > **OK** 1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK** -1. *Optional, but recommended*: select **Use a hardware security device** > **Enable** > **OK** +1. Optional, but recommended: select **Use a hardware security device** > **Enable** > **OK** --- > [!IMPORTANT] -> If the *Use certificate for on-premises authentication* policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy *not configured* or *disabled*. +> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured** or **disabled**. ## Provision Windows Hello for Business diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index a8ea65e53d..963f727b71 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -10,7 +10,7 @@ ms.topic: tutorial [!INCLUDE [hello-hybrid-key-trust](./includes/hello-hybrid-cloudkerb-trust.md)] -Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to successfully deploy Windows Hello for Business in a *cloud Kerberos trust* scenario. +Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This deployment guide provides the information to deploy Windows Hello for Business in a *cloud Kerberos trust* scenario. ## Introduction to cloud Kerberos trust @@ -19,7 +19,7 @@ The goal of Windows Hello for Business cloud Kerberos trust is to bring the simp Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which enables a simpler deployment when compared to the *key trust model*: - No need to deploy a public key infrastructure (PKI) or to change an existing PKI -- No need to synchronize public keys between Azure AD and Active Directory for users to access on-premises resources. This means that there isn't delay between the user's WHFB provisioning and being able to authenticate to Active Directory +- No need to synchronize public keys between Azure AD and Active Directory for users to access on-premises resources. There isn't any delay between the user's Windows Hello for Business provisioning, and being able to authenticate to Active Directory - [Passwordless security key sign-in][AZ-1] can be deployed with minimal extra setup > [!NOTE] @@ -30,7 +30,7 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which *Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust. Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\ -With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers. +With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for sign-in or to access AD-based resources. The on-premises domain controllers are still responsible for Kerberos service tickets and authorization. When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object: @@ -79,7 +79,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou > * Provision Windows Hello for Business on Windows clients > [!div class="nextstepaction"] -> [Next: configure and provision Windows Hello for Business >](hello-hybrid-cloud-kerberos-trust-provision.md) +> [Next: **configure** and provision **Windows** Hello for **Business** >](hello-hybrid-cloud-kerberos-trust-provision.md) @@ -89,3 +89,6 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou [SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e [SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f + + +**hello** you **there** From b2cb73705c03a607bd44033d3056d9990f889ea3 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 24 Feb 2023 12:07:10 -0500 Subject: [PATCH 18/37] typo --- .../hello-hybrid-cloud-kerberos-trust-provision.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md index 4f399e17fd..45d2043ee2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -61,7 +61,7 @@ To configure Windows Hello for Business using an account protection policy: 1. Sign in to the Microsoft Intune admin center 1. Select **Endpoint security** > **Account protection** 1. Select **+ Create Policy** -1. For **Platform**, select **Windows 10 and later** and for **Profile* select **Account protection** +1. For **Platform**, select **Windows 10 and later** and for **Profile** select **Account protection** 1. Select **Create** 1. Specify a **Name** and, optionally, a **Description** > **Next** 1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available From c528e673a4d54ce46e47d6b3d22bea0f81003353 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 24 Feb 2023 13:03:35 -0500 Subject: [PATCH 19/37] typo updates --- .../hello-hybrid-cloud-kerberos-trust-provision.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md index 45d2043ee2..0b63b883b2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -80,9 +80,9 @@ To configure Windows Hello for Business using an account protection policy: Assign the policy to a security group that contains as members the devices or users that you want to configure. -### Configure cloud Kerberos trust policy +### Configure the cloud Kerberos trust policy -The cloud Kerberos trust policy can be configured using a custom template, and is configured separately from enabling Windows Hello from Business. +The cloud Kerberos trust policy can be configured using a custom template, and it's configured separately from enabling Windows Hello for Business. To configure the cloud Kerberos trust policy: From 721e5dd1f9cf2b2f57e5df017b49c9d5a82c99f6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 24 Feb 2023 14:28:32 -0500 Subject: [PATCH 20/37] updates --- .../hello-hybrid-cloud-kerberos-trust.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 963f727b71..d3f07a3668 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business cloud Kerberos trust deployment description: Learn how to deploy Windows Hello for Business in a cloud Kerberos trust scenario. -ms.date: 02/22/2023 +ms.date: 02/24/2023 appliesto: - ✅ Windows 10, version 21H2 and later ms.topic: tutorial @@ -79,7 +79,7 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou > * Provision Windows Hello for Business on Windows clients > [!div class="nextstepaction"] -> [Next: **configure** and provision **Windows** Hello for **Business** >](hello-hybrid-cloud-kerberos-trust-provision.md) +> [Next: configure and provision Windows Hello for Business >](hello-hybrid-cloud-kerberos-trust-provision.md) @@ -88,7 +88,4 @@ Once the prerequisites are met, deploying Windows Hello for Business with a clou [SERV-1]: /windows-server/administration/performance-tuning/role/active-directory-server/capacity-planning-for-active-directory-domain-services [SUP-1]: https://support.microsoft.com/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e -[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f - - -**hello** you **there** +[SUP-2]: https://support.microsoft.com/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f \ No newline at end of file From 62ec4316445dbfc8ca690a44b989a9b290d9b214 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 24 Feb 2023 14:33:09 -0500 Subject: [PATCH 21/37] fixed link --- .../hello-hybrid-cloud-kerberos-trust-provision.