From 7ac299ba776a3d67421d31b6275d139b49657dde Mon Sep 17 00:00:00 2001 From: aendrawos <91459443+aendrawos@users.noreply.github.com> Date: Tue, 3 Sep 2024 06:57:27 +0300 Subject: [PATCH 001/237] Update custom-settings-linux.md The current statement is wrong The script will only start to run after that the user gives consent. After that consent, the script can keep executing normally. --- memdocs/intune/configuration/custom-settings-linux.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/configuration/custom-settings-linux.md b/memdocs/intune/configuration/custom-settings-linux.md index e9edec7477b..187f986c685 100644 --- a/memdocs/intune/configuration/custom-settings-linux.md +++ b/memdocs/intune/configuration/custom-settings-linux.md @@ -61,7 +61,7 @@ This article lists the steps to add an existing script and has a GitHub repo wit - **Execution context**: Select the context the script is executed in. Your options: - **User** (default): When a user signs in to the device, the script runs. If a user never signs into the device, or there isn't any user affinity, then the script doesn't run. - - **Root**: The script always runs (with or without users logged in) at the device level. + - **Root**: The script always runs (with or without users logged in) at the device level. (**Note**: The user will have to give consent for the first time the script is executing, afterward it will continue to execute in its schedule) - **Execution frequency**: Select how frequently the script is executed. The default is **Every 15 minutes**. From 38f17cec2e054168d0304ceab8f4dd92aa2972d7 Mon Sep 17 00:00:00 2001 From: sudharsansrikanthan <49568590+sudharsansrikanthan@users.noreply.github.com> Date: Mon, 9 Sep 2024 19:47:43 +0530 Subject: [PATCH 002/237] Update mde-security-integration.md Issue has been fixed, hence removing this from doc. --- memdocs/intune/protect/mde-security-integration.md | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 5a1eabaab21..01c3ffdc481 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md @@ -313,10 +313,6 @@ In Microsoft Defender for Endpoint portal, as a security administrator: 2. Initially, we recommend testing the feature for each platform by selecting the platforms option for **On tagged devices**, and then tagging the devices with the `MDE-Management` tag. - > [!IMPORTANT] - > - > Use of [*Microsoft Defender for Endpoint's Dynamic tag capability*](/microsoft-365/security/defender/configure-asset-rules?view=o365-worldwide&preserve-view=true) to tag devices with *MDE-Management* isn't currently supported with security settings management. Devices tagged through this capability won't successfully enroll. This issue remains under investigation. - > [!TIP] > > Use the proper device tags to test and validate your rollout on a small number of devices. From 0fd33ef1c618f84e799a1302050b0121156b71b2 Mon Sep 17 00:00:00 2001 From: mackie1604 Date: Thu, 3 Oct 2024 09:52:58 -0500 Subject: [PATCH 003/237] Update intune-endpoints.md Adding full list of URL's for diagnostic upload --- memdocs/intune/fundamentals/intune-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index 76a708ef796..b02919bee29 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md +++ b/memdocs/intune/fundamentals/intune-endpoints.md @@ -113,7 +113,7 @@ ID |Desc |Category |ER |Addresses |Ports| 165 | Autopilot - NTP Sync | Default
Required | False | `time.windows.com` |**UDP:** 123| 169 | Autopilot - WNS Dependencies| Default
Required | False | `clientconfig.passport.net`
`windowsphone.com`
`*.s-microsoft.com`
`c.s-microsoft.com` | **TCP:** 443 | 173 | Autopilot - Third party deployment dependencies| Default
Required | False | `ekop.intel.com`
`ekcert.spserv.microsoft.com`
`ftpm.amd.com`
| **TCP:** 443| -182 | Autopilot - Diagnostics upload| Default
Required | False | `lgmsapeweu.blob.core.windows.net`
| **TCP:** 443| +182 | Autopilot - Diagnostics upload | Default
Required | False | `lgmsapeweu.blob.core.windows.net`
`lgmsapewus2.blob.core.windows.net`
`lgmsapesea.blob.core.windows.net`
`lgmsapeaus.blob.core.windows.net`
`lgmsapeind.blob.core.windows.net`
| **TCP:** 443| ### Remote Help From 320cdb11e7a7dddc41322c0363f4f606ac7978f5 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 5 Nov 2024 08:34:03 -0500 Subject: [PATCH 004/237] Update multi-factor-authentication.md Updated article --- .../enrollment/multi-factor-authentication.md | 32 ++++++++++++------- 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/memdocs/intune/enrollment/multi-factor-authentication.md b/memdocs/intune/enrollment/multi-factor-authentication.md index cc9bad1e8f0..979e7f766fa 100644 --- a/memdocs/intune/enrollment/multi-factor-authentication.md +++ b/memdocs/intune/enrollment/multi-factor-authentication.md @@ -8,7 +8,7 @@ keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 01/23/2024 +ms.date: 11/05/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment @@ -44,7 +44,9 @@ You can use Intune together with Microsoft Entra Conditional Access policies to - Something they know, such as a password or PIN. - Something they have that can't be duplicated, such as a trusted device or phone. -- Something they are, such as a fingerprint. +- Something they are, such as a fingerprint. + +If a device isn't compliant, the device user is prompted to make the device compliant before enrolling in Microsoft Intune. ## Prerequisites To implement this policy, you must assign Microsoft Entra ID P1 or later to users. 
@@ -57,18 +59,21 @@ Complete these steps to enable multi-factor authentication during Microsoft Intu > Don't configure **Device based access rules** for Microsoft Intune enrollment. 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Go to **Devices** > **Conditional Access**. This area is the same as the Conditional Access area available in the Microsoft Entra admin center. For more information about the available settings, see [Building a Conditional Access policy](/entra/identity/conditional-access/concept-conditional-access-policies). +1. Go to **Devices**. +1. Expand **Manage devices**, and then select **Conditional access**. This conditional access area is the same as the conditional access area available in the Microsoft Entra admin center. For more information about the available settings, see [Building a Conditional Access policy](/entra/identity/conditional-access/concept-conditional-access-policies). 1. Choose **Create new policy**. 1. Name your policy. 1. Select the **Users** category. 1. Under the **Include** tab, choose **Select users or groups**. 2. Additional options appear. Select **Users and groups**. A list of users and groups opens. - 3. Add the users or groups you're assigning the policy to, and then choose **Select**. + 3. Browse and select the Microsoft Entra users or groups you want to include in the policy. Then choose **Select**. 4. To exclude users or groups from the policy, select the **Exclude** tab and add those users or groups like you did in the previous step. -1. Select the next category, **Target resources**. +1. Select the next category, **Target resources**. In this step, you select the resources that the policy applies to. In this case, we want the policy to apply to events where users or groups try to access the Microsoft Intune Enrollment app. + 1. Under **Select what this policy applies to**, choose **Resources (formerly cloud apps)**. 1. Select the **Include** tab. - 2. 
Choose **Select apps** > **Select**. - 3. Choose **Microsoft Intune Enrollment** > **Select** to add the app. Use the search bar in the app picker to find the app. + 2. Choose **Select resources**. Additional options appear. + 3. Under **Select**, choose **None**. A list of resources open. + 4. Search for **Microsoft Intune Enrollment**. Then choose **Select** to add the app. For Apple automated device enrollments using Setup Assistant with modern authentication, you have two options to choose from. The following table describes the difference between the *Microsoft Intune* option and *Microsoft Intune Enrollment* option. 
@@ -80,17 +85,20 @@ Complete these steps to enable multi-factor authentication during Microsoft Intu > [!NOTE] > The Microsoft Intune Enrollment cloud app isn't created automatically for new tenants. To add the app for new tenants, a Microsoft Entra administrator must create a service principal object, with app ID d4ebce55-015a-49b5-a083-c84d1797ae8c, in PowerShell or Microsoft Graph. -1. Select the **Grant** category. - 1. Select **Require multifactor authentication** and **Require device to be marked as compliant**. +1. Select the **Grant** category. In this step, you grant or block access to the Microsoft Intune Enrollment app. + 1. Choose **Grant access**. + 1. Select **Require multifactor authentication**. + 1. Select **Require device to be marked as compliant**. 1. Under **For multiple controls**, select **Require all the selected controls**. 1. Choose **Select**. -1. Select the **Session** category. - 1. Select **Sign-in frequency** and choose **Every time**. +1. Select the **Session** category. In this step, you can make use of session controls to enable limited experiences within the Microsoft Intune Enrollment app. + 1. Select **Sign-in frequency**. Additional options appear. + 1. Choose **Every time**. 1. Choose **Select**. 1. For **Enable policy**, select **On**. 1. Select **Create** to save and create your policy. -After you apply and deploy this policy, users will see a one-time MFA prompt when they enroll their device. +After you apply and deploy this policy, device users enrolling their devices see a one-time MFA prompt. > [!NOTE] > A second device or a Temporary Access Pass is required to complete the MFA challenge for these types of corporate-owned devices: From 859359431c20155871ef1d1c460d46c6f8884d65 Mon Sep 17 00:00:00 2001 
From: Jacob Scott <49541449+mrjacobascott@users.noreply.github.com> Date: Tue, 12 Nov 2024 11:32:05 -0600 Subject: [PATCH 005/237] Update apple-account-driven-user-enrollment.md Adding 2 tips based on ICM 543230801 to help prevent repeat customer issues in the future. --- .../enrollment/apple-account-driven-user-enrollment.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md b/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md index 90e0bf05376..16fd891d2fa 100644 --- a/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md +++ b/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md @@ -51,6 +51,9 @@ Before beginning setup, complete the following tasks: You also need to set up service discovery so that Apple can reach the Intune service and retrieve enrollment information. To do this, set up and publish an HTTP well-known resource file on the same domain that employees sign into. Apple retrieves the file via an HTTP GET request to `“https://contoso.com/.well-known/com.apple.remotemanagement”`, with your organization's domain in place of `contoso.com`. Publish the file on a domain that can handle HTTP GET requests. +> [!NOTE] +> The well-known resource file must be saved *without* a file extension (e.g. .json) to function correctly. + Create the file in JSON format, with the content type set to `application/json`. We've provided the following JSON samples that you can copy and paste into your file. Use the one that aligns with your environment. Replace the *YourAADTenantID* variable in the base URL with your organization's Microsoft Entra tenant ID. Microsoft Intune environments: 
@@ -72,7 +75,10 @@ Create the file in JSON format, with the content type set to `application/json`. The rest of the JSON sample is populated with all of the information you need, including: * Version: The server version is `mdm-byod`. -* BaseURL: This URL is the location where the Intune service resides. +* BaseURL: This URL is the location where the Intune service resides. + +> [!NOTE] +> For more information on the technical requirements for service discovery, refer to the Apple documentation: [Implementing the simple authentication user-enrollment flow](https://developer.apple.com/documentation/devicemanagement/user_enrollment/onboarding_users_with_account_sign-in/implementing_the_simple_authentication_user-enrollment_flow) ## Best practices We recommend extra configurations to help improve the enrollment experience for device users. This section provides more information about each recommendation. From 2f6ab5bd42f063e35240fb2dd65d302ae90eada2 Mon Sep 17 00:00:00 2001 From: Jordi Ortiz Domenech Date: Wed, 13 Nov 2024 10:50:18 +0100 Subject: [PATCH 006/237] Limitations - Enrollment restrictions - Add co-management Add co-management to the list of enrollment methods that aren't user driven. --- memdocs/intune/enrollment/enrollment-restrictions-set.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/enrollment-restrictions-set.md b/memdocs/intune/enrollment/enrollment-restrictions-set.md index 93079dc5b66..aa12007f240 100644 --- a/memdocs/intune/enrollment/enrollment-restrictions-set.md +++ b/memdocs/intune/enrollment/enrollment-restrictions-set.md 
@@ -156,7 +156,8 @@ Intune also blocks personal devices using these enrollment methods: * Enrollment restrictions are applied to enrollments that are user-driven. Intune enforces the default policy in enrollment scenarios that aren't user-driven, such as: * Windows Autopilot self-deploying mode and Autopilot for pre-provisioned deployment - * Bulk enrollment via Windows Configuration Designer + * Bulk enrollment via Windows Configuration Designer + * Co-managed enrollments * Userless Apple automated device enrollment (without user-device affinity) * Azure Virtual Desktop * Windows 365 From e3eddf2f75e007192a01c7f027e5fcf5af04183c Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 13 Nov 2024 18:13:28 +0000 Subject: [PATCH 007/237] Update enroll-device-android-company-portal.md Updated screenshots, alt text --- .../enroll-device-android-company-portal.md | 22 ++++++++----------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/memdocs/intune/user-help/enroll-device-android-company-portal.md b/memdocs/intune/user-help/enroll-device-android-company-portal.md index 031f4f6ad7f..eae9022c682 100644 --- a/memdocs/intune/user-help/enroll-device-android-company-portal.md +++ b/memdocs/intune/user-help/enroll-device-android-company-portal.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 10/21/2024 +ms.date: 11/13/2024 ms.topic: end-user-help ms.service: microsoft-intune ms.subservice: end-user @@ -48,8 +48,6 @@ Install the Intune Company Portal app [from Google Play](https://play.google.com 2. Search for and install **Intune Company Portal**. - ![android-search-company-portal](./media/enroll-device-android-company-portal/android-search-company-portal-2101.png) - 3. When prompted about app permissions, tap **ACCEPT**. ## Enroll device 
@@ -59,16 +57,16 @@ During enrollment, you might be asked to choose a category that best describes h 2. If you're prompted to accept your organization's terms and conditions, tap **ACCEPT ALL**. - ![Example image of the Company Portal, Terms screen, highlighting "Accept all" button.](./media/enroll-device-android-company-portal/accept-terms-1911.png) + ![Screenshot of the Company Portal, Terms screen, highlighting "Accept all" button.](./media/enroll-device-android-company-portal/accept-terms-1911.png) 3. Review what your organization can and can't see. Then tap **CONTINUE**. - ![Example image of Company Portal, We care about your privacy screen, highlighting the Continue button.](./media/enroll-device-android-company-portal/android-privacy-screen-1911.png) + ![Screenshot of Company Portal, We care about your privacy screen, highlighting the Continue button.](./media/enroll-device-android-company-portal/android-privacy-screen-1911.png) 4. Review what to expect in the upcoming steps. Then tap **NEXT**. - ![Example image of Company Portal, What's next screen, highlighting the Next button.](./media/enroll-device-android-company-portal/android-whats-next-1911.png) + ![Screenshot of Company Portal, What's next screen, highlighting the Next button.](./media/enroll-device-android-company-portal/android-whats-next-1911.png) 5. Depending on your version of Android, you might be prompted to allow access to certain parts of your device. These prompts are required by Google and not controlled by Microsoft. 
@@ -83,27 +81,25 @@ During enrollment, you might be asked to choose a category that best describes h Company Portal needs device administrator permissions to securely manage your device. Activating the app lets your organization identify possible security issues, such as repeated failed attempts to unlock your device, and respond appropriately. - ![Example image of the Activate device administrator screen, highlighting the activate button.](./media/enroll-device-android-company-portal/activate-device-administrator-1911.png) + ![Screenshot of the Activate device administrator screen, highlighting the activate button.](./media/enroll-device-android-company-portal/activate-device-administrator-1911.png) > [!NOTE] > Microsoft does not control the messaging on this screen. We understand that its phrasing can seem somewhat drastic. Company Portal can't specify which restrictions and access are relevant to your organization. If you have questions about how your organization uses the app, contact your IT support person. Go to the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980) to find your organization's contact information. -7. Your device begins enrolling. If you're using a Samsung Knox device, you'll be prompted to review and acknowledge the ELM Agent privacy policy first. - - ![Example image of the Samsung Knox privacy policy screen that appears during enrollment.](./media/enroll-device-android-company-portal/and-enroll-7-knox-privacy-policy.png) +7. Your device begins enrolling. Review and acknowledge the ELM Agent privacy policy if Company Portal prompts for it. 8. On the **Company Access Setup** screen, check that your device is enrolled. Then tap **CONTINUE**. 
- ![Example image of Company Portal, Company Access Setup screen, showing Get your device managed is complete.](./media/enroll-device-android-company-portal/update-settings-1911.png) + ![Screenshot of Company Portal, Company Access Setup screen, showing Get your device managed is complete.](./media/enroll-device-android-company-portal/update-settings-1911.png) 9. Your organization might require you to update your device settings. Tap **RESOLVE** to adjust a setting. When you're done updating settings, tap **CONTINUE**. - ![Example image of Company Portal, Update device settings, highlighting Resolve and Continue buttons.](./media/enroll-device-android-company-portal/resolve-settings-1911.png) + ![Screenshot of Company Portal, Update device settings, highlighting Resolve and Continue buttons.](./media/enroll-device-android-company-portal/resolve-settings-1911.png) 10. When setup is complete, tap **DONE**. - ![Example image of Company Portal, Company Access Setup screen, showing completed setup and highlighting Done button.](./media/enroll-device-android-company-portal/android-enrollment-done-1911.png) + ![Screenshot of Company Portal, Company Access Setup screen, showing completed setup and highlighting Done button.](./media/enroll-device-android-company-portal/android-enrollment-done-1911.png) ## Next steps From 7dd377d2b4ba41bfcea3da80ecebc6799b0a43ab Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 13 Nov 2024 18:25:39 +0000 Subject: [PATCH 008/237] Update enroll-device-android-company-portal.md Screenshot, alt text, acrolinx edits --- .../enroll-device-android-company-portal.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/memdocs/intune/user-help/enroll-device-android-company-portal.md b/memdocs/intune/user-help/enroll-device-android-company-portal.md index eae9022c682..76e3d082bd9 100644 --- a/memdocs/intune/user-help/enroll-device-android-company-portal.md 
+++ b/memdocs/intune/user-help/enroll-device-android-company-portal.md @@ -29,9 +29,7 @@ ms.collection: --- # Enroll your device with Company Portal -Enroll your personal or corporate-owned Android device with Intune Company Portal to get secure access to company email, apps, and data. - - +Enroll your personal or corporate-owned Android device with Intune Company Portal to get secure access to company email, apps, and data. ## Prerequisites The Intune Company Portal app supports devices running Android 8.0 and later, including devices secured by Samsung Knox Standard 2.4 and later. To learn how to update your Android device to meet requirements, see [Check & update your Android version](https://support.google.com/android/answer/7680439). @@ -53,7 +51,7 @@ Install the Intune Company Portal app [from Google Play](https://play.google.com ## Enroll device During enrollment, you might be asked to choose a category that best describes how you use your device. Company Portal uses your answer to check for work and school apps relevant to you. -1. Open the Company Portal app and sign in with your work or school account. If prompted to, review notification permissions for Company Portal. You can adjust notification permissions anytime in the Settings app. +1. Open the Company Portal app and sign in with your work or school account. Review notification permissions for Company Portal as they pop up. You can adjust notification permissions anytime in the Settings app. 2. If you're prompted to accept your organization's terms and conditions, tap **ACCEPT ALL**. 
@@ -69,11 +67,11 @@ During enrollment, you might be asked to choose a category that best describes h ![Screenshot of Company Portal, What's next screen, highlighting the Next button.](./media/enroll-device-android-company-portal/android-whats-next-1911.png) -5. Depending on your version of Android, you might be prompted to allow access to certain parts of your device. These prompts are required by Google and not controlled by Microsoft. +5. Depending on your version of Android, you might be prompted to allow access to certain parts of your device. These prompts are a Google requirement and not controlled by Microsoft. Tap **Allow** for the following permissions: - * **Allow Company Portal to make and manage phone calls**: This permission enables your device to share its international mobile station equipment identity (IMEI) number with Intune, your organization's device management provider. It's safe to allow this permission. Microsoft will never make or manage phone calls. - * **Allow Company Portal to access your contacts**: This permission lets the Company Portal app create, use, and manage your work account. It's safe to allow this permission. Microsoft will never access your contacts. + * **Allow Company Portal to make and manage phone calls**: This permission enables your device to share its international mobile station equipment identity (IMEI) number with Intune, your organization's device management provider. It's safe to allow this permission. Microsoft never makes or manages phone calls. + * **Allow Company Portal to access your contacts**: This permission lets the Company Portal app create, use, and manage your work account. It's safe to allow this permission. Microsoft never accesses your contacts. If you deny permission, you'll be prompted again the next time you sign in to Company Portal. To turn off these messages, select **Never ask again**. 
To manage app permissions, go to the Settings app > **Apps** > **Company Portal** > **Permissions** > **Phone**. @@ -103,7 +101,7 @@ During enrollment, you might be asked to choose a category that best describes h ## Next steps -Before you try to install a school or work app, modify device settings to allow app installations from unknown sources. If you don't make this change on your device, apps installations will be blocked. Open the **Settings** app on your device. Then go to **Security and privacy** > **Install unknown apps**. +Before you try to install a school or work app, modify device settings to allow app installations from unknown sources. If you don't make this change on your device, Company Portal blocks app installations. Open the **Settings** app on your device. Then go to **Security and privacy** > **Install unknown apps**. If you get an error while you try to enroll your device in Intune, you can [email your company support](send-logs-to-your-it-admin-by-email-android.md). From 583870161cac53f30b718590772085f4c3773b81 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 13 Nov 2024 18:40:36 +0000 Subject: [PATCH 009/237] Update enroll-android-device-disa-purebred.md Acrolinx, updated alt text, removed low quality images --- .../enroll-android-device-disa-purebred.md | 55 +++++-------------- 1 file changed, 15 insertions(+), 40 deletions(-) diff --git a/memdocs/intune/user-help/enroll-android-device-disa-purebred.md b/memdocs/intune/user-help/enroll-android-device-disa-purebred.md index c6ea0db4792..6acdde1eeda 100644 --- a/memdocs/intune/user-help/enroll-android-device-disa-purebred.md +++ b/memdocs/intune/user-help/enroll-android-device-disa-purebred.md 
@@ -41,7 +41,7 @@ You likely need to set up a derived credential if you use a smart card to: * Sign in to school or work apps, Wi-Fi, and virtual private networks (VPN) * Sign and encrypt school or work emails using S/MIME certificates -In this article, you will: +In this article, you learn how to: * Enroll a mobile Android device with the Intune app * Set up your smart card by installing a derived credential from your organization's derived credential provider, [DISA Purebred](https://public.cyber.mil/pki-pke/purebred/) 
@@ -82,17 +82,11 @@ You'll also need to contact a Purebred agent or representative during setup. 3. Connect to Wi-Fi and tap **NEXT**. Follow the step that matches your enrollment method. * Token: When you get to the Google sign-in screen, complete the steps in [Token enrollment](#token-enrollment). - * Google Zero Touch: After you connect to Wi-Fi, your device will be recognized by your organization. Continue to step 4 and follow the onscreen prompts until setup is complete. - - ![Example image of Google terms screen that you see if you're using Google Zero Touch, highlighting Accept & Continue button.](./media/enroll-android-device-disa-purebred/google-zero-touch-intune-app-01.png) + * Google Zero Touch: After you connect to Wi-Fi, your device is recognized by your organization. Continue to step 4 and follow the onscreen prompts until setup is complete. 4. Review Google's terms. Then tap **ACCEPT & CONTINUE**. - ![Example image of Google terms screen, highlighting Accept & Continue button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-04.png) - -5. Review Chrome's Terms of Service. Then tap **ACCEPT & CONTINUE**. - - ![Example image of Chrome Terms of Service screen, highlighting Accept & Continue button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-06.png) +5. Review Chrome's Terms of Service. Then tap **ACCEPT & CONTINUE**. 6. On the sign-in screen, tap **Sign-in options** and then **Sign in from another device**. @@ -100,10 +94,7 @@ You'll also need to contact a Purebred agent or representative during setup. 8. Switch to your smart card-enabled device and go to the web address that's shown on your screen. -9. Enter the code you previously wrote down. - - > [!div class="mx-imgBorder"] - > ![Screenshot of the Company Portal website "Enter code" prompt.](./media/enroll-android-device-disa-purebred/enter-code-intercede.png) +9. Enter the code you previously wrote down. 10. Insert your smart card to sign in. 
@@ -111,40 +102,26 @@ You'll also need to contact a Purebred agent or representative during setup. 12. Depending on your organization's requirements, you might be prompted to update settings, such as screen lock or encryption. If you see these prompts, tap **SET** and follow the onscreen instructions. - ![Example image of Set up your work phone screen, highlighting Set button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-10.png) - 13. To install work apps on your device, tap **INSTALL**. After installation is complete, tap **NEXT**. - - ![Example image of Set up your work phone screen, highlighting Install button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-11.png) - 14. Tap **START** to open the Microsoft Intune app. - ![Example image of Set up your work phone screen, highlighting Start button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-17.png) - 15. Return to the Intune app on your mobile device and follow the onscreen instructions until enrollment is done. - ![Example image of Set up access, register your device screen, highlighting Done button.](./media/enroll-android-device-disa-purebred/fully-managed-intune-app-19.png) - 16. Continue to the [set up your smart card](enroll-android-device-disa-purebred.md#set-up-smart-card) section in this article to finish setting up your device. ### QR code enrollment In this section, you'll scan your company-provided QR code. When you're done, we'll redirect you back to the device enrollment steps. 1. On the **Welcome** screen, tap the screen five times to start QR code setup. - - ![Example image of device setup Welcome screen, highlighting instructions to tap screen.](./media/enroll-android-device-disa-purebred/qr-code-intune-app-01.png) - 2. Follow any onscreen instructions to connect to Wi-Fi. -3. If your device doesn't have a QR code scanner, the setup screens will show the progress as a scanner is installed. Wait for installation to complete. 
-4. When prompted, scan the enrollment profile QR code that your organization gave you. +3. If your device doesn't have a QR code scanner, the setup screens show the installation progress as a scanner installs. Wait for installation to complete. +4. Scan the enrollment profile QR code that your organization gave you. 5. Return to [Enroll device](#enroll-device), step 4 to continue setup. ### Token enrollment In this section, you'll enter your company-provided token. When you're done, we'll redirect you back to the device enrollment steps. -1. On the Google sign-in screen, in the **Email or phone** box, type **afw#setup**. Tap **Next**. - - ![Example image of Google sign-in screen, showing that "afw#setup" is typed into field.](./media/enroll-android-device-disa-purebred/token-intune-app-01.png) +1. On the Google sign-in screen, in the **Email or phone** box, type **afw#setup**. Tap **Next**. 2. Choose **Install** for the **Android Device Policy** app. Continue through the installation. Depending on your device, you might need to review and accept additional terms. 
@@ -154,31 +131,29 @@ In this section, you'll enter your company-provided token. When you're done, we' 5. On the **Scan or enter code** screen, type in the code that your organization gave you. Then click **Next**. - ![Example image of Scan or enter code screen, highlighting Next button.](./media/enroll-android-device-disa-purebred/token-intune-app-04.png) - 6. Return to [Enroll device](#enroll-device), step 4 to continue setup. ## Set up smart card > [!NOTE] -> The Purebred app is required to complete these steps and will automatically install on your device after enrollment. If you still don't have the app after waiting a short while, contact your IT support person. +> The Purebred app is required to complete these steps and automatically installs on your device after enrollment. If you still don't have the app after waiting a short while, contact your IT support person. -1. After enrollment is complete, the Intune app will notify you to set up your smart card. Tap the notification. If you don't get a notification, check your email. +1. After enrollment is complete, the Intune app prompts you to set up your smart card via a notification. Tap the notification. If you don't get a notification, check your email. > [!div class="mx-imgBorder"] > ![Screenshot of the Intune app push notification on device home screen.](./media/enroll-android-device-disa-purebred/action-required-in-app-android.png) 2. On the **Set up smart card** screen: - 1. Tap the link to your organization's setup instructions and review them. If your organization doesn't provide additional instructions, you'll be sent to this article. + 1. Tap the link to your organization's setup instructions and review them. If your organization doesn't provide additional instructions, you are sent to this article. 2. Tap **BEGIN**. > [!div class="mx-imgBorder"] > ![Screenshot of the Intune app, Set up smart card screen.](./media/enroll-android-device-disa-purebred/smart-card-open-disa-purebred-android.png) -3. 
On the **Get certificates** screen, tap **LAUNCH PUREBRED** to open the Purebred app. (The app should have been installed automatically on your device. If you don't have it, contact your support person.) +3. On the **Get certificates** screen, tap **LAUNCH PUREBRED** to open the Purebred app. (The app should be on your device already, because it installs automatically. If you don't have it, contact your support person.) > [!div class="mx-imgBorder"] > ![Screenshot of the Intune app prompt to open DISA Purebred app.](./media/enroll-android-device-disa-purebred/open-app-prompt-disa-purbred-android.png) 
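Review bot: the two rewritten lines in this hunk name the same contact differently: the NOTE under "Set up smart card" ends with "contact your IT support person", while step 3 ends with "contact your support person". Use one term in both places so readers don't assume two different contacts. In step 2.1, "you are sent to this article" would read more naturally as "you're sent to this article", matching the contractions used in the surrounding steps.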
@@ -193,26 +168,26 @@ In this section, you'll enter your company-provided token. When you're done, we' 6. After installation is complete, you'll receive a notification that your certificates are ready. Tap the notification to return to the Intune app. > [!div class="mx-imgBorder"] - > ![Screenshot of the "Allow access to certificates" screen](./media/enroll-android-device-disa-purebred/certificates-ready-prompt-disa-purbred-android.png) + > ![Screenshot of the Allow access to certificates screen](./media/enroll-android-device-disa-purebred/certificates-ready-prompt-disa-purbred-android.png) 7. From the **Allow access to certificates** screen, you'll give the Intune app permission to access the derived credential you got from DISA Purebred. This step ensures that your organization can verify your identity whenever you access protected work or school resources. 1. Tap **NEXT**. > [!div class="mx-imgBorder"] - > ![Screenshot of the "Certificates are ready" prompt](./media/enroll-android-device-disa-purebred/certificates-access-disa-purbred-android.png) + > ![Screenshot of the Certificates are ready prompt](./media/enroll-android-device-disa-purebred/certificates-access-disa-purbred-android.png) 2. When you're prompted to **Choose certificate**, don't change the selection. The correct certificate is already selected, so just tap **Select** or **OK**. > [!div class="mx-imgBorder"] - > ![Screenshot of the "Choose certificate" prompt](./media/enroll-android-device-disa-purebred/choose-certificates-prompt-disa-purbred-android.png) + > ![Screenshot of the Choose certificate prompt](./media/enroll-android-device-disa-purebred/choose-certificates-prompt-disa-purbred-android.png) 3. Your derived credential is made up of multiple certificates, so you might see the **Choose certificate** prompt multiple times. Repeat the previous step until no more prompts appear. 8. Once all of the certificates are processed, wait for the Intune app to finish setting up your device. 
You'll know setup is complete when you see the **You're all set!** screen. > [!div class="mx-imgBorder"] - > ![Screenshot of the "You're all set" screen](./media/enroll-android-device-disa-purebred/all-set-android.png) + > ![Screenshot of the You're all set screen](./media/enroll-android-device-disa-purebred/all-set-android.png) ## Next steps From e2c4d064207da5652015be60c0b69c96b8d6bc30 Mon Sep 17 00:00:00 2001 From: Jacob Scott <49541449+mrjacobascott@users.noreply.github.com> Date: Fri, 15 Nov 2024 16:14:43 -0600 Subject: [PATCH 010/237] Update overview.md Updating overview doc to clarify that the Windows of version of the client needs to be an Intune supported version of Windows for comanagement to be available. Based on multiple support cases from customers thinking that tenant attach and comanagment are the same thing, but they are not. Trying to help make that more clear. --- memdocs/configmgr/comanage/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/configmgr/comanage/overview.md b/memdocs/configmgr/comanage/overview.md index 4b8d3914807..ac536a058c4 100644 --- a/memdocs/configmgr/comanage/overview.md +++ b/memdocs/configmgr/comanage/overview.md @@ -121,7 +121,7 @@ Enabling co-management itself doesn't require that you onboard your site with Mi ### Windows -Update your devices to a supported version of Windows 11 or Windows 10. For more information, see [Adopting Windows as a service](../core/understand/configuration-manager-and-windows-as-service.md#windows-as-a-service). +Update your devices to an [Intune supported version of Windows 11 or Windows 10](../../intune/fundementals/supported-devices-browsers.md). For more information, see [Adopting Windows as a service](../core/understand/configuration-manager-and-windows-as-service.md#windows-as-a-service). ### Permissions and roles From c9fdc55ea56c039c0cfc53553010cc1e2c380acb Mon Sep 17 00:00:00 2001 
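Review bot: in the smart card hunk above (@@ -193,26 +168,26 @@), the alt text being edited is still swapped between steps 6 and 7: the step 6 image, certificates-ready-prompt-disa-purbred-android.png, is described as the Allow access to certificates screen, and the step 7 image, certificates-access-disa-purbred-android.png, is described as the Certificates are ready prompt. Since these lines are being touched anyway, swap the two descriptions so each alt text matches its step and its file name.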
From: Jacob Scott <49541449+mrjacobascott@users.noreply.github.com> Date: Tue, 19 Nov 2024 13:36:40 -0600 Subject: [PATCH 011/237] Update overview.md Fixing typo in link --- memdocs/configmgr/comanage/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/configmgr/comanage/overview.md b/memdocs/configmgr/comanage/overview.md index ac536a058c4..147066d4020 100644 --- a/memdocs/configmgr/comanage/overview.md +++ b/memdocs/configmgr/comanage/overview.md @@ -121,7 +121,7 @@ Enabling co-management itself doesn't require that you onboard your site with Mi ### Windows -Update your devices to an [Intune supported version of Windows 11 or Windows 10](../../intune/fundementals/supported-devices-browsers.md). For more information, see [Adopting Windows as a service](../core/understand/configuration-manager-and-windows-as-service.md#windows-as-a-service). +Update your devices to an [Intune supported version of Windows 11 or Windows 10](../../intune/fundamentals/supported-devices-browsers.md). For more information, see [Adopting Windows as a service](../core/understand/configuration-manager-and-windows-as-service.md#windows-as-a-service). ### Permissions and roles From f4d9529819dfd7f97a6d93019a0d666bf7d71b0d Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 19 Nov 2024 17:14:34 -0500 Subject: [PATCH 012/237] Update multi-factor-authentication.md fixed numbering --- .../enrollment/multi-factor-authentication.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/memdocs/intune/enrollment/multi-factor-authentication.md b/memdocs/intune/enrollment/multi-factor-authentication.md index 979e7f766fa..7b3a62fc66a 100644 --- a/memdocs/intune/enrollment/multi-factor-authentication.md +++ b/memdocs/intune/enrollment/multi-factor-authentication.md 
@@ -8,7 +8,7 @@ keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 11/05/2024 +ms.date: 11/19/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment @@ -34,8 +34,7 @@ ms.collection: *Applies to*: * Android * iOS/iPadOS - * macOS - * Windows 8.1 + * macOS * Windows 10 * Windows 11 @@ -70,10 +69,10 @@ Complete these steps to enable multi-factor authentication during Microsoft Intu 4. To exclude users or groups from the policy, select the **Exclude** tab and add those users or groups like you did in the previous step. 1. Select the next category, **Target resources**. In this step, you select the resources that the policy applies to. In this case, we want the policy to apply to events where users or groups try to access the Microsoft Intune Enrollment app. 1. Under **Select what this policy applies to**, choose **Resources (formerly cloud apps)**. - 1. Select the **Include** tab. - 2. Choose **Select resources**. Additional options appear. - 3. Under **Select**, choose **None**. A list of resources open. - 4. Search for **Microsoft Intune Enrollment**. Then choose **Select** to add the app. + 2. Select the **Include** tab. + 3. Choose **Select resources**. Additional options appear. + 4. Under **Select**, choose **None**. A list of resources open. + 5. Search for **Microsoft Intune Enrollment**. Then choose **Select** to add the app. For Apple automated device enrollments using Setup Assistant with modern authentication, you have two options to choose from. The following table describes the difference between the *Microsoft Intune* option and *Microsoft Intune Enrollment* option. From 27fe4ba9f88c303e7cacc80f4dffe7d45da5401c Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 19 Nov 2024 17:17:41 -0500 Subject: [PATCH 013/237] Update multi-factor-authentication.md acrolinx --- memdocs/intune/enrollment/multi-factor-authentication.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
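Review bot: the commit message for the numbering patch above says only "fixed numbering", but its @@ -34,8 +34,7 @@ hunk also removes "Windows 8.1" from the *Applies to* list; mention the platform removal in the message so the change in stated support can be found in history. In the renumbered sub-steps, "A list of resources open." on the new step 4 should read "A list of resources opens."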
diff --git a/memdocs/intune/enrollment/multi-factor-authentication.md b/memdocs/intune/enrollment/multi-factor-authentication.md index 7b3a62fc66a..6e3ddcc3ad1 100644 --- a/memdocs/intune/enrollment/multi-factor-authentication.md +++ b/memdocs/intune/enrollment/multi-factor-authentication.md @@ -39,7 +39,7 @@ ms.collection: * Windows 11 -You can use Intune together with Microsoft Entra Conditional Access policies to require multifactor authentication (MFA) during device enrollment. If you require MFA, employees and students wanting to enroll devices must first authenticate with a second device and two forms of credentials. MFA requires them to authenticate using two or more of these verification methods: +You can use Intune together with Microsoft Entra Conditional Access policies to require multifactor authentication (MFA) during device enrollment. If you require MFA, employees and students wanting to enroll devices must first authenticate with a second device and two forms of credentials. MFA requires them to authenticate using two or more of these verification methods: - Something they know, such as a password or PIN. - Something they have that can't be duplicated, such as a trusted device or phone. @@ -52,7 +52,7 @@ To implement this policy, you must assign Microsoft Entra ID P1 or later to user ## Configure Intune to require multifactor authentication at device enrollment -Complete these steps to enable multi-factor authentication during Microsoft Intune enrollment. +Complete these steps to enable multifactor authentication during Microsoft Intune enrollment. > [!IMPORTANT] > Don't configure **Device based access rules** for Microsoft Intune enrollment. From 2fffb470fcf45702c08ae8f0bb74088c661fdcca Mon Sep 17 00:00:00 2001 
From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Mon, 25 Nov 2024 14:25:42 -0800 Subject: [PATCH 014/237] Updates and fixes --- .../device-profile-troubleshoot.md | 45 +++++++++++-------- 1 file changed, 27 insertions(+), 18 deletions(-) diff --git a/memdocs/intune/configuration/device-profile-troubleshoot.md b/memdocs/intune/configuration/device-profile-troubleshoot.md index 45ae7faf526..9e9da76eae1 100644 --- a/memdocs/intune/configuration/device-profile-troubleshoot.md +++ b/memdocs/intune/configuration/device-profile-troubleshoot.md @@ -7,7 +7,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 11/11/2024 +ms.date: 11/25/2024 ms.topic: troubleshooting ms.service: microsoft-intune ms.subservice: configuration 
@@ -46,13 +46,13 @@ This article applies to the following policies: ## Policy refresh intervals -Intune notifies the device to check in with the Intune service. The notification times vary, including immediately up to a few hours. These notification times also vary between platforms. On Android devices, [Google Mobile Services (GMS) can affect policy refresh intervals](../apps/manage-without-gms.md#some-tasks-can-be-delayed). +When a device checks-in, it immediately checks for compliance, non-compliance and configuration for the current user/device context, receiving any pending actions, policies and apps assigned to it. -If a device doesn't check in to get the policy or profile after the first notification, Intune makes three more attempts. An offline device, such as turned off, or not connected to a network, might not receive the notifications. In this case, the device gets the policy or profile on its next scheduled check-in with the Intune service. The same applies to checks for noncompliance, including devices that move from a compliant to a noncompliant state. +There are 4 main types of check-ins: -**Estimated** frequencies: +**Maintenance check-ins** - These check-ins happen at predetermined intervals and can be client or service initiated depending on the platform. -| Platform | Refresh cycle| +| Platform | Estimated refresh cycle| | --- | --- | | Android, AOSP | About every 8 hours | | iOS/iPadOS | About every 8 hours | 
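Review bot: the paragraph removed in this hunk stated that Intune makes three more attempts when a device doesn't check in after the first notification, and nothing added in this hunk replaces it; if the retry behavior still applies, keep a sentence for it, otherwise say in the commit message that it was dropped on purpose. The added intro also writes "When a device checks-in" where the verb is "checks in", and uses "non-compliance" where the removed lines used "noncompliance".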
@@ -60,9 +60,26 @@ If a device doesn't check in to get the policy or profile after the first notifi | Windows 10/11 PCs enrolled as devices | About every 8 hours | | Windows 8.1 | About every 8 hours | -If devices recently enroll, then the compliance, noncompliance, and configuration check-in runs more frequently. The check-ins are **estimated** at: +**End user driven check-ins** – These check-ins are driven by end users when they perform certain actions in the Company Portal app like going into  **Devices** > **Check Status** or **Settings** > **Sync** to check for policy or profile updates or selecting an app for download. -| Platform | Frequency | +**Admin check-ins** - These check-ins are driven by admins when they perform certain actions on a single device from the Intune portal, like [device sync](../remote-actions/device-sync.md), [remote lock](../remote-actions/device-remote-lock.md) or [reset passcode](../remote-actions/device-passcode-reset.md). Other actions like [remotely assist users](../fundamentals/remote-help.md) do not cause a device check-in. + +**Notification-based check-ins** - These check-ins happen through different actions that trigger a notification. For example, when a policy, profile, or app is assigned (or unassigned), updated, deleted, or when certain behind the scenes changes like Microsoft Entra group membership updates are made. Other changes don't cause an immediate notification to devices, like adding an app as available to your users. + +Intune notifies online devices to check-in with the Intune service. The notification times vary from immediately up to a few hours. +These notification times also vary between platforms. + +- On Android devices, [Google Mobile Services (GMS) can affect policy refresh intervals](../apps/manage-without-gms.md#some-tasks-can-be-delayed). + +- On iOS devices, [NotNow status can affect policy refresh intervals](/troubleshoot/mem/intune/device-configuration/2016341112-ios-device-is-currently-busy). 
+ +An offline device, such as a powered off, or a disconnected device, might not receive the notifications. In this case, the device gets the policy or profile on its next scheduled check-in with Intune. + +It might take additional time for Intune reports to reflect the latest status of the policy on the device in the Intune portal. + +Additionally, when devices first enroll, configuration check-ins run more frequently to perform configuration, compliance and non-compliance checks. The check-ins are estimated as follows: + +| Platform | Estimated refresh cycle| | --- | --- | | Android, AOSP | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours | | iOS/iPadOS | Every 15 minutes for 1 hour, and then around every 8 hours | 
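Review bot: the check-in type labels added in this hunk are punctuated inconsistently: "**End user driven check-ins** –" uses an en dash and is followed by a doubled space before **Devices**, while the admin and notification-based labels use a hyphen. Use one separator throughout, and write the verb as two words in "Intune notifies online devices to check-in" ("to check in"). "do not cause a device check-in" could be "don't cause" to match the contractions in the rest of the added text.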
@@ -70,19 +87,11 @@ If devices recently enroll, then the compliance, noncompliance, and configuratio | Windows 10/11 PCs enrolled as devices | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours | | Windows 8.1 | Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours | -For app protection policy refresh intervals, go to [App Protection Policy delivery timing](../apps/app-protection-policy-delivery.md). - -At any time, users can open the Company Portal app, **Devices** > **Check Status** or **Settings** > **Sync** to immediately check for policy or profile updates. For related information about the Intune Management Extension agent or Win32 apps, see [Win32 app management in Microsoft Intune](../apps/apps-win32-app-management.md). - -## Intune actions that immediately send a notification to a device +For app protection policy refresh intervals, go to [App Protection Policy delivery timing](../apps/app-protection-policy-delivery.md). -There are different actions that trigger a notification. For example, when a policy, profile, or app is assigned (or unassigned), updated, deleted, and so on. These action times vary between platforms. +## Company portal -Devices check in with Intune when they receive a notification to check in, or during the scheduled check-in. When you target a device or user with an action, then Intune immediately notifies the device to check in to receive these updates. For example, a notification happens when a lock, passcode reset, app, or policy assignment action runs. - -Other changes don't cause an immediate notification to devices, including revising the contact information in the Company Portal app or updates to an `.ipa` file. - -The settings in the policy or profile are applied at every check-in. A [Windows 10 MDM policy refresh customer blog post](https://www.petervanderwoude.nl/post/windows-10-mdm-policy-refresh/) might be a good resource. 
+At any time, users can open the Company Portal app, **Devices** > **Check Status** or **Settings** > **Sync** to immediately check for policy or profile updates. For related information about the Intune Management Extension agent or Win32 apps, see [Win32 app management in Microsoft Intune](../apps/apps-win32-app-management.md). ## Conflicts From 7b60abd1a3ec93d7a7191b696fc1f6a2e238034f Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Mon, 25 Nov 2024 14:38:06 -0800 Subject: [PATCH 015/237] minor fix --- memdocs/intune/configuration/device-profile-troubleshoot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/configuration/device-profile-troubleshoot.md b/memdocs/intune/configuration/device-profile-troubleshoot.md index 9e9da76eae1..77c57a9753e 100644 --- a/memdocs/intune/configuration/device-profile-troubleshoot.md +++ b/memdocs/intune/configuration/device-profile-troubleshoot.md @@ -50,7 +50,7 @@ When a device checks-in, it immediately checks for compliance, non-compliance an There are 4 main types of check-ins: -**Maintenance check-ins** - These check-ins happen at predetermined intervals and can be client or service initiated depending on the platform. +**Maintenance check-ins** - These check-ins happen at predetermined intervals and can be initiated by the client or service depending on the platform. The check-ins are estimated as follows: | Platform | Estimated refresh cycle| | --- | --- | From 7cf33026cc46232e627366fc55dd8f86f6e6d8de Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Wed, 27 Nov 2024 15:47:34 -0800 Subject: [PATCH 016/237] Updated with edits from feedback --- .../configuration/device-profile-troubleshoot.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) 
diff --git a/memdocs/intune/configuration/device-profile-troubleshoot.md b/memdocs/intune/configuration/device-profile-troubleshoot.md index 77c57a9753e..19e8a415390 100644 --- a/memdocs/intune/configuration/device-profile-troubleshoot.md +++ b/memdocs/intune/configuration/device-profile-troubleshoot.md @@ -50,7 +50,7 @@ When a device checks-in, it immediately checks for compliance, non-compliance an There are 4 main types of check-ins: -**Maintenance check-ins** - These check-ins happen at predetermined intervals and can be initiated by the client or service depending on the platform. The check-ins are estimated as follows: +**Scheduled check-ins** - These check-ins happen at predetermined intervals and can be initiated by the client or service depending on the platform. The check-ins are estimated as follows: | Platform | Estimated refresh cycle| | --- | --- | 
@@ -71,11 +71,12 @@ These notification times also vary between platforms. - On Android devices, [Google Mobile Services (GMS) can affect policy refresh intervals](../apps/manage-without-gms.md#some-tasks-can-be-delayed). -- On iOS devices, [NotNow status can affect policy refresh intervals](/troubleshoot/mem/intune/device-configuration/2016341112-ios-device-is-currently-busy). +- On iOS devices, [Specific conditions can affect policy refresh intervals](/troubleshoot/mem/intune/device-configuration/2016341112-ios-device-is-currently-busy). An offline device, such as a powered off, or a disconnected device, might not receive the notifications. In this case, the device gets the policy or profile on its next scheduled check-in with Intune. -It might take additional time for Intune reports to reflect the latest status of the policy on the device in the Intune portal. +> [!NOTE] +> It might take additional time for Intune reports to reflect the latest status of the policy on the device in the Intune portal. Additionally, when devices first enroll, configuration check-ins run more frequently to perform configuration, compliance and non-compliance checks. The check-ins are estimated as follows: 
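Review bot: in the iOS bullet, the new link text "[Specific conditions can affect policy refresh intervals]" starts with a capital letter mid-sentence and no longer tells the reader which condition is meant, while the Android bullet next to it names GMS explicitly. Lowercase the link text and name the condition the target covers (the URL still ends in ios-device-is-currently-busy), so the two bullets stay parallel.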
@@ -91,7 +92,11 @@ For app protection policy refresh intervals, go to [App Protection Policy deli ## Company portal -At any time, users can open the Company Portal app, **Devices** > **Check Status** or **Settings** > **Sync** to immediately check for policy or profile updates. For related information about the Intune Management Extension agent or Win32 apps, see [Win32 app management in Microsoft Intune](../apps/apps-win32-app-management.md). +At any time, users can open the Company Portal app and navigate to **Devices** > **Check Status** to evaluate your device's settings and verify access to work or school resources or navigate to **Settings** > **Sync** to get the latest updates, requirements, and communications from your organization. + +For related information about the Intune Management Extension agent or Win32 apps, see [Win32 app management in Microsoft Intune](../apps/apps-win32-app-management.md). + +For related information, see [Sync enrolled device for Windows](../user-help/sync-your-device-manually-windows.md) and [Check device access in Company Portal for Windows](../user-help/check-device-access-windows-cpapp.md). ## Conflicts From d0c7f39c4f2ea3a92ba4b15e21a601302bedc3c3 Mon Sep 17 00:00:00 2001 From: brenduns Date: Tue, 3 Dec 2024 08:39:48 -0800 Subject: [PATCH 017/237] 13204113 MDE attach support for tamper protection settings --- memdocs/intune/protect/mde-security-integration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index ad102136f1b..6c7ec50eb81 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 10/30/2024 +ms.date: 12/13/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
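Review bot: the rewritten Company Portal sentence in the @@ -91,7 +92,11 @@ hunk of device-profile-troubleshoot.md switches person halfway: "users can open the Company Portal app ... to evaluate your device's settings ... from your organization". The subject is "users", so keep it in third person ("their device's settings", "their organization"). The heading shown as context, "## Company portal", should also capitalize the product name as "Company Portal" to match the body text.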
@@ -271,7 +271,7 @@ To support use with Microsoft Defender security settings management, your polici | Antivirus | Defender Update controls | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) | | Antivirus | Microsoft Defender Antivirus | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) | | Antivirus | Microsoft Defender Antivirus exclusions| ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) | -| Antivirus | Windows Security Experience | *Note 1* | ![Supported](./media/mde-security-integration/green-check.png) | +| Antivirus | Windows Security Experience | ![Supported](./media/mde-security-integration/green-check.png) ![Supported](./media/mde-security-integration/green-check.png) | | Attack Surface Reduction | Attack Surface Reduction Rules | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) | |Attack Surface Reduction|Device Control | *Note 1* | ![Supported](./media/mde-security-integration/green-check.png) | | Endpoint detection and response | Endpoint detection and response | ![Supported](./media/mde-security-integration/green-check.png)| ![Supported](./media/mde-security-integration/green-check.png)| From 13d599f7a0ff4f58fb25ca6aec37a274abd0781e Mon Sep 17 00:00:00 2001 From: Doug Eby <17034284+dougeby@users.noreply.github.com> Date: Tue, 3 Dec 2024 17:28:02 -0800 Subject: [PATCH 018/237] compliance article for CM --- .../understand/fundamentals-of-compliance.md | 54 +++++++++++++++++++ .../understand/fundamentals-of-security.md | 4 +- 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 memdocs/configmgr/core/understand/fundamentals-of-compliance.md 
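Review bot: the replacement row for "Windows Security Experience" has no cell separator between the two green-check images, so it carries three cells where every neighboring row has four and the table will render misaligned. Add " | " between the two image references. Also check ms.date in the first hunk of this patch: it is set to 12/13/2024 although the commit is dated 3 Dec 2024.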
diff --git a/memdocs/configmgr/core/understand/fundamentals-of-compliance.md b/memdocs/configmgr/core/understand/fundamentals-of-compliance.md new file mode 100644 index 00000000000..6754feca813 --- /dev/null +++ b/memdocs/configmgr/core/understand/fundamentals-of-compliance.md 
@@ -0,0 +1,54 @@ +--- +title: Compliance in Configuration Manager +author: dougeby +ms.author: dougeby +manager: dougeby +audience: ITPro +ms.topic: conceptual +ms.service: configuration-manager +ms.collection: + - tier1 + - essentials-compliance +description: Learn about compliance certifications, dependencies, and features in Configuration Manager supporting data protection and regulatory requirements. +ms.date: 12/3/2024 +--- + +# Compliance in Configuration Manager + +Configuration Manager supports compliance features to help organizations meet national, regional, and industry-specific regulations. Configuration Manager aligns with Microsoft's commitment to data protection, privacy, and compliance, by offering tools to help secure and manage data effectively. + +## Shared responsibility model + +Microsoft ensures that Configuration Manager complies with various industry standards and regulatory frameworks. However, customers are responsible for implementing their data protection and compliance strategies to align with their specific organizational requirements. + +## Compliance dependencies + +Configuration Manager leverages other Microsoft services for compliance, including: + +- [Microsoft Entra ID](/entra/fundamentals/whatis): Identity and access management. +- [Microsoft Intune](/mem/intune): Enforces device compliance and conditional access policies. + +## Microsoft Intune capabilities for compliance + +Microsoft Intune helps enforce compliance policies and protect organizational data specifically for Intune: + +- **Conditional Access**: Ensures only compliant devices and apps managed by Intune can access sensitive data. See [Conditional Access](/mem/intune/protect/conditional-access). +- **Device Compliance Enforcement**: Enforces device compliance policies to meet organizational security requirements. See [Device Compliance Policies](/mem/intune/protect/device-compliance-get-started). 
+ +For more information about Intune compliance capabilities, visit the [Microsoft Intune documentation](/mem/intune). +For more information about how to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune, see [What is co-management?](/mem/configmgr/comanage/overview). + +## Data encryption + +Use Configuration Manager to manage BitLocker Drive Encryption (BDE) for on-premises Windows clients, which are joined to Active Directory. It provides full BitLocker lifecycle management that can replace the use of Microsoft BitLocker Administration and Monitoring. For more information, see [Plan for BitLocker management](../protect/plan-design/bitlocker-management.md). + +## Compliance features + +Configuration Manager includes several compliance features that help organizations manage device compliance. For more information, see [Ensure device compliance with Configuration Manager](../compliance/understand/ensure-device-compliance.md). + +## Related articles + +- [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) +- [Microsoft Trust Center](https://www.microsoft.com/trust-center) +- [Additional privacy information](../security/additional-privacy.md) +- [Fundamentals of security](fundamentals-of-security.md) diff --git a/memdocs/configmgr/core/understand/fundamentals-of-security.md b/memdocs/configmgr/core/understand/fundamentals-of-security.md index 17e78bb96a2..aff3337f7eb 100644 --- a/memdocs/configmgr/core/understand/fundamentals-of-security.md +++ b/memdocs/configmgr/core/understand/fundamentals-of-security.md @@ -10,7 +10,9 @@ author: banreet ms.author: banreetkaur manager: apoorvseth ms.localizationpriority: medium -ms.collection: tier3 +ms.collection: +- essentials-security +- tier3 ms.reviewer: mstewart,aaroncz --- From dce674e5dd5089517dbd5707d6974289879bba2a Mon Sep 17 00:00:00 2001 
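Review bot: the relative links in the new fundamentals-of-compliance.md ("../protect/plan-design/bitlocker-management.md", "../compliance/understand/ensure-device-compliance.md", "../security/additional-privacy.md") are resolved from memdocs/configmgr/core/understand/, so they point under configmgr/core/ rather than at the sibling protect, compliance and security folders; use "../../" or site-relative paths. The front matter value "ms.date: 12/3/2024" should be zero-padded ("12/03/2024") like the "11/05/2024" form used in other files in this series, and the description promises "compliance certifications" that the article body never lists.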
From: Doug Eby <17034284+dougeby@users.noreply.github.com> Date: Tue, 3 Dec 2024 17:36:37 -0800 Subject: [PATCH 019/237] compliance article for CM2 --- .../configmgr/core/understand/fundamentals-of-compliance.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/memdocs/configmgr/core/understand/fundamentals-of-compliance.md b/memdocs/configmgr/core/understand/fundamentals-of-compliance.md index 6754feca813..a7ef437aea5 100644 --- a/memdocs/configmgr/core/understand/fundamentals-of-compliance.md +++ b/memdocs/configmgr/core/understand/fundamentals-of-compliance.md 
@@ -40,15 +40,15 @@ For more information about how to concurrently manage Windows 10 or later device ## Data encryption -Use Configuration Manager to manage BitLocker Drive Encryption (BDE) for on-premises Windows clients, which are joined to Active Directory. It provides full BitLocker lifecycle management that can replace the use of Microsoft BitLocker Administration and Monitoring. For more information, see [Plan for BitLocker management](../protect/plan-design/bitlocker-management.md). +Use Configuration Manager to manage BitLocker Drive Encryption (BDE) for on-premises Windows clients, which are joined to Active Directory. It provides full BitLocker lifecycle management that can replace the use of Microsoft BitLocker Administration and Monitoring. For more information, see [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management). ## Compliance features -Configuration Manager includes several compliance features that help organizations manage device compliance. For more information, see [Ensure device compliance with Configuration Manager](../compliance/understand/ensure-device-compliance.md). +Configuration Manager includes several compliance features that help organizations manage device compliance. For more information, see [Ensure device compliance with Configuration Manager](/mem/configmgr/compliance/understand/ensure-device-compliance). ## Related articles - [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - [Microsoft Trust Center](https://www.microsoft.com/trust-center) -- [Additional privacy information](../security/additional-privacy.md) +- [Additional privacy information](/mem/configmgr/security/additional-privacy.md) - [Fundamentals of security](fundamentals-of-security.md) From ec48425b3fe596698faf5e113b9b34d87abca7bb Mon Sep 17 00:00:00 2001 
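Review bot: of the three links converted to site-relative paths in the hunk above, "/mem/configmgr/security/additional-privacy.md" keeps its .md extension while the BitLocker and device compliance links drop it; remove the extension so all three use the same form.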
From: Doug Eby <17034284+dougeby@users.noreply.github.com> Date: Tue, 3 Dec 2024 17:39:01 -0800 Subject: [PATCH 020/237] compliance article for CM3 --- .../configmgr/core/understand/fundamentals-of-compliance.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/memdocs/configmgr/core/understand/fundamentals-of-compliance.md b/memdocs/configmgr/core/understand/fundamentals-of-compliance.md index a7ef437aea5..5ee2fccd868 100644 --- a/memdocs/configmgr/core/understand/fundamentals-of-compliance.md +++ b/memdocs/configmgr/core/understand/fundamentals-of-compliance.md @@ -36,7 +36,8 @@ Microsoft Intune helps enforce compliance policies and protect organizational da - **Device Compliance Enforcement**: Enforces device compliance policies to meet organizational security requirements. See [Device Compliance Policies](/mem/intune/protect/device-compliance-get-started). For more information about Intune compliance capabilities, visit the [Microsoft Intune documentation](/mem/intune). -For more information about how to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune, see [What is co-management?](/mem/configmgr/comanage/overview). +> [!NOTE] +> For more information about how to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune, see [What is co-management?](/mem/configmgr/comanage/overview). ## Data encryption From 148c6deb19f7fc75bcda28a0a68b6c8f1c64ac01 Mon Sep 17 00:00:00 2001 From: Doug Eby <17034284+dougeby@users.noreply.github.com> Date: Tue, 3 Dec 2024 17:43:02 -0800 Subject: [PATCH 021/237] compliance article for CM4 --- memdocs/configmgr/core/understand/fundamentals-of-compliance.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/configmgr/core/understand/fundamentals-of-compliance.md b/memdocs/configmgr/core/understand/fundamentals-of-compliance.md index 5ee2fccd868..19e29358358 100644 
--- a/memdocs/configmgr/core/understand/fundamentals-of-compliance.md +++ b/memdocs/configmgr/core/understand/fundamentals-of-compliance.md @@ -51,5 +51,5 @@ Configuration Manager includes several compliance features that help organizatio - [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - [Microsoft Trust Center](https://www.microsoft.com/trust-center) -- [Additional privacy information](/mem/configmgr/security/additional-privacy.md) +- [Additional privacy information](/mem/configmgr/security/additional-privacy) - [Fundamentals of security](fundamentals-of-security.md) From 24eb1b145a093b4d9ccb3fd7515e164b682279e4 Mon Sep 17 00:00:00 2001 From: Doug Eby <17034284+dougeby@users.noreply.github.com> Date: Tue, 3 Dec 2024 17:47:20 -0800 Subject: [PATCH 022/237] compliance article for CM5 --- memdocs/configmgr/compliance/TOC.yml | 2 ++ .../understand/fundamentals-of-compliance.md | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) rename memdocs/configmgr/{core => compliance}/understand/fundamentals-of-compliance.md (94%) diff --git a/memdocs/configmgr/compliance/TOC.yml b/memdocs/configmgr/compliance/TOC.yml index 8abbcd105eb..33ed3f4729d 100644 --- a/memdocs/configmgr/compliance/TOC.yml +++ b/memdocs/configmgr/compliance/TOC.yml @@ -3,6 +3,8 @@ items: href: index.yml - name: Understand and explore items: + - name: Understand compliance in Configuration Manager + href: understand/fundamentals-of-compliance.md - name: Ensure device compliance href: understand/ensure-device-compliance.md - name: Get started diff --git a/memdocs/configmgr/core/understand/fundamentals-of-compliance.md b/memdocs/configmgr/compliance/understand/fundamentals-of-compliance.md similarity index 94% rename from memdocs/configmgr/core/understand/fundamentals-of-compliance.md rename to memdocs/configmgr/compliance/understand/fundamentals-of-compliance.md index 19e29358358..f37730e4df1 100644 --- a/memdocs/configmgr/core/understand/fundamentals-of-compliance.md 
+++ b/memdocs/configmgr/compliance/understand/fundamentals-of-compliance.md @@ -1,5 +1,5 @@ --- -title: Compliance in Configuration Manager +title: Understand compliance in Configuration Manager author: dougeby ms.author: dougeby manager: dougeby @@ -13,7 +13,7 @@ description: Learn about compliance certifications, dependencies, and features i ms.date: 12/3/2024 --- -# Compliance in Configuration Manager +# Understand compliance in Configuration Manager Configuration Manager supports compliance features to help organizations meet national, regional, and industry-specific regulations. Configuration Manager aligns with Microsoft's commitment to data protection, privacy, and compliance, by offering tools to help secure and manage data effectively. @@ -52,4 +52,4 @@ Configuration Manager includes several compliance features that help organizatio - [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - [Microsoft Trust Center](https://www.microsoft.com/trust-center) - [Additional privacy information](/mem/configmgr/security/additional-privacy) -- [Fundamentals of security](fundamentals-of-security.md) +- [Fundamentals of security](/mem/core/understand/fundamentals-of-security) From 11001dbd4f3f39f7374215152e3b87b23f0250f0 Mon Sep 17 00:00:00 2001 From: Doug Eby <17034284+dougeby@users.noreply.github.com> Date: Tue, 3 Dec 2024 17:52:51 -0800 Subject: [PATCH 023/237] compliance article for CM6 --- .../compliance/understand/fundamentals-of-compliance.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/configmgr/compliance/understand/fundamentals-of-compliance.md b/memdocs/configmgr/compliance/understand/fundamentals-of-compliance.md index f37730e4df1..b88d4cf1121 100644 --- a/memdocs/configmgr/compliance/understand/fundamentals-of-compliance.md +++ b/memdocs/configmgr/compliance/understand/fundamentals-of-compliance.md 
@@ -51,5 +51,5 @@ Configuration Manager includes several compliance features that help organizatio - [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) - [Microsoft Trust Center](https://www.microsoft.com/trust-center) -- [Additional privacy information](/mem/configmgr/security/additional-privacy) -- [Fundamentals of security](/mem/core/understand/fundamentals-of-security) +- [Additional privacy information](/mem/configmgr/core/plan-design/security/additional-privacy) +- [Fundamentals of security](/mem/configmgr/core/understand/fundamentals-of-security) From 7d188f6b23ab4907a8f26e47b4e9991fbc286435 Mon Sep 17 00:00:00 2001 From: Doug Eby <17034284+dougeby@users.noreply.github.com> Date: Tue, 3 Dec 2024 17:55:44 -0800 Subject: [PATCH 024/237] compliance article for CM7 --- memdocs/configmgr/compliance/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/configmgr/compliance/TOC.yml b/memdocs/configmgr/compliance/TOC.yml index 33ed3f4729d..5c3a3741e61 100644 --- a/memdocs/configmgr/compliance/TOC.yml +++ b/memdocs/configmgr/compliance/TOC.yml @@ -3,7 +3,7 @@ items: href: index.yml - name: Understand and explore items: - - name: Understand compliance in Configuration Manager + - name: Understand compliance href: understand/fundamentals-of-compliance.md - name: Ensure device compliance href: understand/ensure-device-compliance.md From fa31aa187d2d098e67aa6d90dfac5ee851659201 Mon Sep 17 00:00:00 2001 
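Review bot: in PATCH 023/237 (fundamentals-of-compliance.md, Related articles), the additional-privacy target moves from `/mem/configmgr/security/` to `/mem/configmgr/core/plan-design/security/`, which suggests the site-relative paths written earlier in this series were not resolved against the repo tree. The BitLocker (`/mem/configmgr/protect/plan-design/bitlocker-management`) and device-compliance (`/mem/configmgr/compliance/understand/ensure-device-compliance`) links introduced alongside them deserve the same check before merge, and the successive fixes to this one list would read better squashed into a single commit.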
From: Takashi-kg <131775434+Takashi-kg@users.noreply.github.com> Date: Wed, 4 Dec 2024 18:02:36 +0900 Subject: [PATCH 025/237] Update intune-endpoints.md Customer pointed out the difference about required URLs when using apple product managed by MDM. I confirmed from packet capture that macOS managed by Intune communicate with *.push.apple.com. Other than specific 5-courier.push.apple.com. MS docs: "5-courier.push.apple.com" https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints?tabs=north-america#apple-dependencies Apple docs: "*.push.apple.com" https://support.apple.com/en-us/101555 --- memdocs/intune/fundamentals/intune-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index 0980568d4c8..3547b9fb68a 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md +++ b/memdocs/intune/fundamentals/intune-endpoints.md @@ -169,7 +169,7 @@ For Delivery Optimization metadata: | ID | Desc | Category | ER | Addresses | Ports | | --- | ---- | -------- | ----- | --------- | ----- | -| 178 | MEM - Apple Dependencies | Default
Required | False | `itunes.apple.com`
`*.itunes.apple.com`
`*.mzstatic.com`
`*.phobos.apple.com`
`phobos.itunes-apple.com.akadns.net`
`5-courier.push.apple.com`
`phobos.apple.com`
`ocsp.apple.com`
`ax.itunes.apple.com`
`ax.itunes.apple.com.edgesuite.net`
`s.mzstatic.com`
`a1165.phobos.apple.com`
|**TCP:** 80, 443, 5223| +| 178 | MEM - Apple Dependencies | Default
Required | False | `itunes.apple.com`
`*.itunes.apple.com`
`*.mzstatic.com`
`*.phobos.apple.com`
`phobos.itunes-apple.com.akadns.net`
`*.push.apple.com`
`phobos.apple.com`
`ocsp.apple.com`
`ax.itunes.apple.com`
`ax.itunes.apple.com.edgesuite.net`
`s.mzstatic.com`
`a1165.phobos.apple.com`
|**TCP:** 80, 443, 5223| For more information, see the following resources: - [Use Apple products on enterprise networks](https://support.apple.com/HT210060) From 5ffe65c3aa0c3db75ca6b458294bf05d239e9ad6 Mon Sep 17 00:00:00 2001 From: mackie1604 Date: Wed, 4 Dec 2024 14:04:54 -0600 Subject: [PATCH 026/237] Update collect-diagnostics.md Fixed a bug and removed the note about it. --- memdocs/intune/remote-actions/collect-diagnostics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/remote-actions/collect-diagnostics.md b/memdocs/intune/remote-actions/collect-diagnostics.md index 5dad0d2b000..8bfa2de2f97 100644 --- a/memdocs/intune/remote-actions/collect-diagnostics.md +++ b/memdocs/intune/remote-actions/collect-diagnostics.md @@ -64,7 +64,7 @@ To download diagnostics: 2. On the **Summary** page, select the **Diagnostics** page and download the diagnostics. > [!IMPORTANT] -> For Android devices, if the Company Portal isn't signed in by the user, logs will not be available for download in the Intune portal. Diagnostic uploads exceeding 50 diagnostics or 4MB in diagnostic data cannot be downloaded directly from the Intune portal. For access to larger diagnostic uploads, reach out to [Microsoft Intune support](/mem/get-support). +> Diagnostic uploads exceeding 50 diagnostics or 4MB in diagnostic data cannot be downloaded directly from the Intune portal. For access to larger diagnostic uploads, reach out to [Microsoft Intune support](/mem/get-support). Diagnostics take approximately 30 minutes to be delivered from an end user's device. The user may be required to close and reopen the app if prompted for a pin when opening the app for the diagnostics request to prompt. From 49c75969e00dc682e035fe7979f6be133623c503 Mon Sep 17 00:00:00 2001 
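Review bot: in PATCH 025/237 (intune-endpoints.md, row 178), replacing `5-courier.push.apple.com` with `*.push.apple.com` widens a firewall allow-list entry from one host to a whole subdomain, and nothing in the row or in the text under the table says why. The commit message has the justification (a packet capture and Apple's own endpoint list); carry one sentence of it into the article so administrators who review egress rules can see the wildcard is intentional. The Ports cell still lists TCP 80, 443 and 5223 for every address in the row; if 5223 applies only to the push hosts, say so.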
From: mackie1604 Date: Wed, 4 Dec 2024 15:57:00 -0600 Subject: [PATCH 027/237] Update collect-diagnostics.md Added supported apps for M365 diagnostics, added clarity around setting it up/configuring, and also around not needing MDM to collect M365 app logs --- .../remote-actions/collect-diagnostics.md | 27 ++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/remote-actions/collect-diagnostics.md b/memdocs/intune/remote-actions/collect-diagnostics.md index 8bfa2de2f97..8ee708d6890 100644 --- a/memdocs/intune/remote-actions/collect-diagnostics.md +++ b/memdocs/intune/remote-actions/collect-diagnostics.md 
@@ -32,19 +32,40 @@ ms.collection: # Collect diagnostics from an Intune managed device -The **Collect diagnostics** remote action lets you collect and download managed device logs without interrupting the user. Only nonuser locations and file types are accessed. +The **Collect diagnostics** remote action lets you collect and download managed device diagnostics without interrupting the user. Only nonuser locations and file types are accessed. > [!NOTE] -> Intune App Protection logs are available to download from the diagnostics tab in the **Troubleshooting** pane. However, M365 remote application logs are only available to their specific support engineers. +> Intune App Protection logs are available to download from the diagnostics tab in the **Troubleshooting** pane. However, M365 remote application diagnostics are only available to their specific support engineers. +> +> Devices do not have to be managed by MDM (Mobile device mangement) to have Intune app protection or M365 app diagnostics collected, only managed by an Intune app protection policy. > > The data is stored in Microsoft support systems and isn't subject to Intune data management policies or protections. Some applications might collect and store data using systems other than Intune. ## Collect diagnostics for Microsoft 365 remote applications -The Microsoft 365 remote application diagnostics allows Intune admins to request Intune app protection logs and Microsoft 365 application logs (where applicable) directly from the Intune console. Admins can find this report in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Troubleshooting + support** > **Troubleshoot** > *select a user* > **Summary** > *App protection**. This feature is exclusive to applications that are under Intune app protection management. If supported, the application specific logs are gathered and stored within dedicated storage solutions for each application. 
+The Microsoft 365 remote application diagnostics allows Intune admins to request Intune app protection diagnostics and Microsoft 365 application diagnostics (where applicable) directly from the Intune console. Admins can find this report in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Troubleshooting + support** > **Troubleshoot** > *select a user* > **Summary** > *App protection**. This feature is exclusive to applications that are under Intune app protection management. If supported, the application specific logs are gathered and stored within dedicated storage solutions for each application. +Applications with support for M365 application diagnostics: + +- Outlook iOS/Android +- Teams iOS/Android +- OneDrive iOS/Android +- Microsoft Edge iOS/Android +- Microsoft Word iOS +- Microsoft Excel iOS +- Microsoft PowerPoint iOS +- OneNote iOS +- Microsoft 365 (Office) iOS + ### Collect diagnostics from a M365 Application +Requirements to collect diagnostics from an M365 application: + +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +2. Navigate to **Tenant administration** > **Device diagnostics** > Make sure the 3rd setting is enabled. +3. Create and deploy an Intune App Protection policy to a user, more information [here](https://learn.microsoft.com/mem/intune/apps/app-protection-policies). +4. Confirm the application has been managed by Intune App Protection policy. This can be checked locally on the device and/or loading the user into the Intune Troubleshooting Pane and opening the App Protection summary page. + To use the *Collect diagnostics* action: 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) From cbdf0e5da7bca244564cbc4516f866f60351d721 Mon Sep 17 00:00:00 2001 
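Review bot: in PATCH 027/237 (collect-diagnostics.md), step 2 of the new requirements list says "Make sure the 3rd setting is enabled", which identifies a tenant-wide setting only by its position on the **Device diagnostics** page; name the setting as it appears in the admin center so the step survives a reordering of that page and the reader knows what is being turned on. In the same patch, "Mobile device mangement" in the added note is misspelled, the step 3 link uses "here" as its text and an absolute `https://learn.microsoft.com/mem/...` URL where this file otherwise uses site-relative `/mem/...` links, and the rewritten paragraph switches "logs" to "diagnostics" but its last sentence still says "application specific logs".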
From: Laura Newsad Date: Fri, 6 Dec 2024 17:21:36 -0500 Subject: [PATCH 028/237] Update enroll-android-device-disa-purebred.md Acrolinx clarity --- .../enroll-android-device-disa-purebred.md | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/memdocs/intune/user-help/enroll-android-device-disa-purebred.md b/memdocs/intune/user-help/enroll-android-device-disa-purebred.md index 6acdde1eeda..e5a27fd27cd 100644 --- a/memdocs/intune/user-help/enroll-android-device-disa-purebred.md +++ b/memdocs/intune/user-help/enroll-android-device-disa-purebred.md @@ -34,7 +34,7 @@ ms.collection: Enroll your device with the Microsoft Intune app to gain secure, mobile access to your work email, files, and apps. After your device is enrolled, it becomes *managed*, which means your organization can assign policies and apps to the device through a mobile device management (MDM) provider, such as Microsoft Intune. -During enrollment, you'll also install a derived credential on your device. Your organization might require you to use the derived credential as an authentication method when accessing resources, or for signing and encrypting emails. +During enrollment, you also install a derived credential on your device. Your organization might require you to use the derived credential as an authentication method when accessing resources, or for signing and encrypting emails. You likely need to set up a derived credential if you use a smart card to: 
@@ -67,22 +67,22 @@ To complete enrollment, you must have: * The Microsoft Intune app installed on your device * The Purebred app installed on your device (App should automatically install shortly after device setup. If it doesn't, contact your IT support person.) -You'll also need to contact a Purebred agent or representative during setup. +You must also contact a Purebred agent or representative during setup. ## Enroll device 1. Turn on your new or factory-reset device. -2. On the **Welcome** screen, select your language. If you've been instructed to enroll with a QR code or NFC, follow the step below that matches the method. +2. On the **Welcome** screen, select your language. If you were instructed to enroll with a QR code or NFC, complete the step that matches the method: * NFC: Tap your NFC-supported device against a programmer device to connect to your organization's network. Follow the onscreen prompts. When you reach the screen for Chrome's Terms of Service, continue to step 5. * QR code: Complete the steps in [QR code enrollment](#qr-code-enrollment). - If you've been instructed to use another method, continue to step 3. + If you were instructed to use another method, continue to step 3. 3. Connect to Wi-Fi and tap **NEXT**. Follow the step that matches your enrollment method. * Token: When you get to the Google sign-in screen, complete the steps in [Token enrollment](#token-enrollment). - * Google Zero Touch: After you connect to Wi-Fi, your device is recognized by your organization. Continue to step 4 and follow the onscreen prompts until setup is complete. + * Google Zero Touch: After you connect to Wi-Fi, your organization can recognize your device. Continue to step 4 and follow the onscreen prompts until setup is complete. 4. Review Google's terms. Then tap **ACCEPT & CONTINUE**. 
@@ -92,7 +92,7 @@ You'll also need to contact a Purebred agent or representative during setup. 7. Write down the onscreen code. -8. Switch to your smart card-enabled device and go to the web address that's shown on your screen. +8. Switch to your smart card-enabled device and go to the web address that appears on your screen. 9. Enter the code you previously wrote down. 
@@ -110,28 +110,28 @@ You'll also need to contact a Purebred agent or representative during setup. 16. Continue to the [set up your smart card](enroll-android-device-disa-purebred.md#set-up-smart-card) section in this article to finish setting up your device. ### QR code enrollment -In this section, you'll scan your company-provided QR code. When you're done, we'll redirect you back to the device enrollment steps. +In this section, you scan your company-provided QR code. When you're done, we'll redirect you back to the device enrollment steps. 1. On the **Welcome** screen, tap the screen five times to start QR code setup. 2. Follow any onscreen instructions to connect to Wi-Fi. 3. If your device doesn't have a QR code scanner, the setup screens show the installation progress as a scanner installs. Wait for installation to complete. 4. Scan the enrollment profile QR code that your organization gave you. -5. Return to [Enroll device](#enroll-device), step 4 to continue setup. +5. Return to [Enroll device](#enroll-device) > step 4 to continue setup. ### Token enrollment -In this section, you'll enter your company-provided token. When you're done, we'll redirect you back to the device enrollment steps. +In this section, you enter your company-provided token. When you're done, we'll redirect you back to the device enrollment steps. 1. On the Google sign-in screen, in the **Email or phone** box, type **afw#setup**. Tap **Next**. -2. Choose **Install** for the **Android Device Policy** app. Continue through the installation. Depending on your device, you might need to review and accept additional terms. +2. Choose **Install** for the **Android Device Policy** app. Continue through the installation. Depending on your device, you might need to review and accept other terms. 3. On the **Enroll this device** screen, select **Next**. 4. Select **Enter code**. -5. On the **Scan or enter code** screen, type in the code that your organization gave you. Then click **Next**. +5. 
On the **Scan or enter code** screen, type in the code that your organization gave you. Then click **Next**. -6. Return to [Enroll device](#enroll-device), step 4 to continue setup. +6. Return to [Enroll device](#enroll-device) > step 4 to continue setup. ## Set up smart card @@ -146,7 +146,7 @@ In this section, you'll enter your company-provided token. When you're done, we' 2. On the **Set up smart card** screen: - 1. Tap the link to your organization's setup instructions and review them. If your organization doesn't provide additional instructions, you are sent to this article. + 1. Tap the link to your organization's setup instructions and review them. If your organization doesn't provide other instructions, you are sent to this article. 2. Tap **BEGIN**. 
@@ -158,19 +158,19 @@ In this section, you'll enter your company-provided token. When you're done, we' > [!div class="mx-imgBorder"] > ![Screenshot of the Intune app prompt to open DISA Purebred app.](./media/enroll-android-device-disa-purebred/open-app-prompt-disa-purbred-android.png) -4. The Purebred app might need additional permissions from you in order to run properly. Tap **Allow** or **Allow all the time** when prompted. For more information about why these permissions are required, speak with your support person or Purebred agent. +4. The Purebred app might need other permissions from you in order to run properly. Tap **Allow** or **Allow all the time** when prompted. For more information about why these permissions are required, speak with your support person or Purebred agent. 5. Once you're in the Purebred app, work with your organization's Purebred agent to download and install the certificates you need to access work or school resources. > [!IMPORTANT] > During this process, tap **OK** or **Install** when prompted. Don't change the names of any certificate authorities (CAs) or certificates that you're prompted to install. -6. After installation is complete, you'll receive a notification that your certificates are ready. Tap the notification to return to the Intune app. +6. After installation is complete, you receive a notification that your certificates are ready. Tap the notification to return to the Intune app. > [!div class="mx-imgBorder"] > ![Screenshot of the Allow access to certificates screen](./media/enroll-android-device-disa-purebred/certificates-ready-prompt-disa-purbred-android.png) -7. From the **Allow access to certificates** screen, you'll give the Intune app permission to access the derived credential you got from DISA Purebred. This step ensures that your organization can verify your identity whenever you access protected work or school resources. +7. 
From the **Allow access to certificates** screen, give the Intune app permission to access the derived credential you got from DISA Purebred. This step ensures that your organization can verify your identity whenever you access protected work or school resources. 1. Tap **NEXT**. @@ -184,14 +184,14 @@ In this section, you'll enter your company-provided token. When you're done, we' 3. Your derived credential is made up of multiple certificates, so you might see the **Choose certificate** prompt multiple times. Repeat the previous step until no more prompts appear. -8. Once all of the certificates are processed, wait for the Intune app to finish setting up your device. You'll know setup is complete when you see the **You're all set!** screen. +8. Once all of the certificates are processed, wait for the Intune app to finish setting up your device. You know setup is complete when you see the **You're all set!** screen. > [!div class="mx-imgBorder"] > ![Screenshot of the You're all set screen](./media/enroll-android-device-disa-purebred/all-set-android.png) ## Next steps -After enrollment is complete, you'll have access to work resources, such as email, Wi-Fi, and any apps that your organization makes available. For more information about how to get, search for, install, and uninstall apps in the Intune app see: +After enrollment is complete, you have access to work resources, such as email, Wi-Fi, and any apps that your organization makes available. For more information about how to get, search for, install, and uninstall apps in the Intune app see: * [Use managed apps on your device](use-managed-apps-on-your-device-android.md) * [Manage apps from the Company Portal website](manage-apps-cpweb.md) From 873c0bc6b53828d53fd3781b7233e40c420a522d Mon Sep 17 00:00:00 2001 
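Review bot: in PATCH 028/237 (enroll-android-device-disa-purebred.md), the Google Zero Touch bullet changes meaning, not just voice: "your device is recognized by your organization" described what happens after connecting to Wi-Fi, while "your organization can recognize your device" describes a capability. Keep the active voice but state the event, for example "your organization recognizes your device". The QR code and token sections still say "we'll redirect you back" although the patch removes the other future-tense forms, and "Return to [Enroll device](#enroll-device) > step 4" uses the menu-path separator for a step reference where the original comma read more clearly.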
From: Oluchi Date: Mon, 9 Dec 2024 09:37:10 -0800 Subject: [PATCH 029/237] Update microsoft-tunnel-upgrade.md --- memdocs/intune/protect/microsoft-tunnel-upgrade.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/protect/microsoft-tunnel-upgrade.md b/memdocs/intune/protect/microsoft-tunnel-upgrade.md index 3dfa61e19f4..5a4851493af 100644 --- a/memdocs/intune/protect/microsoft-tunnel-upgrade.md +++ b/memdocs/intune/protect/microsoft-tunnel-upgrade.md @@ -139,6 +139,9 @@ Image hash values: Changes in this release: -Diagnostic tool improvements +-Bug fixes for rootless container mode in mst-cli +-Localization improvements in mstunnel-setup + ### October 2, 2024 @@ -600,4 +603,4 @@ Changes in this release: The initial public preview release of Microsoft Tunnel. -End of archive --> \ No newline at end of file +End of archive --> From e4cbd24a6fe8d25f3b11e4b593fb5bc5f754d5d6 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Mon, 9 Dec 2024 14:18:25 -0500 Subject: [PATCH 030/237] Updated note for deprecation --- .../intune/includes/android-device-administrator-support.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/includes/android-device-administrator-support.md b/memdocs/intune/includes/android-device-administrator-support.md index 6338e8f11ff..3f3fa72c642 100644 --- a/memdocs/intune/includes/android-device-administrator-support.md +++ b/memdocs/intune/includes/android-device-administrator-support.md @@ -4,7 +4,7 @@ description: include file author: lenewsad ms.service: microsoft-intune ms.topic: include -ms.date: 06/12/2024 +ms.date: 12/09/2024 ms.author: lanewsad ms.custom: include file ms.collection: 
@@ -13,4 +13,4 @@ ms.collection: --- > [!IMPORTANT] -> Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends. For more information, see [Ending support for Android device administrator on GMS devices](https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-intune-ending-support-for-android-device-administrator/ba-p/3915443). +> Android device administrator management is deprecated and no longer available for devices with access to Google Mobile Services (GMS). If you currently use device administrator management, we recommend switching to another Android management option. For more information, see [Ending support for Android device administrator on GMS devices](https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-intune-ending-support-for-android-device-administrator/ba-p/3915443). Support and help documentation remain available for devices without GMS, running Android 15 and earlier. From e0a095bfcae163b37e0eb02795c8812fd6eb2680 Mon Sep 17 00:00:00 2001 From: Emma-yxf Date: Mon, 9 Dec 2024 12:18:03 -0800 Subject: [PATCH 031/237] 2024_12-Monthly-broken-links-fix-Smritib17 --- memdocs/intune/fundamentals/intune-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index 0980568d4c8..327d9a3e404 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md +++ b/memdocs/intune/fundamentals/intune-endpoints.md 
@@ -155,7 +155,7 @@ For Intune-managed Windows devices managed using Mobile Device Management (MDM), **Port requirements** - For client-service communication, it uses HTTP or HTTPS over port 80/443. Optionally, for peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP and Teredo on port 3544 for NAT traversal. For more information, see [Delivery Optimization documentation](/windows/deployment/do/) -**Proxy requirements** - To use Delivery Optimization, you must allow Byte Range requests. For more information, see [Proxy requirements for Delivery Optimization](/windows/deployment/do/waas-delivery-optimization-faq.md#what-are-the-requirements-if-i-use-a-proxy). +**Proxy requirements** - To use Delivery Optimization, you must allow Byte Range requests. For more information, see [Proxy requirements for Delivery Optimization](/windows/deployment/do/waas-delivery-optimization-faq#what-are-the-requirements-if-i-use-a-proxy). **Firewall requirements** - Allow the following hostnames through your firewall to support Delivery Optimization. For communication between clients and the Delivery Optimization cloud service: From 905ebfbd5d07d4eabde6fa76063a47b106743076 Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Mon, 9 Dec 2024 15:19:55 -0800 Subject: [PATCH 032/237] remove win365 app --- windows-365/end-user-access-cloud-pc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows-365/end-user-access-cloud-pc.md b/windows-365/end-user-access-cloud-pc.md index 16e4e1aeba7..330bf46d79d 100644 --- a/windows-365/end-user-access-cloud-pc.md +++ b/windows-365/end-user-access-cloud-pc.md 
@@ -33,7 +33,7 @@ ms.collection: Users can access their Cloud PCs in accordance with the matrix below: -| Windows 365 Edition | [Windows 365 app](https://support.microsoft.com/topic/cbb0d4d5-69d4-4f00-b050-6dc7a02d02d0) | [windows365.microsoft.com](https://Windows365.microsoft.com) web client | [Microsoft Remote Desktop](#remote-desktop) | [LG Web OS](#lg-webos-23) | +| Windows 365 Edition | [Windows App](/windows-app/overview) | [windows365.microsoft.com](https://Windows365.microsoft.com) web client | [Microsoft Remote Desktop](#remote-desktop) | [LG Web OS](#lg-webos-23) | |--|--|--|--|--| | Windows 365 Business | X | X | X | X | | Windows 365 Enterprise | X | X | X | X | From 54507325926d7bc71fd00023b96110193c774e59 Mon Sep 17 00:00:00 2001 From: yegor-a <48032930+yegor-a@users.noreply.github.com> Date: Mon, 9 Dec 2024 21:49:42 -0800 Subject: [PATCH 033/237] Adding Try It button to Edge optional policies. Adjusting tables in OneDrive policies --- .../common-config-settings-catalog-edge.md | 19 +++++++++++++++++++ ...ttings-catalog-onedrive-knownfoldermove.md | 7 +++++++ 2 files changed, 26 insertions(+) diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge.md index 947b5dd9ea1..65bf9370357 100644 --- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge.md +++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-edge.md 
@@ -119,6 +119,8 @@ Content-Type: application/json ## (Optional) Startup, home page and new tab page +### [**Settings**](#tab/settings) + | **Category** | **Name** | **Value** | **Notes** | **CSP** | |---|---|---|---|---| | Microsoft Edge > Startup, home page and new tab page |**:::no-loc text="Action to take on startup":::** | _custom_ | Specify how Microsoft Edge behaves when it starts. | [:::no-loc text="RestoreOnStartup":::](/deployedge/microsoft-edge-policies#restoreonstartup) | 
@@ -127,6 +129,23 @@ Content-Type: application/json | Microsoft Edge > Startup, home page and new tab page |**:::no-loc text="Configure the new tab page URL":::** | Disabled | This policy determines the page that's opened when new tabs are created (including when new windows are opened). It also affects the startup page if that's set to open to the new tab page. | [:::no-loc text="NewTabPageLocation":::](/deployedge/microsoft-edge-policies#newtabpagelocation) | | Microsoft Edge > Startup, home page and new tab page |**:::no-loc text="New tab page URL (Device)":::** | _custom_ _url_ | | [:::no-loc text="NewTabPageLocation":::](/deployedge/microsoft-edge-policies#newtabpagelocation) | +### [:::image type="icon" source="../../../media/icons/graph.svg"::: **Create policy using Graph Explorer**](#tab/graph) + +[!INCLUDE [graph-explorer-introduction](../../../includes/graph-explorer-intro.md)] + +This will create a policy in your tenant with the name **_MSLearn_Example_CommonEDU - Windows - Microsoft Edge (Optional)**. 
+ +```msgraph-interactive +POST https://graph.microsoft.com/beta/deviceManagement/configurationPolicies +Content-Type: application/json + +{"name":"_MSLearn_Example_CommonEDU - Windows - Microsoft Edge (Optional)","description":"https://aka.ms/ManageEduDevices","platforms":"windows10","technologies":"mdm","roleScopeTagIds":["0"],"settings":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_restoreonstartup","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_restoreonstartup_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_restoreonstartup_restoreonstartup","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_restoreonstartup_restoreonstartup_5","children":[]}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_homepagelocation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_homepagelocation_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~pol
icy~microsoft_edge~startup_homepagelocation_homepagelocation","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","value":"https://www.office.com"}}]}}},{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSetting","settingInstance":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_newtabpagelocation","choiceSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationChoiceSettingValue","value":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_newtabpagelocation_1","children":[{"@odata.type":"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance","settingDefinitionId":"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~startup_newtabpagelocation_newtabpagelocation","simpleSettingValue":{"@odata.type":"#microsoft.graph.deviceManagementConfigurationStringSettingValue","value":"https://www.office.com"}}]}}}]} +``` + +[!INCLUDE [graph-explorer-steps](../../../includes/graph-explorer-steps.md)] + +--- + ## (Optional) Content settings in Microsoft 365 admin center If you leave the default configuration, when users open a new tab page they'll see a combination of the Microsoft 365 feed and news. You can control the visibility of news from the Microsoft 365 admin center. diff --git a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-onedrive-knownfoldermove.md b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-onedrive-knownfoldermove.md index 69e6ef163ae..e42ed759669 100644 --- a/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-onedrive-knownfoldermove.md 
+++ b/memdocs/intune/industry/education/tutorial-school-deployment/common-config-settings-catalog-onedrive-knownfoldermove.md 
@@ -28,10 +28,17 @@ To learn more, see: ## [**Settings**](#tab/settings) +### Organization-specific settings catalog policies + | **Category** | **Name** | **Value** | **Notes** | **CSP** | |---|---|---|---|---| | OneDrive |**:::no-loc text="Allow syncing OneDrive accounts for only specific organizations":::** | Enabled | Only enables the setting configuration. | [:::no-loc text="AllowTenantList":::](/sharepoint/use-group-policy#allow-syncing-onedrive-accounts-for-only-specific-organizations) | | OneDrive |**:::no-loc text="Allow syncing OneDrive accounts for only specific organizations > Tenant ID: (Device)":::** | _tenant ID_ | **Important!** This is a tenant-specific value. [How to find your Microsoft Entra tenant ID](/entra/fundamentals/how-to-find-tenant)| [:::no-loc text="AllowTenantList":::](/sharepoint/use-group-policy#allow-syncing-onedrive-accounts-for-only-specific-organizations) | + +### General restrictions + +| **Category** | **Name** | **Value** | **Notes** | **CSP** | +|---|---|---|---|---| | OneDrive |**:::no-loc text="Block file downloads when users are low on disk space":::** | Enabled | | [:::no-loc text="MinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#block-file-downloads-when-users-are-low-on-disk-space) | | OneDrive |**:::no-loc text="Block file downloads when users are low on disk space > Minimum available disk space: (Device)":::** | 1024 | Only enables the setting configuration. | [:::no-loc text="MinDiskSpaceLimitInMB":::](/sharepoint/use-group-policy#block-file-downloads-when-users-are-low-on-disk-space) | | OneDrive |**:::no-loc text="Convert synced team site files to online-only files":::** | Enabled | Files in currently syncing team sites are changed to online-only files, by default. Files later added or updated in the team site are also downloaded as online-only files. | [:::no-loc text="DehydrateSyncedTeamSites":::](/sharepoint/use-group-policy#convert-synced-team-site-files-to-online-only-files) | 
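Review bot: In the new "General restrictions" table of common-config-settings-catalog-onedrive-knownfoldermove.md, the note "Only enables the setting configuration." sits on the "Minimum available disk space: (Device)" row (value 1024), while the parent "Block file downloads when users are low on disk space" row (Enabled) has an empty Notes cell. In the "Organization-specific settings catalog policies" table just above, the same note is on the Enabled row. Since this hunk already splits and regroups these rows, consider moving the note to the Enabled row so both tables read the same way, or confirm that the current placement is intended.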
From 7e4d1c8864382d2705a1907a080f504902897ecb Mon Sep 17 00:00:00 2001 From: Anders Ahl <58516456+GenerAhl@users.noreply.github.com> Date: Tue, 10 Dec 2024 10:39:38 +0100 Subject: [PATCH 034/237] Update deployment-guide-enrollment-linux.md Updating statement to include the recently released support for Ubuntu 24.04 --- .../intune/fundamentals/deployment-guide-enrollment-linux.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md b/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md index 9084fe3d7ae..8786258dca5 100644 --- a/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md +++ b/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md @@ -48,7 +48,7 @@ Use for personal/BYOD and organization-owned devices running Linux. --- | Feature | Use this enrollment option when | | --- | --- | -| You use Ubuntu Desktop (20.04 or 22.04 LTS on x86/64). | ✅ | +| You use Ubuntu Desktop (20.04 LTS or later on x86/64). | ✅ | | You use Ubuntu Server. | ❌ | | You use RedHat Enterprise Linux 8 or 9. |✅ | | Devices are owned by the organization or school. | ✅ | From ea03309579a594f1b35f44ec708fdfb9f39808e5 Mon Sep 17 00:00:00 2001 From: Tom Hickling Date: Tue, 10 Dec 2024 14:33:07 +0000 Subject: [PATCH 035/237] Update requirements.md Giving Israel Central its full name (There will be another Israel region in the coming months - Israel North) --- windows-365/enterprise/requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows-365/enterprise/requirements.md b/windows-365/enterprise/requirements.md index b7ff69dd9a1..fd9438fac07 100644 --- a/windows-365/enterprise/requirements.md +++ b/windows-365/enterprise/requirements.md @@ -126,7 +126,7 @@ Windows 365 manages the capacity and availability of underlying Azure resources - Japan - Japan East - Middle East - - Israel + - Israel Central - Norway - Norway East - South Africa 
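Review bot: The changed row in deployment-guide-enrollment-linux.md, "You use Ubuntu Desktop (20.04 LTS or later on x86/64)", is broader than the commit message, which only mentions newly released support for Ubuntu 24.04. "or later" can be read as covering interim non-LTS releases and versions that do not exist yet. Listing the releases explicitly (20.04, 22.04, or 24.04 LTS) would match the stated intent and keep the table accurate until the next release is actually supported.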
From e8cdf1e20102827e8f4ee8a6c9d82ea74c68dd72 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Tue, 10 Dec 2024 09:35:38 -0800 Subject: [PATCH 036/237] Update android-os-project-supported-devices.md --- .../fundamentals/android-os-project-supported-devices.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/android-os-project-supported-devices.md b/memdocs/intune/fundamentals/android-os-project-supported-devices.md index 0361383d0a3..867e6aae9c0 100644 --- a/memdocs/intune/fundamentals/android-os-project-supported-devices.md +++ b/memdocs/intune/fundamentals/android-os-project-supported-devices.md @@ -57,4 +57,5 @@ Before setting up Microsoft Intune for Android Open Source Project devices, ensu | Lenovo| ThinkReality VRX | VRX_user_S766001_2310192349_kona | AR/VR Headset | | | DigiLens Inc.| DigiLens ARGO | DigiOS 2068 (B1.0001.2068) | AR/VR Headset | | | Vuzix | M400 | M-Series Version 3.0.2 | AR/VR Headset | | -| Vuzix | M4000 | M-Series Version 3.0.2 | AR/VR Headset | | \ No newline at end of file +| Vuzix | M4000 | M-Series Version 3.0.2 | AR/VR Headset | | +| Vuzix | Quest 3s | v71 | AR/VR Headset | | From 4e9eb5649b19442c04791a3a82f1927963f6fe33 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Tue, 10 Dec 2024 09:58:39 -0800 Subject: [PATCH 037/237] Update android-os-project-supported-devices.md --- .../intune/fundamentals/android-os-project-supported-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/android-os-project-supported-devices.md b/memdocs/intune/fundamentals/android-os-project-supported-devices.md index 867e6aae9c0..39da1ac1d9d 100644 --- a/memdocs/intune/fundamentals/android-os-project-supported-devices.md +++ b/memdocs/intune/fundamentals/android-os-project-supported-devices.md 
@@ -58,4 +58,4 @@ Before setting up Microsoft Intune for Android Open Source Project devices, ensu | DigiLens Inc.| DigiLens ARGO | DigiOS 2068 (B1.0001.2068) | AR/VR Headset | | | Vuzix | M400 | M-Series Version 3.0.2 | AR/VR Headset | | | Vuzix | M4000 | M-Series Version 3.0.2 | AR/VR Headset | | -| Vuzix | Quest 3s | v71 | AR/VR Headset | | +| Meta | Quest 3s | v71 | AR/VR Headset | | From f29a22e320d06d687cd823a1f8eb1aee24dca78a Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Tue, 10 Dec 2024 13:52:27 -0500 Subject: [PATCH 038/237] updated ms.reviewer for Linux --- .../configuration/custom-settings-linux.md | 2 +- .../deployment-guide-enrollment-linux.md | 2 +- .../protect/compliance-policy-create-linux.md | 6 +++--- memdocs/intune/protect/compliance-wsl.md | 2 +- memdocs/intune/user-help/check-status-linux.md | 16 ++++++++-------- memdocs/intune/user-help/enroll-device-linux.md | 2 +- .../user-help/microsoft-intune-app-linux.md | 2 +- 7 files changed, 16 insertions(+), 16 deletions(-) diff --git a/memdocs/intune/configuration/custom-settings-linux.md b/memdocs/intune/configuration/custom-settings-linux.md index e9edec7477b..2c8971f259c 100644 --- a/memdocs/intune/configuration/custom-settings-linux.md +++ b/memdocs/intune/configuration/custom-settings-linux.md @@ -17,7 +17,7 @@ ms.localizationpriority: medium #ROBOTS: #audience: -ms.reviewer: ilwu +ms.reviewer: arnab ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: diff --git a/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md b/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md index 9084fe3d7ae..00a245cfb42 100644 --- a/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md +++ b/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md @@ -18,7 +18,7 @@ ms.localizationpriority: high #ROBOTS: #audience: #ms.devlang: -ms.reviewer: ilwu +ms.reviewer: arnab ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: 
diff --git a/memdocs/intune/protect/compliance-policy-create-linux.md b/memdocs/intune/protect/compliance-policy-create-linux.md index 387e57a9c8d..732cc919767 100644 --- a/memdocs/intune/protect/compliance-policy-create-linux.md +++ b/memdocs/intune/protect/compliance-policy-create-linux.md @@ -18,7 +18,7 @@ ms.localizationpriority: medium #ROBOTS: #audience: -ms.reviewer: ilwu +ms.reviewer: arnab ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: @@ -69,7 +69,7 @@ Add settings to manage disk encryption. - **Require Device Encryption** – Specifies whether device-level encryption is required for writable fixed disks on this computer. - Users of devices that aren’t encrypted receive a message that they must encrypt the drives to bring the device into compliance. + Users of devices that aren't encrypted receive a message that they must encrypt the drives to bring the device into compliance. There are several options for disk and partition encryption on Linux operating systems. At this time, Intune recognizes any encryption system that uses the underlying [dm-crypt](https://gitlab.com/cryptsetup/cryptsetup/-/wikis/DMCrypt) subsystem that has been standard on Linux systems for some time. @@ -97,7 +97,7 @@ Users that fail to meet password complexity requirements can receive a message t ## Refresh compliance status -If you must modify a device’s configuration, use one of the following methods to refresh the device compliance status with Intune after making changes: +If you must modify a device's configuration, use one of the following methods to refresh the device compliance status with Intune after making changes: - If the Microsoft Intune app is still running, on the apps *device details* page or the *compliance issues* page, select the **Refresh** link. The device starts a new check-in. diff --git a/memdocs/intune/protect/compliance-wsl.md b/memdocs/intune/protect/compliance-wsl.md index 47c5d6df5ab..635ab4c9178 100644 --- a/memdocs/intune/protect/compliance-wsl.md 
+++ b/memdocs/intune/protect/compliance-wsl.md @@ -20,7 +20,7 @@ ms.localizationpriority: high #ms.devlang: ms.suite: ems search.appverid: MET150 -ms.reviewer: ilwu +ms.reviewer: arnab #ms.tgt_pltfrm: ms.custom: intune-azure ms.collection: diff --git a/memdocs/intune/user-help/check-status-linux.md b/memdocs/intune/user-help/check-status-linux.md index 3119602cb36..7a99e30eb57 100644 --- a/memdocs/intune/user-help/check-status-linux.md +++ b/memdocs/intune/user-help/check-status-linux.md @@ -20,7 +20,7 @@ searchScope: ROBOTS: #audience: -ms.reviewer: ilwu +ms.reviewer: arnab ms.suite: ems #ms.tgt_pltfrm: ms.custom: intune-enduser @@ -44,11 +44,11 @@ The Intune app routinely checks in with your device to verify that it complies w There are three statuses in the Intune app: - * **Compliant** – Your device meets your organization’s requirements. It should have access to work or school resources. + * **Compliant** – Your device meets your organization's requirements. It should have access to work or school resources. * **Checking status** – Intune is checking the device settings. - * **Not compliant** – Your device doesn't meet your organization’s requirements. It may be restricted from accessing work or school resources. Additional action is needed from you to update your settings. + * **Not compliant** – Your device doesn't meet your organization's requirements. It may be restricted from accessing work or school resources. Additional action is needed from you to update your settings. ## View compliance issues 
@@ -65,21 +65,21 @@ The app shows you the following information: * The action required, such as *Upgrade your operating system*. - * The reason for noncompliance, such as *This device’s operating system is not supported*. + * The reason for noncompliance, such as *This device's operating system is not supported*. * The **How to resolve this** link that, when available, points to a help article on learn.microsoft.com. ### Operating system and version -When OS and version requirements are enforced, devices running Linux flavors or versions that aren't supported are marked as noncompliant. To resolve this issue, upgrade to or install a version that’s supported by your organization. +When OS and version requirements are enforced, devices running Linux flavors or versions that aren't supported are marked as noncompliant. To resolve this issue, upgrade to or install a version that's supported by your organization. -Contact your support person for more information about your organization’s OS requirements. +Contact your support person for more information about your organization's OS requirements. ### Password complexity -When password complexity requirements are enforced, devices with weak passwords are marked as noncompliant. To resolve this issue, update your device password so that it meets your organization’s requirements for length and quality. +When password complexity requirements are enforced, devices with weak passwords are marked as noncompliant. To resolve this issue, update your device password so that it meets your organization's requirements for length and quality. ### Device encryption -When encryption requirements are enforced, devices that aren’t encrypted are marked as noncompliant. To resolve this issue, encrypt the local data on your device in accordance with your organization’s encryption policies. +When encryption requirements are enforced, devices that aren't encrypted are marked as noncompliant. 
To resolve this issue, encrypt the local data on your device in accordance with your organization's encryption policies. Not all filesystem partitions need to be encrypted: diff --git a/memdocs/intune/user-help/enroll-device-linux.md b/memdocs/intune/user-help/enroll-device-linux.md index f790e07579e..4c32be27764 100644 --- a/memdocs/intune/user-help/enroll-device-linux.md +++ b/memdocs/intune/user-help/enroll-device-linux.md @@ -20,7 +20,7 @@ searchScope: ROBOTS: #audience: -ms.reviewer: ilwu +ms.reviewer: arnab ms.suite: ems #ms.tgt_pltfrm: ms.custom: intune-enduser diff --git a/memdocs/intune/user-help/microsoft-intune-app-linux.md b/memdocs/intune/user-help/microsoft-intune-app-linux.md index e955e7a2400..d09b1c530de 100644 --- a/memdocs/intune/user-help/microsoft-intune-app-linux.md +++ b/memdocs/intune/user-help/microsoft-intune-app-linux.md @@ -20,7 +20,7 @@ searchScope: ROBOTS: #audience: -ms.reviewer: ilwu +ms.reviewer: arnab ms.suite: ems #ms.tgt_pltfrm: ms.custom: intune-enduser From 02d3f9145766d4755d4febf6e8bc0bfe767f990f Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Tue, 10 Dec 2024 10:53:19 -0800 Subject: [PATCH 039/237] changes per Shannon --- windows-365/link/create-intune-filter.md | 14 ++++++++------ windows-365/link/enrollment-restrictions.md | 6 +++--- windows-365/link/intune-automatic-enrollment.md | 2 +- windows-365/link/join-microsoft-entra.md | 6 +++--- 4 files changed, 15 insertions(+), 13 deletions(-) diff --git a/windows-365/link/create-intune-filter.md b/windows-365/link/create-intune-filter.md index 044bd57fe30..ea5ccdcfb79 100644 --- a/windows-365/link/create-intune-filter.md +++ b/windows-365/link/create-intune-filter.md 
@@ -38,12 +38,14 @@ To create a filter exclusively including Windows 365 Link devices: 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) >**Tenant administration** > **Filters** > **Create** > **Managed devices**. 2. Provide a **Filter name**, like *Windows 365 Link devices*, and an optional **Description**. 3. For **Platform**, select **Windows 10 and later** > **Next**. -4. Select **Edit** (next to **Rule syntax**). -5. In the **Edit rule syntax** box, type `(device.operatingSystemSKU -eq "WCPC")` > **OK** > **Next**. -6. On the **Scope tags** page, select **Next**. -7. On the **Review + create** page, select **Create**. - -The new filter can now be used on any policy assignment to include or exclude Windows 365 Link devices. +4. Select the following values: + - **Property**: **operatingSystemSKU (Operating System SKU)**. + - **Operator**: **Equals**. + - **Value**: **WCPC (Widnows PC (210))**. +5. Select **Next**. +6. On the **Review + create** page, select **Create**. + +This new filter can now be used on various policy assignments to include or exclude Windows 365 Link devices for [supported Windows workloads](/mem/intune/fundamentals/filters-supported-workloads#windows-1011). For more information, see [Use filters when assigning your apps, policies, and profiles in Microsoft Intune](/mem/intune/fundamentals/filters). diff --git a/windows-365/link/enrollment-restrictions.md b/windows-365/link/enrollment-restrictions.md index 4008f3ada84..cc3f77bab66 100644 --- a/windows-365/link/enrollment-restrictions.md +++ b/windows-365/link/enrollment-restrictions.md @@ -29,7 +29,7 @@ ms.collection: - tier2 --- -# Optimize enrollment restrictions +# Configure enrollment restrictions While [setting up your organization's environment to support Windows 365 Link](deployment-overview.md), you should make sure that your environment's enrollment restrictions don't block Windows 365 Link devices from enrolling in Intune. 
@@ -47,11 +47,11 @@ Windows 365 Link devices don't currently support Autopilot. If there's a policy that blocks personally-owned Windows devices from enrolling in Intune it will also block Windows 365 Link devices. You can create another policy with higher priority to allow Windows 365 Link devices to enroll in Intune while still blocking other personally-owned Windows devices. -Follow these steps to create a policy to allow Windows 365 Link devices to enroll in Intune: +Follow these steps to create a policy to allow users to enroll Windows 365 Link devices in Intune: 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Enrollment** > **Windows** > **Device platform restriction** > **Windows restrictions**. 2. Under **Windows restrictions**, select **Create restriction**. -3. On the **Basics** page, type a **Name** (like *Allowed Windows 365 Link devices to enroll*) and an optional **Description** > **Next**. +3. On the **Basics** page, type a **Name** (like *Allow enrollment of Windows 365 Link devices*) and an optional **Description** > **Next**. 4. On the **Platform settings** page, set the following options: - **MDM**: *Allow* - **Personally owned devices**: *Allow* diff --git a/windows-365/link/intune-automatic-enrollment.md b/windows-365/link/intune-automatic-enrollment.md index 69a2956af29..07de67a7756 100644 --- a/windows-365/link/intune-automatic-enrollment.md +++ b/windows-365/link/intune-automatic-enrollment.md 
@@ -35,7 +35,7 @@ As the second step to [set up your organization's environment to support Windows After a Windows 365 Link device is [joined to Entra ID](join-microsoft-entra.md), it can be managed with Intune if automatic enrollment is enabled by setting **MDM user scope**. The user must also have the appropriate Microsoft Entra Premium license. Without setting **MDM user scope**, automatic enrollment doesn't occur and Windows 365 Link devices can't be managed by, and don't appear in, Intune. -To set up automatically enrollment in Intune for Windows 365 Link devices: +To set up automatic enrollment in Intune for Windows 365 Link devices: 1. Sign in to the [Microsoft Entra admin center](https://aad.portal.azure.com/) > **Show more** > **Settings** > **Mobility**. 2. On the **Mobility (MDM and WIP)** page, select **Microsoft Intune**. diff --git a/windows-365/link/join-microsoft-entra.md b/windows-365/link/join-microsoft-entra.md index edd26c0d5e7..2a262ea3b00 100644 --- a/windows-365/link/join-microsoft-entra.md +++ b/windows-365/link/join-microsoft-entra.md @@ -1,6 +1,6 @@ --- # required metadata -title: Join Windows 365 Link to Microsoft Entra +title: Allow joining Windows 365 Link to Microsoft Entra titleSuffix: description: Learn about joining Windows 365 Link to Microsoft Entra keywords: @@ -29,7 +29,7 @@ ms.collection: - tier2 --- -# Join Windows 365 Link to Microsoft Entra +# Allow joining Windows 365 Link to Microsoft Entra As the first step in setting up your organization's environment to support Windows 365 Link, you must allow Windows 365 Link devices to [join Microsoft Entra](/entra/identity/devices/concept-directory-join). 
@@ -53,7 +53,7 @@ To set permissions to allow your organization's users to join their Windows 365 For more about configuring device settings for Microsoft Entra ID, see [Configure your device settings](/entra/identity/devices/device-join-plan#configure-your-device-settings). -For full information about planning yoru join implementation, see [How to: Plan your Microsoft Entra join implementation](/entra/identity/devices/device-join-plan). +For full information about planning your join implementation, see [How to: Plan your Microsoft Entra join implementation](/entra/identity/devices/device-join-plan). ## Next steps From 492632eeda4da1d729dc2debb5ad97ae805fe77e Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Tue, 10 Dec 2024 11:09:44 -0800 Subject: [PATCH 040/237] changes --- windows-365/link/TOC.yml | 2 +- windows-365/link/deployment-overview.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows-365/link/TOC.yml b/windows-365/link/TOC.yml index d5843631558..ccb20625f66 100644 --- a/windows-365/link/TOC.yml +++ b/windows-365/link/TOC.yml @@ -31,7 +31,7 @@ items: href: intune-automatic-enrollment.md - name: Create Intune filter for Windows 365 Link href: create-intune-filter.md - - name: Optimize enrollment restrictions + - name: Configure enrollment restrictions href: enrollment-restrictions.md - name: Synchronize conditional access policies href: conditional-access-policies-synchronize.md diff --git a/windows-365/link/deployment-overview.md b/windows-365/link/deployment-overview.md index ef4c2a70c14..5bafdfd1d1b 100644 --- a/windows-365/link/deployment-overview.md +++ b/windows-365/link/deployment-overview.md 
@@ -39,7 +39,7 @@ To set up your organization's environment to deploy and manage Windows 365 Link 2. [Configure Microsoft Entra Device settings to let users join Windows 365 Link devices to Microsoft Entra](join-microsoft-entra.md). 3. [Configure Microsoft Entra Mobility settings to automatically enroll Windows 365 Link devices in Intune](intune-automatic-enrollment.md). 4. [Create an Intune filter for Windows 365 Link devices](create-intune-filter.md) (optional). -5. [Optimize enrollment restrictions to let Windows 365 Link devices enroll](enrollment-restrictions.md). +5. [Configure enrollment restrictions to let Windows 365 Link devices enroll](enrollment-restrictions.md). 6. [Validate conditional access policies](conditional-access-policies-synchronize.md). 7. [Suppress single sign-on consent prompt](single-sign-on-suppress.md) (recommended). From 2adf0fd8f4d310da2939d4da4026d21eb5c3ae6b Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Tue, 10 Dec 2024 11:27:32 -0800 Subject: [PATCH 041/237] acro fixes --- windows-365/link/create-intune-filter.md | 2 +- windows-365/link/enrollment-restrictions.md | 6 +++--- windows-365/link/join-microsoft-entra.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows-365/link/create-intune-filter.md b/windows-365/link/create-intune-filter.md index ea5ccdcfb79..6c1d4420b06 100644 --- a/windows-365/link/create-intune-filter.md +++ b/windows-365/link/create-intune-filter.md @@ -41,7 +41,7 @@ To create a filter exclusively including Windows 365 Link devices: 4. Select the following values: - **Property**: **operatingSystemSKU (Operating System SKU)**. - **Operator**: **Equals**. - - **Value**: **WCPC (Widnows PC (210))**. + - **Value**: **WCPC (Windows PC (210))**. 5. Select **Next**. 6. On the **Review + create** page, select **Create**. diff --git a/windows-365/link/enrollment-restrictions.md b/windows-365/link/enrollment-restrictions.md index cc3f77bab66..cc644f10bcb 100644 
--- a/windows-365/link/enrollment-restrictions.md +++ b/windows-365/link/enrollment-restrictions.md 
@@ -33,9 +33,9 @@ ms.collection: While [setting up your organization's environment to support Windows 365 Link](deployment-overview.md), you should make sure that your environment's enrollment restrictions don't block Windows 365 Link devices from enrolling in Intune. -The first time a user signs in to their Windows 365 Link, the Out of Box Experience (OOBE) joins the device to Microsoft Entra and enrolls it in Microsoft Intune for management. This is the first time the device is introduced to Intune, and thus it's an Unknown device. Because the device is Microsoft Entra joined, Intune sets the ownership to Corporate-owned after the Intune enrollment process completes. +The first time a user signs in to their Windows 365 Link, the Out of Box Experience (OOBE) joins the device to Microsoft Entra and enrolls it in Microsoft Intune for management. This is the first time the device is introduced to Intune, and thus it's an Unknown device. Because the device is Microsoft Entra joined, Intune sets the ownership to Corporate owned after the Intune enrollment process completes. -If a [device platform restriction]() blocks personally-owned devices, Windows 365 Link devices are prevented from completing Intune enrollment. To avoid this, make sure to allow Windows 365 Link devices to enroll in Intune using one of the following methods: +If a [device platform restriction]() blocks personally owned devices, Windows 365 Link devices are prevented from completing Intune enrollment. To avoid this prevention, make sure to allow Windows 365 Link devices to enroll in Intune using one of the following methods: - [Use a Device Enrollment Manager to bypass all restrictions](/mem/intune/enrollment/device-enrollment-manager-enroll). - [Use an operating system SKU filter to let Windows 365 Link devices enroll](#use-an-operating-system-sku-filter-to-let-windows-365-link-devices-enroll-in-intune). 
@@ -45,7 +45,7 @@ Windows 365 Link devices don't currently support Autopilot. ## Use an operating system SKU filter to let Windows 365 Link devices enroll in Intune -If there's a policy that blocks personally-owned Windows devices from enrolling in Intune it will also block Windows 365 Link devices. You can create another policy with higher priority to allow Windows 365 Link devices to enroll in Intune while still blocking other personally-owned Windows devices. +If there's a policy that blocks personally owned Windows devices from enrolling in Intune it also blocks Windows 365 Link devices. You can create another policy with higher priority to allow Windows 365 Link devices to enroll in Intune while still blocking other personally owned Windows devices. Follow these steps to create a policy to allow users to enroll Windows 365 Link devices in Intune: diff --git a/windows-365/link/join-microsoft-entra.md b/windows-365/link/join-microsoft-entra.md index 2a262ea3b00..05aac21ef23 100644 --- a/windows-365/link/join-microsoft-entra.md +++ b/windows-365/link/join-microsoft-entra.md @@ -33,7 +33,7 @@ ms.collection: As the first step in setting up your organization's environment to support Windows 365 Link, you must allow Windows 365 Link devices to [join Microsoft Entra](/entra/identity/devices/concept-directory-join). -Prior to signing in, the user must have permission to join and not be blocked by any Intune device enrollment restrictions. +Before signing in, the user must have permission to join and not be blocked by any Intune device enrollment restrictions. The first time the device is powered on, the Out of Box Experience (OOBE): From 4a5bdc27975e8faf02d3eb447b09d116225dd094 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Wed, 11 Dec 2024 03:28:25 +0530 Subject: [PATCH 042/237] acro fix --- memdocs/intune/user-help/enroll-android-device-disa-purebred.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/memdocs/intune/user-help/enroll-android-device-disa-purebred.md b/memdocs/intune/user-help/enroll-android-device-disa-purebred.md index e5a27fd27cd..e79822ebefc 100644 --- a/memdocs/intune/user-help/enroll-android-device-disa-purebred.md +++ b/memdocs/intune/user-help/enroll-android-device-disa-purebred.md @@ -146,7 +146,7 @@ In this section, you enter your company-provided token. When you're done, we'll 2. On the **Set up smart card** screen: - 1. Tap the link to your organization's setup instructions and review them. If your organization doesn't provide other instructions, you are sent to this article. + 1. Tap the link to your organization's setup instructions and review them. If your organization doesn't provide other instructions, you're sent to this article. 2. Tap **BEGIN**. From 7d9a8a0385290bc9009f2b557d6bf756d1a812ca Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Wed, 11 Dec 2024 03:45:12 +0530 Subject: [PATCH 043/237] alt-text fixed --- .../enroll-device-android-company-portal.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/memdocs/intune/user-help/enroll-device-android-company-portal.md b/memdocs/intune/user-help/enroll-device-android-company-portal.md index 76e3d082bd9..8c025c91713 100644 --- a/memdocs/intune/user-help/enroll-device-android-company-portal.md +++ b/memdocs/intune/user-help/enroll-device-android-company-portal.md 
@@ -37,7 +37,7 @@ The Intune Company Portal app supports devices running Android 8.0 and later, in > [!VIDEO https://www.youtube.com/embed/k0Q_sGLSx6o] > [!NOTE] -> Samsung Knox is a type of security that certain Samsung devices use for additional protection outside of what native Android provides. To check if you have a Samsung Knox device, go to **Settings** > **About device**. If you don't see **Knox version** listed there, you have a native Android device. +> Samsung Knox is a type of security that certain Samsung devices use for additional protection outside of what native Android provides. To check if you have a Samsung Knox device, go to **Settings** > **About device**. If you don't see the **Knox version** listed there, you have a native Android device. ## Install Company Portal app Install the Intune Company Portal app [from Google Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal). See [Install Company Portal app in People's Republic of China](install-company-portal-android-china.md) for a list of stores that offer the app in People's Republic of China. 
@@ -55,16 +55,17 @@ During enrollment, you might be asked to choose a category that best describes h 2. If you're prompted to accept your organization's terms and conditions, tap **ACCEPT ALL**. - ![Screenshot of the Company Portal, Terms screen, highlighting "Accept all" button.](./media/enroll-device-android-company-portal/accept-terms-1911.png) + :::image type="content" source="./media/enroll-device-android-company-portal/accept-terms-1911.png" lightbox="./media/enroll-device-android-company-portal/accept-terms-1911.png" alt-text="Screenshot of the Company Portal Terms screen, highlighting the 'Accept all' button."::: 3. Review what your organization can and can't see. Then tap **CONTINUE**. - ![Screenshot of Company Portal, We care about your privacy screen, highlighting the Continue button.](./media/enroll-device-android-company-portal/android-privacy-screen-1911.png) + :::image type="content" source="./media/enroll-device-android-company-portal/android-privacy-screen-1911.png" lightbox="./media/enroll-device-android-company-portal/android-privacy-screen-1911.png" alt-text="Screenshot of the Company Portal 'We care about your privacy' screen, highlighting the 'Continue' button."::: + 4. Review what to expect in the upcoming steps. Then tap **NEXT**. - ![Screenshot of Company Portal, What's next screen, highlighting the Next button.](./media/enroll-device-android-company-portal/android-whats-next-1911.png) + :::image type="content" source="./media/enroll-device-android-company-portal/android-whats-next-1911.png" lightbox="./media/enroll-device-android-company-portal/android-whats-next-1911.png" alt-text="Screenshot of the Company Portal 'What's next' screen, highlighting the 'Next' button."::: 5. Depending on your version of Android, you might be prompted to allow access to certain parts of your device. These prompts are a Google requirement and not controlled by Microsoft. 
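Review bot: The empty `+` line added after the "We care about your privacy" image (the hunk grows from 16 to 17 lines) is unrelated to the alt-text fix and should be dropped. In the step 4 alt text, the screen name is wrapped in single quotes and also contains an apostrophe (`'What's next'`), which is hard to parse when read aloud; reword so the name is not quoted, or use a form without the inner quotes. Each `lightbox` value repeats the `source` path, so confirm a lightbox is actually wanted for these screenshots.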
@@ -79,7 +80,7 @@ During enrollment, you might be asked to choose a category that best describes h Company Portal needs device administrator permissions to securely manage your device. Activating the app lets your organization identify possible security issues, such as repeated failed attempts to unlock your device, and respond appropriately. - ![Screenshot of the Activate device administrator screen, highlighting the activate button.](./media/enroll-device-android-company-portal/activate-device-administrator-1911.png) + :::image type="content" source="./media/enroll-device-android-company-portal/activate-device-administrator-1911.png" lightbox="./media/enroll-device-android-company-portal/activate-device-administrator-1911.png" alt-text="Screenshot of the Activate Device Administrator screen, highlighting the 'Activate' button."::: > [!NOTE] > Microsoft does not control the messaging on this screen. We understand that its phrasing can seem somewhat drastic. Company Portal can't specify which restrictions and access are relevant to your organization. If you have questions about how your organization uses the app, contact your IT support person. Go to the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980) to find your organization's contact information. 
@@ -89,15 +90,15 @@ During enrollment, you might be asked to choose a category that best describes h 8. On the **Company Access Setup** screen, check that your device is enrolled. Then tap **CONTINUE**. - ![Screenshot of Company Portal, Company Access Setup screen, showing Get your device managed is complete.](./media/enroll-device-android-company-portal/update-settings-1911.png) + :::image type="content" source="./media/enroll-device-android-company-portal/update-settings-1911.png" lightbox="./media/enroll-device-android-company-portal/update-settings-1911.png" alt-text="Screenshot of the Company Portal 'Company Access Setup' screen, showing 'Get your device managed is complete' message."::: 9. Your organization might require you to update your device settings. Tap **RESOLVE** to adjust a setting. When you're done updating settings, tap **CONTINUE**. - ![Screenshot of Company Portal, Update device settings, highlighting Resolve and Continue buttons.](./media/enroll-device-android-company-portal/resolve-settings-1911.png) + :::image type="content" source="./media/enroll-device-android-company-portal/resolve-settings-1911.png" lightbox="./media/enroll-device-android-company-portal/resolve-settings-1911.png" alt-text="Screenshot of the Company Portal 'Update device settings' screen, highlighting the 'Resolve' and 'Continue' buttons."::: 10. When setup is complete, tap **DONE**. - ![Screenshot of Company Portal, Company Access Setup screen, showing completed setup and highlighting Done button.](./media/enroll-device-android-company-portal/android-enrollment-done-1911.png) + :::image type="content" source="./media/enroll-device-android-company-portal/android-enrollment-done-1911.png" lightbox="./media/enroll-device-android-company-portal/android-enrollment-done-1911.png" alt-text="Screenshot of the Company Portal 'Company Access Setup' screen, showing completed setup and highlighting the 'Done' button."::: ## Next steps 
From e5f20223742563f1d2c36e438950b3aeea5d201e Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Wed, 11 Dec 2024 05:45:05 +0530 Subject: [PATCH 044/237] alt-text fixed-1 --- .../enroll-device-android-company-portal.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/memdocs/intune/user-help/enroll-device-android-company-portal.md b/memdocs/intune/user-help/enroll-device-android-company-portal.md index 8c025c91713..929d93a2c50 100644 --- a/memdocs/intune/user-help/enroll-device-android-company-portal.md +++ b/memdocs/intune/user-help/enroll-device-android-company-portal.md 
@@ -55,17 +55,17 @@ During enrollment, you might be asked to choose a category that best describes h 2. If you're prompted to accept your organization's terms and conditions, tap **ACCEPT ALL**. - :::image type="content" source="./media/enroll-device-android-company-portal/accept-terms-1911.png" lightbox="./media/enroll-device-android-company-portal/accept-terms-1911.png" alt-text="Screenshot of the Company Portal Terms screen, highlighting the 'Accept all' button."::: + ![Screenshot of the Company Portal, Terms screen, highlighting "Accept all" button.](./media/enroll-device-android-company-portal/accept-terms-1911.png) 3. Review what your organization can and can't see. Then tap **CONTINUE**. - :::image type="content" source="./media/enroll-device-android-company-portal/android-privacy-screen-1911.png" lightbox="./media/enroll-device-android-company-portal/android-privacy-screen-1911.png" alt-text="Screenshot of the Company Portal 'We care about your privacy' screen, highlighting the 'Continue' button."::: + ![Screenshot of Company Portal, We care about your privacy screen, highlighting the Continue button.](./media/enroll-device-android-company-portal/android-privacy-screen-1911.png) 4. Review what to expect in the upcoming steps. Then tap **NEXT**. - :::image type="content" source="./media/enroll-device-android-company-portal/android-whats-next-1911.png" lightbox="./media/enroll-device-android-company-portal/android-whats-next-1911.png" alt-text="Screenshot of the Company Portal 'What's next' screen, highlighting the 'Next' button."::: + ![Screenshot of Company Portal, What's next screen, highlighting the Next button.](./media/enroll-device-android-company-portal/android-whats-next-1911.png) 5. Depending on your version of Android, you might be prompted to allow access to certain parts of your device. These prompts are a Google requirement and not controlled by Microsoft. 
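Review bot: The subject "alt-text fixed-1" does not match this hunk, which restores the earlier `![...]` image lines for steps 2 to 4 and deletes the `:::image` lines with the revised alt text that the previous commit added. If the revert is intended, say so in the commit message and give the reason. The header is `-55,17 +55,17`, so the extra empty line introduced by the previous commit stays in the file and should be removed here as well.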
@@ -80,7 +80,7 @@ During enrollment, you might be asked to choose a category that best describes h Company Portal needs device administrator permissions to securely manage your device. Activating the app lets your organization identify possible security issues, such as repeated failed attempts to unlock your device, and respond appropriately. - :::image type="content" source="./media/enroll-device-android-company-portal/activate-device-administrator-1911.png" lightbox="./media/enroll-device-android-company-portal/activate-device-administrator-1911.png" alt-text="Screenshot of the Activate Device Administrator screen, highlighting the 'Activate' button."::: + ![Screenshot of the Activate device administrator screen, highlighting the activate button.](./media/enroll-device-android-company-portal/activate-device-administrator-1911.png) > [!NOTE] > Microsoft does not control the messaging on this screen. We understand that its phrasing can seem somewhat drastic. Company Portal can't specify which restrictions and access are relevant to your organization. If you have questions about how your organization uses the app, contact your IT support person. Go to the [Company Portal website](https://go.microsoft.com/fwlink/?linkid=2010980) to find your organization's contact information. 
@@ -90,15 +90,15 @@ During enrollment, you might be asked to choose a category that best describes h 8. On the **Company Access Setup** screen, check that your device is enrolled. Then tap **CONTINUE**. - :::image type="content" source="./media/enroll-device-android-company-portal/update-settings-1911.png" lightbox="./media/enroll-device-android-company-portal/update-settings-1911.png" alt-text="Screenshot of the Company Portal 'Company Access Setup' screen, showing 'Get your device managed is complete' message."::: + ![Screenshot of Company Portal, Company Access Setup screen, showing Get your device managed is complete.](./media/enroll-device-android-company-portal/update-settings-1911.png) 9. Your organization might require you to update your device settings. Tap **RESOLVE** to adjust a setting. When you're done updating settings, tap **CONTINUE**. - :::image type="content" source="./media/enroll-device-android-company-portal/resolve-settings-1911.png" lightbox="./media/enroll-device-android-company-portal/resolve-settings-1911.png" alt-text="Screenshot of the Company Portal 'Update device settings' screen, highlighting the 'Resolve' and 'Continue' buttons."::: + ![Screenshot of Company Portal, Update device settings, highlighting Resolve and Continue buttons.](./media/enroll-device-android-company-portal/resolve-settings-1911.png) 10. When setup is complete, tap **DONE**. - :::image type="content" source="./media/enroll-device-android-company-portal/android-enrollment-done-1911.png" lightbox="./media/enroll-device-android-company-portal/android-enrollment-done-1911.png" alt-text="Screenshot of the Company Portal 'Company Access Setup' screen, showing completed setup and highlighting the 'Done' button."::: + ![Screenshot of Company Portal, Company Access Setup screen, showing completed setup and highlighting Done button.](./media/enroll-device-android-company-portal/android-enrollment-done-1911.png) ## Next steps 
From f6da88dacb8710d4b7f5352db35972bf0c93e40e Mon Sep 17 00:00:00 2001 From: CharlieLinMS <119984924+CharlieLinMS@users.noreply.github.com> Date: Wed, 11 Dec 2024 13:34:16 +0800 Subject: [PATCH 045/237] Update manage-microsoft-edge.md --- memdocs/intune/apps/manage-microsoft-edge.md | 21 +++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/apps/manage-microsoft-edge.md b/memdocs/intune/apps/manage-microsoft-edge.md index 51ec4fd0a3d..3bdf9c1bb35 100644 --- a/memdocs/intune/apps/manage-microsoft-edge.md +++ b/memdocs/intune/apps/manage-microsoft-edge.md @@ -590,6 +590,16 @@ You can configure a policy to enhance users' experience. This policy is recommen |:--|:----| |com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork |**1**: (Default) Switch to work profile even if the URL is blocked by Edge policy.
**2**: The blocked URLs will open under personal profile if personal profile is signed in. If personal profile is not signed in, the blocked URL will opened in InPrivate mode. | +#### Manage Sub Resource Blocking +By default, AllowListURLs and BlockListURLs apply only at the navigation level. When you embed blocked URLs (either URLs configured in BlockListURLs or URLs not configured in AllowListURLs) as sub resources within a web page, those sub resource URLs are not blocked. To further restrict these sub resources, you can configure a policy to block the sub resource URLs. + +|Key |Value | +|:--|:----| +|com.microsoft.intune.mam.managedbrowser.ManageRestrictedSubresourceEnabled |**false**: (Default) Sub resource URLs will not be blocked even if the sub resource URLs are blocked.
**true**: Sub resource URLs will be blocked if they are listed as blocked. | + +> [!NOTE] +> It is recommended to use this policy in conjunction with BlockListURLs. If used with AllowListURLs, ensure that all subresource URLs are included in the AllowListURLs. Otherwise, some sub resources may fail to load + #### URL formats for allowed and blocked site list You can use various URL formats to build your allowed/blocked sites lists. These permitted patterns are detailed in the following table. @@ -600,7 +610,8 @@ You can use various URL formats to build your allowed/blocked sites lists. These - You can specify port numbers in the address. If you do not specify a port number, the values used are: - Port 80 for http - Port 443 for https -- Using wildcards for the port number is **not** supported. For example, `http://www.contoso.com:*` and `http://www.contoso.com:*/` aren't supported. +- Using wildcards for the port number is supported. For example, you can specify `http://www.contoso.com:*` and `http://www.contoso.com:*/`. +- Specifying IPv4 addresses with or without CIDR notation is supported. For example, you can specify 127.0.0.1 (a single IP address) or 127.0.0.1/24 (a range of IP addresses) |URL |Details |Matches |Does not match | |:----|:-------|:----------|:----------------| @@ -613,6 +624,12 @@ You can use various URL formats to build your allowed/blocked sites lists. These |`http://www.contoso.com:80`|Matches a single page, by using a port number |`www.contoso.com:80`| | |`https://www.contoso.com`|Matches a single, secure page|`www.contoso.com`|`www.contoso.com/images`| |`http://www.contoso.com/images/*` |Matches a single folder and all subfolders |`www.contoso.com/images/dogs`
`www.contoso.com/images/cats` | `www.contoso.com/videos`| + |`http://contoso.com:*` |Matches any port number for the HTTP service |`contoso.com:80`
`contoso.com:8080` | `contoso.com:443`| + |`https://contoso.com:*` |Matches any port number for the HTTPs service |`contoso.com:443`
`contoso.com:8443` | `contoso.com:80`| + |`http://192.168.1.1` |Matches a single IP address |`192.168.1.1`| `192.168.1.2`| + |`http://192.168.1.1:*` |Matches any port number for a single IP address |`192.168.1.1:8080`| `192.168.1.2:8080`| + |`http://10.0.0.0/24` |Matches a range of IP addresses from 10.0.0.0 to 10.0.0.255 |`10.0.0.0`
`10.0.0.100`| `192.168.1.1`| + - The following are examples of some of the inputs that you can't specify: - `*.com` @@ -620,10 +637,8 @@ You can use various URL formats to build your allowed/blocked sites lists. These - `www.contoso.com/*images` - `www.contoso.com/*images*pigs` - `www.contoso.com/page*` - - IP addresses - `https://*` - `http://*` - - `http://www.contoso.com:*` - `http://www.contoso.com: /*` ### Disable Edge internal pages From 1f09f50edbe888a724cc7b75d4bdb15a506faea9 Mon Sep 17 00:00:00 2001 From: Palika Singh <97435621+PalikaSingh@users.noreply.github.com> Date: Wed, 11 Dec 2024 11:25:03 +0530 Subject: [PATCH 046/237] Update whats-new-in-version-2409.md updated SR related changes --- .../plan-design/changes/whats-new-in-version-2409.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2409.md b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2409.md index bd359f150fb..dbb64c27131 100644 --- a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2409.md +++ b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2409.md @@ -93,8 +93,6 @@ CMG Setup now uses managed Identities and third-party **Server App** to interact - Upgrade SQL 2012 or 2014 Express, Standard, Enterprise edition to SQl 2016 or latest version. **VC++ Redistributable Version** need to be upgraded to latest version on **Secondary sites**. [Download Latest Microsoft Visual C++ Redistributable Version](https://aka.ms/vs/17/release/vc_redist.x64.exe). - - Site base bootable media in SSL & Non-SSL session using CMG cert will not work. For more information, see [Create boot media to use a CMG](../../../osd/deploy-use/deploy-task-sequence-over-internet.md#bootable-media-support-for-cloud-based-content) - ## Other Updates ### Performance Enhancement of policy processing and collection evaluation 
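Review bot: In the manage-microsoft-edge.md change (PATCH 045/237), the `false` description for `ManageRestrictedSubresourceEnabled` is circular: "Sub resource URLs will not be blocked even if the sub resource URLs are blocked." State the condition in terms of the lists, for example that sub resources still load when their URL is in BlockListURLs or absent from AllowListURLs, because an administrator relying on the block list needs to know that embedded content is not covered by default. In the new CIDR bullet, `127.0.0.1/24` has host bits set and is a loopback address; use a network-address form like the `10.0.0.0/24` row added to the table. Removing "IP addresses" from the unsupported list while the bullet mentions only IPv4 leaves IPv6 undefined, so say whether it is supported. The NOTE is missing its final period, and the text mixes "sub resource" and "subresource".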
@@ -112,11 +110,12 @@ For more information, see [Removed and deprecated features for Configuration Man ## Next steps -At this time, version 2409 is released for the early update ring. To install this update, you need to opt in. For more information, see [Early update ring](../../servers/manage/checklist-for-installing-update-2409.md#early-update-ring). + + +As of December 11, 2024, version 2409 is globally available for all customers to install. - - - +>[!NOTE] +>For exisiting Fast ring current branch 2409 customers, you will see Slow ring upgrade package in console. Install 2409 Slow ring package to be in production current branch. When you're ready to install this version, see [Installing updates for Configuration Manager](../../servers/manage/updates.md) and [Checklist for installing update 2409](../../servers/manage/checklist-for-installing-update-2409.md). From 970da515bfdc65e873a5fb3c2152303c8fede339 Mon Sep 17 00:00:00 2001 From: Palika Singh <97435621+PalikaSingh@users.noreply.github.com> Date: Wed, 11 Dec 2024 11:30:01 +0530 Subject: [PATCH 047/237] Update checklist-for-installing-update-2409.md SR related changes --- .../manage/checklist-for-installing-update-2409.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/memdocs/configmgr/core/servers/manage/checklist-for-installing-update-2409.md b/memdocs/configmgr/core/servers/manage/checklist-for-installing-update-2409.md index b3df7c9dc9f..2fe510acf73 100644 --- a/memdocs/configmgr/core/servers/manage/checklist-for-installing-update-2409.md +++ b/memdocs/configmgr/core/servers/manage/checklist-for-installing-update-2409.md 
@@ -65,11 +65,11 @@ The first time you use a Configuration Manager console after the update has fini -At this time, version 2409 is released for the early update ring. To install this update, you need to opt-in. The following PowerShell script adds your hierarchy or standalone primary site to the early update ring for version 2409: + -Microsoft digitally signs the script, and bundles it inside a signed self-extracting executable. + - +As of December 11 , 2024, version 2409 is globally available for all customers to install. If you previously opted in to the early update ring, watch for an update to this current branch version. ## Pre-update checklist From c74a506f94ebcf98c28f5f8f8a7768f530a44e7d Mon Sep 17 00:00:00 2001 From: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com> Date: Wed, 11 Dec 2024 11:49:53 +0530 Subject: [PATCH 048/237] Pencil edit --- .../core/plan-design/changes/whats-new-in-version-2409.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2409.md b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2409.md index b142b26449b..9de89b37b44 100644 --- a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2409.md +++ b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2409.md 
@@ -103,7 +103,7 @@ The performance of policy processing and collection evaluation has been enhanced Learn about support changes before they're implemented in [removed and deprecated items](deprecated/removed-and-deprecated.md). - - MDT Integration with CM and Standalone is no longer supported with Configuration Manager deprecation first announced in Decemeber 2024 and planned end of support the first release after Oct 10, 2025. Customers should remove MDT Task sequence steps, followed by removing MDT integration, to avoid TS corruption and modification failures. + - MDT Integration with CM and Standalone is no longer supported with Configuration Manager deprecation first announced in December 2024 and planned end of support the first release after Oct 10, 2025. Customers should remove MDT Task sequence steps, followed by removing MDT integration, to avoid TS corruption and modification failures. For more information, see [Removed and deprecated features for Configuration Manager.](deprecated/removed-and-deprecated-cmfeatures.md). From 5838cf35fb4d6094751a3b5e1363172f6bd221b9 Mon Sep 17 00:00:00 2001 From: CharlieLinMS <119984924+CharlieLinMS@users.noreply.github.com> Date: Wed, 11 Dec 2024 15:50:43 +0800 Subject: [PATCH 049/237] Update manage-microsoft-edge.md --- memdocs/intune/apps/manage-microsoft-edge.md | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/memdocs/intune/apps/manage-microsoft-edge.md b/memdocs/intune/apps/manage-microsoft-edge.md index 3bdf9c1bb35..a736bc96952 100644 --- a/memdocs/intune/apps/manage-microsoft-edge.md +++ b/memdocs/intune/apps/manage-microsoft-edge.md @@ -561,8 +561,8 @@ Use the following key/value pairs to configure either an allowed or blocked site |:--|:----| |com.microsoft.intune.mam.managedbrowser.AllowListURLs

This policy name has been replaced by the UI of **Allowed URLs** under Edge Configuration settings|The corresponding value for the key is a list of URLs. You enter all the URLs you want to allow as a single value, separated by a pipe `|` character.

**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` | |com.microsoft.intune.mam.managedbrowser.BlockListURLs

This policy name has been replaced by the UI of **Blocked URLs** under Edge Configuration settings|The corresponding value for the key is a list of URLs. You enter all the URLs you want to block as a single value, separated by a pipe `|` character.

**Examples:**
`URL1|URL2|URL3`
`http://www.contoso.com/|https://www.bing.com/|https://expenses.contoso.com` | -|com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock |**true** (default) allows Edge for iOS and Android to transition restricted sites. When personal accounts aren't disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users have the capability of opening the restricted site in the InPrivate context.
**false** prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that the site they are trying to access is blocked. | -|com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked

This policy name has been replaced by the UI of **Redirect restricted sites to personal context** under Edge Configuration settings |**true** allows restricted sites to be opened in the Microsoft Entra account's InPrivate context. If the Microsoft Entra account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switch to the personal account.
**false** (default) requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, then the site is blocked.
In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true. | +|com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock

This policy name has been replaced by the UI of **Redirect restricted sites to personal context** under Edge Configuration settings|**true** (default) allows Edge for iOS and Android to transition restricted sites. When personal accounts aren't disabled, users are prompted to either switch to the personal context to open the restricted site, or to add a personal account. If com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked is set to true, users have the capability of opening the restricted site in the InPrivate context.
**false** prevents Edge for iOS and Android from transitioning users. Users are simply shown a message stating that the site they are trying to access is blocked. | +|com.microsoft.intune.mam.managedbrowser.openInPrivateIfBlocked |**true** allows restricted sites to be opened in the Microsoft Entra account's InPrivate context. If the Microsoft Entra account is the only account configured in Edge for iOS and Android, the restricted site is opened automatically in the InPrivate context. If the user has a personal account configured, the user is prompted to choose between opening InPrivate or switch to the personal account.
**false** (default) requires the restricted site to be opened in the user's personal account. If personal accounts are disabled, then the site is blocked.
In order for this setting to take effect, com.microsoft.intune.mam.managedbrowser.AllowTransitionOnBlock must be set to true. | |com.microsoft.intune.mam.managedbrowser.durationOfOpenInPrivateSnackBar | Enter the number of seconds that users will see the snack bar notification "Access to this site is blocked by your organization. We’ve opened it in InPrivate mode for you to access the site." By default, the snack bar notification is shown for 7 seconds.| The following sites except copilot.microsoft.com are always allowed regardless of the defined allow list or block list settings: @@ -610,8 +610,8 @@ You can use various URL formats to build your allowed/blocked sites lists. These - You can specify port numbers in the address. If you do not specify a port number, the values used are: - Port 80 for http - Port 443 for https -- Using wildcards for the port number is supported. For example, you can specify `http://www.contoso.com:*` and `http://www.contoso.com:*/`. -- Specifying IPv4 addresses with or without CIDR notation is supported. For example, you can specify 127.0.0.1 (a single IP address) or 127.0.0.1/24 (a range of IP addresses) +- Using wildcards for the port number is supported in Edge for iOS only. For example, you can specify `http://www.contoso.com:*` and `http://www.contoso.com:*/`. +- Specifying IPv4 addresses with CIDR notation is supported. For example, you can specify 127.0.0.1/24 (a range of IP addresses). |URL |Details |Matches |Does not match | |:----|:-------|:----------|:----------------| @@ -624,14 +624,10 @@ You can use various URL formats to build your allowed/blocked sites lists. These |`http://www.contoso.com:80`|Matches a single page, by using a port number |`www.contoso.com:80`| | |`https://www.contoso.com`|Matches a single, secure page|`www.contoso.com`|`www.contoso.com/images`| |`http://www.contoso.com/images/*` |Matches a single folder and all subfolders |`www.contoso.com/images/dogs`
`www.contoso.com/images/cats` | `www.contoso.com/videos`| - |`http://contoso.com:*` |Matches any port number for the HTTP service |`contoso.com:80`
`contoso.com:8080` | `contoso.com:443`| - |`https://contoso.com:*` |Matches any port number for the HTTPs service |`contoso.com:443`
`contoso.com:8443` | `contoso.com:80`| - |`http://192.168.1.1` |Matches a single IP address |`192.168.1.1`| `192.168.1.2`| - |`http://192.168.1.1:*` |Matches any port number for a single IP address |`192.168.1.1:8080`| `192.168.1.2:8080`| - |`http://10.0.0.0/24` |Matches a range of IP addresses from 10.0.0.0 to 10.0.0.255 |`10.0.0.0`
`10.0.0.100`| `192.168.1.1`| + |`http://contoso.com:*` |Matches any port number for a single page |`contoso.com:80`
`contoso.com:8080` | | + |`10.0.0.0/24` |Matches a range of IP addresses from 10.0.0.0 to 10.0.0.255 |`10.0.0.0`
`10.0.0.100`| `192.168.1.1`| - -- The following are examples of some of the inputs that you can't specify: + - The following are examples of some of the inputs that you can't specify: - `*.com` - `*.contoso/*` - `www.contoso.com/*images` From b90fdb05b8215586a4a4a01e557ea2d6e8df4b5d Mon Sep 17 00:00:00 2001 From: CharlieLinMS <119984924+CharlieLinMS@users.noreply.github.com> Date: Wed, 11 Dec 2024 15:58:33 +0800 Subject: [PATCH 050/237] Update manage-microsoft-edge.md --- memdocs/intune/apps/manage-microsoft-edge.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/apps/manage-microsoft-edge.md b/memdocs/intune/apps/manage-microsoft-edge.md index a736bc96952..a98bbdc6483 100644 --- a/memdocs/intune/apps/manage-microsoft-edge.md +++ b/memdocs/intune/apps/manage-microsoft-edge.md @@ -591,14 +591,16 @@ You can configure a policy to enhance users' experience. This policy is recommen |com.microsoft.intune.mam.managedbrowser.ProfileAutoSwitchToWork |**1**: (Default) Switch to work profile even if the URL is blocked by Edge policy.
**2**: The blocked URLs will open under personal profile if personal profile is signed in. If personal profile is not signed in, the blocked URL will opened in InPrivate mode. | #### Manage Sub Resource Blocking -By default, AllowListURLs and BlockListURLs apply only at the navigation level. When you embed blocked URLs (either URLs configured in BlockListURLs or URLs not configured in AllowListURLs) as sub resources within a web page, those sub resource URLs are not blocked. To further restrict these sub resources, you can configure a policy to block the sub resource URLs. +By default, AllowListURLs and BlockListURLs apply only at the navigation level. When you embed blocked URLs (either URLs configured in BlockListURLs or URLs not configured in AllowListURLs) as sub resources within a web page, those sub resource URLs are not blocked. + +To further restrict these sub resources, you can configure a policy to block the sub resource URLs. |Key |Value | |:--|:----| |com.microsoft.intune.mam.managedbrowser.ManageRestrictedSubresourceEnabled |**false**: (Default) Sub resource URLs will not be blocked even if the sub resource URLs are blocked.
**true**: Sub resource URLs will be blocked if they are listed as blocked. | > [!NOTE] -> It is recommended to use this policy in conjunction with BlockListURLs. If used with AllowListURLs, ensure that all subresource URLs are included in the AllowListURLs. Otherwise, some sub resources may fail to load +> It is recommended to use this policy in conjunction with BlockListURLs. If used with AllowListURLs, ensure that all sub resource URLs are included in the AllowListURLs. Otherwise, some sub resources may fail to load #### URL formats for allowed and blocked site list From aec3bb820b478bfff7478da7a6d8bfe808d005d1 Mon Sep 17 00:00:00 2001 From: Anders Ahl <58516456+GenerAhl@users.noreply.github.com> Date: Wed, 11 Dec 2024 11:48:09 +0100 Subject: [PATCH 051/237] Update device-profile-troubleshoot.md We preface the article with a statement that since 2022, Windows 8.1 is no longer supported. Because of this, there's no need to be explicit with policy refresh times on an OS that isn't supported. --- memdocs/intune/configuration/device-profile-troubleshoot.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/memdocs/intune/configuration/device-profile-troubleshoot.md b/memdocs/intune/configuration/device-profile-troubleshoot.md index 45ae7faf526..033ed40794f 100644 --- a/memdocs/intune/configuration/device-profile-troubleshoot.md +++ b/memdocs/intune/configuration/device-profile-troubleshoot.md @@ -58,7 +58,6 @@ If a device doesn't check in to get the policy or profile after the first notifi | iOS/iPadOS | About every 8 hours | | macOS | About every 8 hours | | Windows 10/11 PCs enrolled as devices | About every 8 hours | -| Windows 8.1 | About every 8 hours | If devices recently enroll, then the compliance, noncompliance, and configuration check-in runs more frequently. The check-ins are **estimated** at: 
@@ -68,7 +67,6 @@ If devices recently enroll, then the compliance, noncompliance, and configuratio | iOS/iPadOS | Every 15 minutes for 1 hour, and then around every 8 hours | | macOS | Every 15 minutes for 1 hour, and then around every 8 hours | | Windows 10/11 PCs enrolled as devices | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours | -| Windows 8.1 | Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours | For app protection policy refresh intervals, go to [App Protection Policy delivery timing](../apps/app-protection-policy-delivery.md). From 5c301317ed4fe6ec9d12027efaccbab4ea52eaac Mon Sep 17 00:00:00 2001 From: Madison Holdaas <41927737+maholdaa@users.noreply.github.com> Date: Wed, 11 Dec 2024 09:53:06 -0800 Subject: [PATCH 052/237] Update corporate-identifiers-add.md Found issue with corporate identifier implementation for Windows - it only applies at enrollment time. Making updates to lines that suggest otherwise and adding it as a known issue/limitation until it can be changed. --- memdocs/intune/enrollment/corporate-identifiers-add.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/memdocs/intune/enrollment/corporate-identifiers-add.md b/memdocs/intune/enrollment/corporate-identifiers-add.md index 83e3a98b573..a73f24b66cf 100644 --- a/memdocs/intune/enrollment/corporate-identifiers-add.md +++ b/memdocs/intune/enrollment/corporate-identifiers-add.md 
@@ -120,7 +120,7 @@ Android serial numbers aren't guaranteed to be unique or present. Check with you ### Add Windows corporate identifiers > [!IMPORTANT] -> Corporate identifiers are supported for devices running Windows 10 KB5039299 (with OS Build 19045.4598) and later. If you're enrolling Windows 10 devices with an earlier build, do not use the corporate identifier feature. +> Windows corporate identifiers are only applied at enrollment, they do not determine Ownership type in Intune after enrollment. They are also only supported for devices running Windows 10 KB5039299 (with OS Build 19045.4598) and later. If you're enrolling Windows 10 devices with an earlier build, do not use the corporate identifier feature. To add corporate identifiers for corporate devices running Windows 11, list the manufacturer, model, and serial number for each device as shown in the following example. 
@@ -131,11 +131,11 @@ Lenovo,thinkpad t14,02234567890123 Remove all periods, if applicable, from the serial number before you add it to the file. -After you add Windows corporate identifiers, Intune marks devices that match all three identifiers as corporate-owned, and marks all other enrolling devices in your tenant as personal. This means that anything you exclude from the Windows corporate identifiers is marked personal. To change the ownership type after enrollment, you have to manually adjust it in the admin center. +After you add Windows corporate identifiers, Intune marks devices that match all three identifiers as corporate-owned, and marks all other enrolling devices in your tenant as personal. This means that anything you exclude from the Windows corporate identifiers is marked personal, but only at enrollment. Existing Windows logic determines final state in Intune, see table below. To change the ownership type in Intune, you have to manually adjust it in the admin center. :::image type="content" source="./media/corporate-identifiers-add/device-enrollment-add-identifiers.png" alt-text="Screenshot of selecting and adding corporate identifiers."::: -The following table lists the type of ownership given to devices when they enroll without corporate identifiers and when they enroll with corporate identifiers. +The following table lists the type of ownership given to devices when they enroll without corporate identifiers and when they enroll with corporate identifiers. **Reminder** - corporate identifiers only change the device state *at enrollment time* - this means that after enrolling, a device state will match what you see in the **Without corporate identifiers** column in the table. |Windows enrollment types | Without corporate identifiers | With corporate identifiers | |---|---|---| 
@@ -153,7 +153,7 @@ The following table lists the type of ownership given to devices when they enrol | [Enrollment using the Intune Company Portal app](../user-help/enroll-windows-10-device.md) | Personal | Personal, unless defined by corporate identifiers | | Enrollment via a Microsoft 365 app, which occurs when users select the **Allow my organization to manage my device** option during app sign-in | Personal | Personal, unless defined by corporate identifiers | -Windows corporate identifiers can only change ownership type if someone adds them to Microsoft Intune. If you don't have corporate identifiers for Windows in Intune, or if you remove them, devices that are Microsoft Entra domain joined are marked as corporate-owned. This includes devices enrolled via [automatic MDM enrollment](windows-enroll.md#enable-windows-automatic-enrollment) with: +Windows corporate identifiers can only change ownership type if someone adds them to Microsoft Intune. If you don't have corporate identifiers for Windows in Intune, or if you remove them, devices that are Microsoft Entra domain joined are marked as corporate-owned at enrollment. This includes devices enrolled via [automatic MDM enrollment](windows-enroll.md#enable-windows-automatic-enrollment) with: - [Microsoft Entra join during Windows setup](/azure/active-directory/device-management-azuread-joined-devices-frx). 
@@ -247,6 +247,7 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen ## Known issues and limitations +- Windows corporate device identifiers apply only at enrollment time - meaning a device that has corporate identifiers uploaded, then enrolls using the **Add Work Account from Windows Settings** option, will be marked **Corporate** at enrollment, treated as a **Corporate** device for enrollment restriction evaluation, but then will show as a **Personal** device in the admin center. Admins should expect the **Without corporate identifiers** column in the table above to determine what devices will remain Corporate or Personal in their tenant for longterm. - Windows corporate device identifiers are only supported for devices running: - Windows 10 version 22H2 (OS build 19045.4598) or later. From 634cc0fb8bfeba33f5b246c353a901cf6742e7e8 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 11 Dec 2024 12:55:06 -0500 Subject: [PATCH 053/237] Update android-device-administrator-support.md PM feedback --- .../intune/includes/android-device-administrator-support.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/includes/android-device-administrator-support.md b/memdocs/intune/includes/android-device-administrator-support.md index 3f3fa72c642..5fd923c6c12 100644 --- a/memdocs/intune/includes/android-device-administrator-support.md +++ b/memdocs/intune/includes/android-device-administrator-support.md @@ -4,7 +4,7 @@ description: include file author: lenewsad ms.service: microsoft-intune ms.topic: include -ms.date: 12/09/2024 +ms.date: 12/31/2024 ms.author: lanewsad ms.custom: include file ms.collection: 
@@ -13,4 +13,4 @@ ms.collection: --- > [!IMPORTANT