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md index 0b63b883b2..7a62af935e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -1,7 +1,7 @@ --- title: Windows Hello for Business cloud Kerberos trust clients configuration and enrollment description: Learn how to configure devices and enroll them in Windows Hello for Business in a cloud Kerberos trust scenario. -ms.date: 02/22/2023 +ms.date: 02/24/2023 appliesto: - ✅ Windows 10, version 21H2 and later ms.topic: tutorial @@ -52,7 +52,7 @@ To check the Windows Hello for Business policy applied at enrollment time: :::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." border="true" lightbox="images/whfb-intune-disable.png"::: -If the tenant-wide policy is enabled and configured to your needs, you can skip to [Configure cloud Kerberos trust policy](#configure-cloud-kerberos-trust-policy). Otherwise, follow the instructions below to create a policy using an *account protection* policy. +If the tenant-wide policy is enabled and configured to your needs, you can skip to [Configure cloud Kerberos trust policy](#configure-the-cloud-kerberos-trust-policy). Otherwise, follow the instructions below to create a policy using an *account protection* policy. ### Enable Windows Hello for Business From 7a28edf649b40ffed0e23d7e5c23770f5036390c Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 24 Feb 2023 14:48:22 -0700 Subject: [PATCH 22/37] Update hello-faq.yml Line 190: differences > difference --- .../identity-protection/hello-for-business/hello-faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 81b6287b97..fd1630c12b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -187,7 +187,7 @@ sections: - question: Which is a better or more secure for of authentication, key or certificate? answer: | Both types of authentication provide the same security; one is not more secure than the other. - The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The differences between the two trust types is the issuance of end-entity certificates: + The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types is the issuance of end-entity certificates: - The *key trust* model authenticates to Active Directory by using a raw key. Key trust doesn't require an enterprise-issued certificate, therefore you don't need to issue certificates to users (domain controller certificates are still needed) - The *certificate trust* model authenticates to Active Directory by using a certificate. Therefore, you need to issue certificates to users. The certificate used in certificate trust uses the TPM-protected private key to request a certificate from your enterprise's issuing CA - question: What is convenience PIN? @@ -250,4 +250,4 @@ sections: In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle. - question: Can I use Windows Hello for Business key trust and RDP? answer: | - Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. \ No newline at end of file + Remote Desktop Protocol (RDP) doesn't currently support using key-based authentication and self-signed certificates as supplied credentials. However, you can deploy certificates in the key trust model to enable RDP. For more information, see [Deploying certificates to key trust users to enable RDP](hello-deployment-rdp-certs.md). In addition, Windows Hello for Business key trust can be also used with RDP with [Windows Defender Remote Credential Guard](../remote-credential-guard.md) without deploying certificates. From 09e04f7d5855901b520507ee23f4a485a3be561a Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 24 Feb 2023 14:54:47 -0700 Subject: [PATCH 23/37] Update virtual-smart-card-deploy-virtual-smart-cards.md Line 88: An another > Another Line 92: sign in > sign-in Line 225: is > are https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/a3a43aab-f703-4e2a-b3f2-620a57e97c86#CORRECTNESS --- .../virtual-smart-card-deploy-virtual-smart-cards.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index e4e0e793bc..63ac28b3e9 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md @@ -85,11 +85,11 @@ Although the PUK and the administrator key methodologies provide unlocking and r The administrator key methodology takes a challenge-response approach. The card provides a set of random data after users verify their identity to the deployment administrator. The administrator then encrypts the data with the administrator key and gives the encrypted data back to the user. If the encrypted data matches that produced by the card during verification, the card will allow PIN reset. Because the administrator key is never accessible by anyone other than the deployment administrator, it can't be intercepted or recorded by any other party (including employees). This provides significant security benefits beyond using a PUK, an important consideration during the personalization process. -TPM virtual smart cards can be personalized on an individual basis when they're created with the Tpmvscmgr command-line tool. Or organizations can purchase a management solution that can incorporate personalization into an automated routine. An another advantage of such a solution is the automated creation of administrator keys. Tpmvscmgr.exe allows users to create their own administrator keys, which can be detrimental to the security of the virtual smart cards. +TPM virtual smart cards can be personalized on an individual basis when they're created with the Tpmvscmgr command-line tool. Or organizations can purchase a management solution that can incorporate personalization into an automated routine. Another advantage of such a solution is the automated creation of administrator keys. Tpmvscmgr.exe allows users to create their own administrator keys, which can be detrimental to the security of the virtual smart cards. ## Provision virtual smart cards -Provisioning is the process of loading specific credentials onto a TPM virtual smart card. These credentials consist of certificates that are created to give users access to a specific service, such as domain sign in. A maximum of 30 certificates is allowed on each virtual smart card. As with physical smart cards, several decisions must be made regarding the provisioning strategy, based on the environment of the deployment and the desired level of security. +Provisioning is the process of loading specific credentials onto a TPM virtual smart card. These credentials consist of certificates that are created to give users access to a specific service, such as domain sign-in. A maximum of 30 certificates is allowed on each virtual smart card. As with physical smart cards, several decisions must be made regarding the provisioning strategy, based on the environment of the deployment and the desired level of security. A high-assurance level of secure provisioning requires absolute certainty about the identity of the individual who is receiving the certificate. Therefore, one method of high-assurance provisioning is utilizing previously provisioned strong credentials, such as a physical smart card, to validate identity during provisioning. In-person proofing at enrollment stations is another option, because an individual can easily and securely prove his or her identity with a passport or driver's license, although this can become infeasible on a larger scale. To achieve a similar level of assurance, a large organization can implement an "enroll-on-behalf-of" strategy, in which employees are enrolled with their credentials by a superior who can personally verify their identities. This creates a chain of trust that ensures individuals are checked in person against their proposed identities, but without the administrative strain of provisioning all virtual smart cards from a single central enrollment station. @@ -222,7 +222,7 @@ For deployments that require users to use a physical smart card to sign the cert #### Using one-time password for enrollment -Another option to ensure that users is strongly authenticated before virtual smart card certificates are issued, is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools. +Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued, is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools. #### Certificate lifecycle management From 91a695a67d4123d3f964f82e24f91e2fb676b16c Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 24 Feb 2023 14:56:35 -0700 Subject: [PATCH 24/37] Update virtual-smart-card-get-started.md Line 17: , which > that https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/c396561a-9399-4e48-989a-5dbb0d2081b9#CORRECTNESS --- .../virtual-smart-cards/virtual-smart-card-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index acfb1609d8..ab3569f8ab 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md @@ -14,7 +14,7 @@ appliesto: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards. -Virtual smart cards are a technology from Microsoft, which offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering. +Virtual smart cards are a technology from Microsoft that offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering. This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer. From 2cc584680fb8adcb958446e79cfcac5171b0f651 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 24 Feb 2023 15:01:22 -0700 Subject: [PATCH 25/37] Update backup-tpm-recovery-information-to-ad-ds.md Lines 16 and 18: backup > back up --- .../tpm/backup-tpm-recovery-information-to-ad-ds.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md index 8f9951dfee..d8d6fe181e 100644 --- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md @@ -13,8 +13,8 @@ appliesto: - ✅ Windows Server 2016 and later --- -# Backup the TPM recovery information to AD DS +# Back up the TPM recovery information to AD DS -In Windows 11, you can backup a device's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS), enabling remote management of the TPM. +In Windows 11, you can back up a device's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS), enabling remote management of the TPM. For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)). From 89ce3a18f159238f0598a0e6a8454ae22c46c5a3 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 24 Feb 2023 15:03:55 -0700 Subject: [PATCH 26/37] Update backup-tpm-recovery-information-to-ad-ds.md Lines 2-3 and 20: backup > back up (two words as a verb) --- .../tpm/backup-tpm-recovery-information-to-ad-ds.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md index d8d6fe181e..2779296ea9 100644 --- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md @@ -1,6 +1,6 @@ --- -title: Backup TPM recovery information to Active Directory -description: Learn how to backup the Trusted Platform Module (TPM) recovery information to Active Directory. +title: Back up TPM recovery information to Active Directory +description: Learn how to back up the Trusted Platform Module (TPM) recovery information to Active Directory. ms.prod: windows-client author: paolomatarazzo ms.author: paoloma @@ -17,4 +17,4 @@ appliesto: In Windows 11, you can back up a device's Trusted Platform Module (TPM) information to Active Directory Domain Services (AD DS), enabling remote management of the TPM. -For more information, see [Backup the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)). +For more information, see [Back up the TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-8.1-and-8/dn466534(v=ws.11)). From a90fe063bab998210715322157b2565532b2fe5b Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 24 Feb 2023 15:09:04 -0700 Subject: [PATCH 27/37] Update trusted-platform-module-overview.md Line 61: Some security things that you can check on the device include: > Some security issues that you can check on the device include the following: --- .../tpm/trusted-platform-module-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 4bb546cbb3..2c2f23d5cb 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -58,7 +58,7 @@ For more info on new and changed functionality for Trusted Platform Module in Wi Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. -Some things that you can check on the device include: +Some security issues that you can check on the device include the following: - Is Data Execution Prevention supported and enabled? - Is BitLocker Drive Encryption supported and enabled? From eb36317bb62937a48232afe1e4e055458682a523 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 24 Feb 2023 15:43:12 -0700 Subject: [PATCH 28/37] Update hello-hybrid-cloud-kerberos-trust-provision.md Lines 17-18, 36, 48-51, 61-74, 89-93, 131-136, 161-163, 175-177, 191-195: Add periods to the sentences. Line 79: Add "This image shows the" to the alt-text Lines 94-100: Reformat single col table as a list Line 104: Reformat image with custom extension image Markdown to add border automatically. Line 106: Add number to this step. Line 116: cloud > Cloud Line 150: Delete leading indent. Line 159: This is the process after a user signs in, that occurs to enroll in Windows Hello for Business: > After a user signs in, this is the process that occurs to enroll in Windows Hello for Business: Line 198: sign in > sign-in (used as a noun in this sentence) --- ...o-hybrid-cloud-kerberos-trust-provision.md | 110 +++++++++--------- 1 file changed, 56 insertions(+), 54 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md index 7a62af935e..c9acafeee8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -14,8 +14,8 @@ ms.topic: tutorial Deploying Windows Hello for Business cloud Kerberos trust consists of two steps: -1. Set up Azure AD Kerberos -1. Configure a Windows Hello for Business policy and deploy it to the devices +1. Set up Azure AD Kerberos. +1. Configure a Windows Hello for Business policy and deploy it to the devices. ### Deploy Azure AD Kerberos @@ -33,7 +33,7 @@ For devices managed by Intune, you can use Intune policies to configure Windows There are different ways to enable and configure Windows Hello for Business in Intune: -- When the device is enrolled in Intune, a tenant-wide policy is applied to the device. This policy is applied at enrollment time only, and any changes to its configuration won't apply to devices already enrolled in Intune. For this reason, this policy is usually disabled, and Windows Hello for Business can be enabled using a policy targeted to a security group +- When the device is enrolled in Intune, a tenant-wide policy is applied to the device. This policy is applied at enrollment time only, and any changes to its configuration won't apply to devices already enrolled in Intune. For this reason, this policy is usually disabled, and Windows Hello for Business can be enabled using a policy targeted to a security group. - After the device is enrolled in Intune, you can apply a device configuration policy. Any changes to the policy will be applied to the devices during regular policy refresh intervals. There are different policy types to choose from: - [Settings catalog][MEM-7] - [Security baselines][MEM-2] @@ -45,10 +45,10 @@ There are different ways to enable and configure Windows Hello for Business in I To check the Windows Hello for Business policy applied at enrollment time: -1. Sign in to the Microsoft Intune admin center -1. Select **Devices** > **Windows** > **Windows Enrollment** -1. Select **Windows Hello for Business** -1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured +1. Sign in to the Microsoft Intune admin center. +1. Select **Devices** > **Windows** > **Windows Enrollment**. +1. Select **Windows Hello for Business**. +1. Verify the status of **Configure Windows Hello for Business** and any settings that may be configured. :::image type="content" source="images/whfb-intune-disable.png" alt-text="Disablement of Windows Hello for Business from Microsoft Intune admin center." border="true" lightbox="images/whfb-intune-disable.png"::: @@ -58,25 +58,25 @@ If the tenant-wide policy is enabled and configured to your needs, you can skip To configure Windows Hello for Business using an account protection policy: -1. Sign in to the Microsoft Intune admin center -1. Select **Endpoint security** > **Account protection** -1. Select **+ Create Policy** -1. For **Platform**, select **Windows 10 and later** and for **Profile** select **Account protection** -1. Select **Create** -1. Specify a **Name** and, optionally, a **Description** > **Next** -1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available - - These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes** - - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business) -1. Under **Enable to certificate for on-premises resources**, select **Disabled** and multiple policies become available -1. Select **Next** -1. Optionally, add **scope tags** and select **Next** -1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next** -1. Review the policy configuration and select **Create** +1. Sign in to the Microsoft Intune admin center. +1. Select **Endpoint security** > **Account protection**. +1. Select **+ Create Policy**. +1. For **Platform**, select **Windows 10 and later** and for **Profile** select **Account protection**. +1. Select **Create**. +1. Specify a **Name** and, optionally, a **Description** > **Next**. +1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available. + - These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**. + - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). +1. Under **Enable to certificate for on-premises resources**, select **Disabled** and multiple policies become available. +1. Select **Next**. +1. Optionally, add **scope tags** and select **Next**. +1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**. +1. Review the policy configuration and select **Create**. > [!TIP] > If you want to enforce the use of digits for your Windows Hello for Business PIN, use the settings catalog and choose **Digits** or **Digits (User)** instead of using the Account protection template. -:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="Enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png"::: +:::image type="content" source="images/whfb-intune-account-protection-enable.png" alt-text="This image shows the enablement of Windows Hello for Business from Microsoft Intune admin center using an account protection policy." lightbox="images/whfb-intune-account-protection-enable.png"::: Assign the policy to a security group that contains as members the devices or users that you want to configure. @@ -86,22 +86,24 @@ The cloud Kerberos trust policy can be configured using a custom template, and i To configure the cloud Kerberos trust policy: -1. Sign in to the Microsoft Intune admin center -1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile** -1. For Profile Type, select **Templates** and select the **Custom** Template -1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust" +1. Sign in to the Microsoft Intune admin center. +1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. +1. For Profile Type, select **Templates** and select the **Custom** Template. +1. Name the profile with a familiar name, for example, "Windows Hello for Business cloud Kerberos trust". 1. In Configuration Settings, add a new configuration with the following settings: - | Setting | - |--------| - |
  • Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
  • Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
  • OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\*`/Policies/UseCloudTrustForOnPremAuth`**
  • Data type: **Boolean**
  • Value: **True**
| + - Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name + - Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO* + - OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\*`/Policies/UseCloudTrustForOnPremAuth`** + - Data type: **Boolean** + - Value: **True** - >[!IMPORTANT] - >*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID. + > [!IMPORTANT] + > *Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID][AZ-3] for instructions on looking up your tenant ID. - [![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox) + :::image type="content" alt-text ="Intune custom-device configuration policy creation" source="./images/hello-cloud-trust-intune.png" lightbox="./images/hello-cloud-trust-intune-large.png"::: -Assign the policy to a security group that contains as members the devices or users that you want to configure. +1. Assign the policy to a security group that contains as members the devices or users that you want to configure. #### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo) @@ -111,7 +113,7 @@ The Enable Windows Hello for Business Group Policy setting is used by Windows to You can configure the Enable Windows Hello for Business Group Policy setting for computers or users. Deploying this policy setting to computers results in all users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. -cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration. +Cloud Kerberos trust requires setting a dedicated policy for it to be enabled. This policy is only available as a computer configuration. > [!NOTE] > If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune][MEM-1] and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources). @@ -126,12 +128,12 @@ You can also create a Group Policy Central Store and copy them their respective You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO). -1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory -1. Edit the Group Policy object from Step 1 -1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business** -1. Select **Use Windows Hello for Business** > **Enable** > **OK** -1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK** -1. Optional, but recommended: select **Use a hardware security device** > **Enable** > **OK** +1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory. +1. Edit the Group Policy object from Step 1. +1. Expand **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**. +1. Select **Use Windows Hello for Business** > **Enable** > **OK**. +1. Select **Use cloud Kerberos trust for on-premises authentication** > **Enable** > **OK**. +1. Optional, but recommended: select **Use a hardware security device** > **Enable** > **OK**. --- @@ -145,7 +147,7 @@ The Windows Hello for Business provisioning process begins immediately after a u You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\ This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4]. - ![Cloud Kerberos trust prerequisite check in the user device registration log](./images/cloud-trust-prereq-check.png) +:::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="./images/cloud-trust-prereq-check.png"::: The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined. @@ -154,11 +156,11 @@ The cloud Kerberos trust prerequisite check detects whether the user has a parti ### PIN Setup -This is the process that occurs after a user signs in, to enroll in Windows Hello for Business: +After a user signs in, this is the process that occurs to enroll in Windows Hello for Business: -1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK** -1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry -1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device +1. The user is prompted with a full screen page to use Windows Hello with the organization account. The user selects **OK**. +1. The provisioning flow proceeds to the multi-factor authentication portion of the enrollment. Provisioning informs the user that it's actively attempting to contact the user through their configured form of MFA. The provisioning process doesn't proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry. +1. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device. :::image type="content" source="images/haadj-whfb-pin-provisioning.gif" alt-text="Animation showing a user logging on to an HAADJ device with a password, and being prompted to enroll in Windows Hello for Business."::: @@ -170,9 +172,9 @@ Once a user has set up a PIN with cloud Kerberos trust, it can be used **immedia If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps: -1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) -1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) -1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business +1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos). +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy). +1. For hybrid Azure AD joined devices, sign out and sign in to the device using Windows Hello for Business. > [!NOTE] > For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. @@ -186,14 +188,14 @@ If you deployed Windows Hello for Business using the key trust model, and want t If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps: -1. Disable the certificate trust policy -1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) -1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context -1. Sign out and sign back in -1. Provision Windows Hello for Business using a method of your choice +1. Disable the certificate trust policy. +1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy). +1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context. +1. Sign out and sign back in. +1. Provision Windows Hello for Business using a method of your choice. > [!NOTE] -> For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. +> For hybrid Azure AD joined devices, users must perform the first sign-in with new credentials while having line of sight to a DC. ## Frequently Asked Questions From e53c70d50960f8fff12350711593bd3d97339eb6 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 24 Feb 2023 17:08:50 -0700 Subject: [PATCH 29/37] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md Line 150: Add lightbox. --- .../hello-hybrid-cloud-kerberos-trust-provision.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md index c9acafeee8..0f6b8ab112 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -147,7 +147,7 @@ The Windows Hello for Business provisioning process begins immediately after a u You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs** > **Microsoft** > **Windows**.\ This information is also available using the `dsregcmd /status` command from a console. For more information, see [dsregcmd][AZ-4]. -:::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="./images/cloud-trust-prereq-check.png"::: +:::image type="content" alt-text="Cloud Kerberos trust prerequisite check in the user device registration log" source="./images/cloud-trust-prereq-check.png" lightbox="./images/cloud-trust-prereq-check.png"::: The cloud Kerberos trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud Kerberos trust isn't being enforced by policy or if the device is Azure AD joined. From 797596d153dc2e9575e018a080fec61b45852772 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 24 Feb 2023 17:16:12 -0700 Subject: [PATCH 30/37] Update hello-prepare-people-to-use.md Line 45: Reformat the image to custom extension Markdown to get the auto border. --- .../hello-for-business/hello-prepare-people-to-use.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index 5eb87bbe29..1d36c9e14c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md +++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -42,9 +42,7 @@ People can go to **Settings** > **Accounts** > **Work or school**, select If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it. -![sign in to windows, apps, and services using fingerprint or face.](images/hellosettings.png) - - +:::image type="content" alt-text="This screenshot shows account sign-in options to windows, apps, and services using fingerprint or face." source="images/hellosettings.png"::: ## Related topics From aafd2a83cdd1ac427c220432f98478c814fac1d4 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 24 Feb 2023 17:30:28 -0700 Subject: [PATCH 31/37] Update windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md Line 24: Convert standard Markdown to custom extension image Markdown and add lightbox. --- .../virtual-smart-cards/virtual-smart-card-evaluate-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index e7fb3868a8..60a649be01 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md @@ -21,7 +21,7 @@ Data can be accessed and used within the virtual smart card system, but it's mea The following diagram illustrates the secure key hierarchy and the process of accessing the user key. -![Diagram of the process of accessing the user key.](images/vsc-process-of-accessing-user-key.png) +:::image type="content" alt-text="Diagram of the process of accessing the user key." source="images/vsc-process-of-accessing-user-key.png" lightbox="images/vsc-process-of-accessing-user-key.png"::: The following keys are stored on the hard disk: From 59c6fe357ff12d9d8e9a3490eb920b607271bb4b Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 24 Feb 2023 17:33:46 -0700 Subject: [PATCH 32/37] Apply suggestions from code review Lines 44-46 Fix incorrect note Markdown. --- .../virtual-smart-card-evaluate-security.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index 60a649be01..b2afb7673e 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md @@ -41,7 +41,8 @@ The Trusted Computing Group specifies that if the response to attacks involves s 1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM. - > **Note** + > [!NOTE] + > > If the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it must be unblocked by using the administrative key or the PUK. 1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands. From f4772bc5a37ecede7180a73031a4c87dcecc1bec Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 24 Feb 2023 18:12:53 -0700 Subject: [PATCH 33/37] Apply suggestions from code review Add punctuation to sentences. --- ...lize-and-configure-ownership-of-the-tpm.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index 7e75833160..530666774a 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -79,10 +79,10 @@ Membership in the local Administrators group, or equivalent, is the minimum requ **To clear the TPM** -1. Open the Windows Defender Security Center app -1. Select **Device security** -1. Select **Security processor details** -1. Select **Security processor troubleshooting** +1. Open the Windows Defender Security Center app. +1. Select **Device security**. +1. Select **Security processor details**. +1. Select **Security processor troubleshooting**. 1. Select **Clear TPM**. - You'll be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM. - After the device restarts, your TPM will be automatically prepared for use by Windows. @@ -95,9 +95,9 @@ Normally, the TPM is turned on as part of the TPM initialization process. You do If you want to use the TPM after you've turned it off, you can use the following procedure to turn on the TPM. -1. Open the TPM MMC (tpm.msc) -1. In the **Action** pane, select **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page -1. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts +1. Open the TPM MMC (tpm.msc). +1. In the **Action** pane, select **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page. +1. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts. After the device restarts, but before you sign in to Windows, you'll be prompted to accept the reconfiguration of the TPM. The acceptance ensures that the user has physical access to the computer and that malicious software isn't attempting to make changes to the TPM. @@ -105,12 +105,12 @@ After the device restarts, but before you sign in to Windows, you'll be prompted If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM. -1. Open the TPM MMC (`tpm.msc`) -1. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page +1. Open the TPM MMC (`tpm.msc`). +1. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page. 1. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM: - - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the *.tpm* file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off** - - If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off** - - If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password + - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the *.tpm* file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**. + - If you don't have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**. + - If you didn't save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password. ## Use the TPM cmdlets From 90a372d349d36ba99fefb05709d3ff1d287b6ea7 Mon Sep 17 00:00:00 2001 From: Office Content Publishing <34616516+officedocspr@users.noreply.github.com> Date: Sat, 25 Feb 2023 23:31:36 -0800 Subject: [PATCH 34/37] Uploaded file: education-content-updates.md - 2023-02-25 23:31:36.6461 --- .../includes/education-content-updates.md | 31 ++++++------------- 1 file changed, 10 insertions(+), 21 deletions(-) diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index e41ec1ade3..8de6af0540 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -1,29 +1,18 @@ ---- -ms.date: 10/24/2020 ---- -## Week of January 09, 2023 +## Week of February 20, 2023 | Published On |Topic title | Change | |------|------------|--------| -| 1/12/2023 | [Configure federation between Google Workspace and Azure AD](/education/windows/configure-aad-google-trust) | added | - - -## Week of December 19, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 12/22/2022 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified | - - -## Week of December 12, 2022 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 12/13/2022 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified | +| 2/22/2023 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | modified | +| 2/22/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | +| 2/22/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified | +| 2/22/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | modified | +| 2/22/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | modified | +| 2/23/2023 | Education scenarios Microsoft Store for Education | removed | +| 2/23/2023 | [Get and deploy Minecraft Education](/education/windows/get-minecraft-for-education) | modified | +| 2/23/2023 | For IT administrators get Minecraft Education Edition | removed | +| 2/23/2023 | For teachers get Minecraft Education Edition | removed | From 3f28ad3453d31f8861cbcd3a87beecd9d88ec481 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 27 Feb 2023 08:30:53 -0800 Subject: [PATCH 35/37] Nitpickyness --- ...tch-windows-update-unsupported-policies.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md index 09842260a5..e0ea1e18e2 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md @@ -26,10 +26,10 @@ The following policies contain settings which apply to both Windows quality and | ----- | ----- | ----- | ----- | ----- | | Microsoft product updates | Allow | Allow | Allow | Allow | | Windows drivers | Allow | Allow | Allow | Allow | -| Quality update deferral period | 0 | 1 | 6 | 9 | -| Feature update deferral period | 0 | 0 | 0 | 0 | +| Windows quality update deferral period | 0 | 1 | 6 | 9 | +| Windows feature update deferral period | 0 | 0 | 0 | 0 | | Upgrade Windows 10 to latest Windows 11 release | No | No | No | No | -| Set feature update uninstall period | 30 days | 30 days | 30 days | 30 days | +| Set Windows feature update uninstall period | 30 days | 30 days | 30 days | 30 days | | Servicing channel | General availability | General availability | General availability | General availability | ### Windows 10 and later user experience settings @@ -41,8 +41,8 @@ The following policies contain settings which apply to both Windows quality and | Option to pause updates | Disable | Disable | Disable | Disable | | Option to check for Windows updates | Default | Default | Default | Default | | Change notification update level | Default | Default | Default | Default | -| Deadline for feature updates | 5 | 5 | 5 | 5 | -| Deadline for quality updates | 0 | 2 | 2 | 5 | +| Deadline for Windows feature updates | 5 | 5 | 5 | 5 | +| Deadline for Windows quality updates | 0 | 2 | 2 | 5 | | Grace period | 0 | 2 | 2 | 2 | | Auto-restart before deadline | Yes | Yes | Yes | Yes | @@ -53,24 +53,24 @@ The following policies contain settings which apply to both Windows quality and | Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad | | Excluded groups | None | None | None | None | -## Feature update policies +## Windows feature update policies -The service deploys policies using Microsoft Intune to control how feature updates are deployed to devices. +The service deploys policies using Microsoft Intune to control how Windows feature updates are deployed to devices. -### Feature updates for Windows 10 and later +### Windows feature updates for Windows 10 and later These policies control the minimum target version of Windows which a device is meant to accept. Throughout the rest of the article, you will see these policies referred to as DSS policies. After onboarding there will be four of these policies in your tenant with the following naming convention: **Modern Workplace DSS Policy [ring name]** -#### Feature update deployment settings +#### Windows feature update deployment settings | Setting name | Test | First | Fast | Broad | | ----- | ----- | ----- | ----- | ----- | | Name | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | | Rollout options | Immediate start | Immediate start | Immediate start | Immediate start | -#### Feature update policy assignments +#### Windows feature update policy assignments | Setting name | Test | First | Fast | Broad | | ----- | ----- | ----- | ----- | ----- | From 55a40c0b9e48e66a9a27166629bd82a017a05d7d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 27 Feb 2023 09:50:44 -0800 Subject: [PATCH 36/37] metadata-wn MAXADO-6401238 --- windows/whats-new/deprecated-features-resources.md | 2 +- windows/whats-new/deprecated-features.md | 2 +- windows/whats-new/feature-lifecycle.md | 2 +- windows/whats-new/ltsc/index.md | 8 ++++---- windows/whats-new/ltsc/whats-new-windows-10-2015.md | 7 +++---- windows/whats-new/ltsc/whats-new-windows-10-2016.md | 7 +++---- windows/whats-new/ltsc/whats-new-windows-10-2019.md | 10 ++++------ windows/whats-new/ltsc/whats-new-windows-10-2021.md | 10 ++++------ windows/whats-new/removed-features.md | 2 +- .../whats-new-windows-10-version-1507-and-1511.md | 7 +++---- windows/whats-new/whats-new-windows-10-version-1607.md | 7 +++---- windows/whats-new/whats-new-windows-10-version-1703.md | 7 +++---- windows/whats-new/whats-new-windows-10-version-1709.md | 7 +++---- windows/whats-new/whats-new-windows-10-version-1803.md | 7 +++---- windows/whats-new/whats-new-windows-10-version-1809.md | 1 - windows/whats-new/whats-new-windows-10-version-1903.md | 6 +++--- windows/whats-new/whats-new-windows-10-version-1909.md | 6 +++--- windows/whats-new/whats-new-windows-10-version-2004.md | 6 +++--- windows/whats-new/whats-new-windows-10-version-20H2.md | 8 ++++---- windows/whats-new/whats-new-windows-10-version-21H1.md | 8 ++++---- windows/whats-new/whats-new-windows-10-version-21H2.md | 9 ++++----- windows/whats-new/whats-new-windows-10-version-22H2.md | 5 +++-- windows/whats-new/whats-new-windows-11-version-22H2.md | 5 ++--- windows/whats-new/windows-11-overview.md | 4 +--- windows/whats-new/windows-11-plan.md | 8 ++++---- windows/whats-new/windows-11-prepare.md | 8 ++++---- windows/whats-new/windows-11-requirements.md | 2 +- 27 files changed, 73 insertions(+), 88 deletions(-) diff --git a/windows/whats-new/deprecated-features-resources.md b/windows/whats-new/deprecated-features-resources.md index e2f67c9051..f00940e722 100644 --- a/windows/whats-new/deprecated-features-resources.md +++ b/windows/whats-new/deprecated-features-resources.md @@ -8,8 +8,8 @@ ms.localizationpriority: medium author: mestew ms.author: mstewart manager: aaroncz -ms.reviewer: ms.topic: reference +ms.collection: highpri, tier1 --- # Resources for deprecated features diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md index c32948df18..9780d97968 100644 --- a/windows/whats-new/deprecated-features.md +++ b/windows/whats-new/deprecated-features.md @@ -8,8 +8,8 @@ ms.localizationpriority: medium author: mestew ms.author: mstewart manager: aaroncz -ms.reviewer: ms.topic: article +ms.collection: highpri, tier1 --- # Deprecated features for Windows client diff --git a/windows/whats-new/feature-lifecycle.md b/windows/whats-new/feature-lifecycle.md index 11eaa12e7e..d97cc8895b 100644 --- a/windows/whats-new/feature-lifecycle.md +++ b/windows/whats-new/feature-lifecycle.md @@ -7,9 +7,9 @@ author: mestew manager: aaroncz ms.author: mstewart ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-fundamentals ms.date: 10/28/2022 +ms.collection: highpri, tier2 --- # Windows client features lifecycle diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index 66e69fb814..78b5590c17 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -2,12 +2,12 @@ title: Windows 10 Enterprise LTSC description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB). ms.prod: windows-client -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: mestew +ms.author: mstewart +manager: aaroncz ms.localizationpriority: low ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier1 ms.technology: itpro-fundamentals ms.date: 12/31/2017 --- diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index 60f00167d7..80178fcad2 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -1,11 +1,10 @@ --- title: What's new in Windows 10 Enterprise LTSC 2015 -ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: mstewart description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB). ms.prod: windows-client -author: aczechowski +author: mestew ms.localizationpriority: medium ms.topic: article ms.technology: itpro-fundamentals diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index 43da9f13c3..1b70c22e66 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -1,11 +1,10 @@ --- title: What's new in Windows 10 Enterprise LTSC 2016 -ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: mstewart description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB). ms.prod: windows-client -author: aczechowski +author: mestew ms.localizationpriority: low ms.topic: article ms.technology: itpro-fundamentals diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index ac0e6ef2cc..14d7f14fa9 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -1,15 +1,13 @@ --- title: What's new in Windows 10 Enterprise LTSC 2019 -ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: mstewart description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB). ms.prod: windows-client -author: aczechowski +author: mestew ms.localizationpriority: medium ms.topic: article -ms.collection: - - highpri +ms.collection: highpri, tier1 ms.technology: itpro-fundamentals ms.date: 12/31/2017 --- diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index a436940952..cd551766a1 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -1,15 +1,13 @@ --- title: What's new in Windows 10 Enterprise LTSC 2021 -ms.reviewer: -manager: dougeby -ms.author: aaroncz +manager: aaroncz +ms.author: mstewart description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021. ms.prod: windows-client -author: aczechowski +author: mestew ms.localizationpriority: low ms.topic: article -ms.collection: - - highpri +ms.collection: highpri, tier1 ms.technology: itpro-fundamentals ms.date: 12/31/2017 --- diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md index bdaca31c06..d0825bcd12 100644 --- a/windows/whats-new/removed-features.md +++ b/windows/whats-new/removed-features.md @@ -7,9 +7,9 @@ author: mestew ms.author: mstewart manager: aaroncz ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-fundamentals ms.date: 01/05/2023 +ms.collection: highpri, tier1 --- # Features and functionality removed in Windows client diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 8c1413f87f..02ecc6cade 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -1,11 +1,10 @@ --- title: What's new in Windows 10, versions 1507 and 1511 (Windows 10) description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511)? -ms.reviewer: ms.prod: windows-client -author: aczechowski -manager: dougeby -ms.author: aaroncz +author: mestew +manager: aaroncz +ms.author: mstewart ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index b37fc54c61..d0b7cbda02 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -3,10 +3,9 @@ title: What's new in Windows 10, version 1607 (Windows 10) description: What's new in Windows 10 for Windows 10 (version 1607)? ms.prod: windows-client ms.localizationpriority: medium -ms.reviewer: -author: aczechowski -manager: dougeby -ms.author: aaroncz +author: mestew +manager: aaroncz +ms.author: mstewart ms.topic: article ROBOTS: NOINDEX ms.technology: itpro-fundamentals diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 0b0ebd0b2a..8a8e9a3e7e 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -3,10 +3,9 @@ title: What's new in Windows 10, version 1703 description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated). ms.prod: windows-client ms.localizationpriority: medium -ms.reviewer: -author: aczechowski -manager: dougeby -ms.author: aaroncz +author: mestew +manager: aaroncz +ms.author: mstewart ms.topic: article ROBOTS: NOINDEX ms.technology: itpro-fundamentals diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index 24468089e9..55b211215b 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -2,10 +2,9 @@ title: What's new in Windows 10, version 1709 description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update). ms.prod: windows-client -ms.reviewer: -author: aczechowski -manager: dougeby -ms.author: aaroncz +author: mestew +manager: aaroncz +ms.author: mstewart ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 4bfc545809..9c77663750 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -2,10 +2,9 @@ title: What's new in Windows 10, version 1803 description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update). ms.prod: windows-client -ms.reviewer: -author: aczechowski -manager: dougeby -ms.author: aaroncz +author: mestew +manager: aaroncz +ms.author: mstewart ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 8fd4016b72..b617d899f5 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -1,6 +1,5 @@ --- title: What's new in Windows 10, version 1809 -ms.reviewer: description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803. ms.prod: windows-client author: mestew diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 703e8af27b..f4005118e9 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -2,9 +2,9 @@ title: What's new in Windows 10, version 1903 description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). ms.prod: windows-client -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: mestew +ms.author: mstewart +manager: aaroncz ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 297b322ba9..602a7fcac7 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -2,9 +2,9 @@ title: What's new in Windows 10, version 1909 description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update). ms.prod: windows-client -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: mestew +ms.author: mstewart +manager: aaroncz ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index d61e9c57ec..22d328d14f 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -2,9 +2,9 @@ title: What's new in Windows 10, version 2004 description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update). ms.prod: windows-client -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: mestew +ms.author: mstewart +manager: aaroncz ms.localizationpriority: medium ms.topic: article ROBOTS: NOINDEX diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md index 4e17202352..078b022d66 100644 --- a/windows/whats-new/whats-new-windows-10-version-20H2.md +++ b/windows/whats-new/whats-new-windows-10-version-20H2.md @@ -2,12 +2,12 @@ title: What's new in Windows 10, version 20H2 description: New and updated features in Windows 10, version 20H2 (also known as the Windows 10 October 2020 Update). ms.prod: windows-client -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: mestew +ms.author: mstewart +manager: aaroncz ms.localizationpriority: high ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier2 ms.technology: itpro-fundamentals ms.date: 12/31/2017 --- diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index cdf34929de..77d6e3c52f 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md @@ -2,12 +2,12 @@ title: What's new in Windows 10, version 21H1 description: New and updated features in Windows 10, version 21H1 (also known as the Windows 10 May 2021 Update). ms.prod: windows-client -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: mestew +ms.author: mstewart +manager: aaroncz ms.localizationpriority: high ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier2 ms.technology: itpro-fundamentals ms.date: 12/31/2017 --- diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md index 0b5aea83f8..c6aaf4368c 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H2.md +++ b/windows/whats-new/whats-new-windows-10-version-21H2.md @@ -1,14 +1,13 @@ --- title: What's new in Windows 10, version 21H2 for IT pros description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more. -manager: dougeby +manager: aaroncz ms.prod: windows-client -ms.author: aaroncz -author: aczechowski +ms.author: mstewart +author: mestew ms.localizationpriority: medium ms.topic: article -ms.collection: highpri -ms.custom: intro-overview +ms.collection: highpri, tier2 ms.technology: itpro-fundamentals ms.date: 12/31/2017 --- diff --git a/windows/whats-new/whats-new-windows-10-version-22H2.md b/windows/whats-new/whats-new-windows-10-version-22H2.md index 19a2bb9c46..99199e8037 100644 --- a/windows/whats-new/whats-new-windows-10-version-22H2.md +++ b/windows/whats-new/whats-new-windows-10-version-22H2.md @@ -5,10 +5,11 @@ ms.prod: windows-client ms.technology: itpro-fundamentals ms.author: mstewart author: mestew -manager: dougeby +manager: aaroncz ms.localizationpriority: medium -ms.topic: overview +ms.topic: article ms.date: 10/18/2022 +ms.collection: highpri, tier1 --- # What's new in Windows 10, version 22H2 diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md index 273e6b1c68..9879efdeab 100644 --- a/windows/whats-new/whats-new-windows-11-version-22H2.md +++ b/windows/whats-new/whats-new-windows-11-version-22H2.md @@ -1,14 +1,13 @@ --- title: What's new in Windows 11, version 22H2 for IT pros description: Learn more about what's new in Windows 11 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more. -manager: dougeby +manager: aaroncz ms.prod: windows-client ms.author: mstewart author: mestew ms.localizationpriority: medium ms.topic: article -ms.collection: highpri -ms.custom: intro-overview +ms.collection: highpri, tier1 ms.technology: itpro-fundamentals ms.date: 12/31/2017 --- diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md index 165bd132d3..93f8c35444 100644 --- a/windows/whats-new/windows-11-overview.md +++ b/windows/whats-new/windows-11-overview.md @@ -1,7 +1,6 @@ --- title: Windows 11 overview for administrators description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs. -ms.reviewer: manager: aaroncz author: mestew ms.author: mstewart @@ -10,8 +9,7 @@ ms.date: 09/20/2022 ms.technology: itpro-fundamentals ms.localizationpriority: medium ms.topic: overview -ms.collection: highpri -ms.custom: intro-overview +ms.collection: highpri, tier1 --- # Windows 11 overview diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 2147e2d0ce..d61ccbad1a 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -2,12 +2,12 @@ title: Plan for Windows 11 description: Windows 11 deployment planning, IT Pro content. ms.prod: windows-client -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: mestew +ms.author: mstewart +manager: aaroncz ms.localizationpriority: high ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier1 ms.technology: itpro-fundamentals ms.date: 12/31/2017 --- diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 6f5f8d35ad..46740f84c3 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md @@ -2,12 +2,12 @@ title: Prepare for Windows 11 description: Prepare your infrastructure and tools to deploy Windows 11, IT Pro content. ms.prod: windows-client -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: mestew +ms.author: mstewart +manager: aaroncz ms.localizationpriority: high ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier1 ms.technology: itpro-fundamentals ms.date: 12/31/2017 --- diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 3c6653f5b0..f264fb396a 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -7,7 +7,7 @@ ms.author: mstewart ms.prod: windows-client ms.localizationpriority: medium ms.topic: article -ms.collection: highpri +ms.collection: highpri, tier1 ms.technology: itpro-fundamentals ms.date: 02/13/2023 --- From f4f06d11524e3eea8a4ec1ae7e726a729d25e22c Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 27 Feb 2023 09:56:43 -0800 Subject: [PATCH 37/37] edit loca --- windows/whats-new/ltsc/whats-new-windows-10-2015.md | 2 +- windows/whats-new/ltsc/whats-new-windows-10-2021.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index 80178fcad2..0663fe6cd9 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -5,7 +5,7 @@ ms.author: mstewart description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB). ms.prod: windows-client author: mestew -ms.localizationpriority: medium +ms.localizationpriority: low ms.topic: article ms.technology: itpro-fundamentals ms.date: 12/31/2017 diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index cd551766a1..c6f1572c34 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -5,7 +5,7 @@ ms.author: mstewart description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021. ms.prod: windows-client author: mestew -ms.localizationpriority: low +ms.localizationpriority: high ms.topic: article ms.collection: highpri, tier1 ms.technology: itpro-fundamentals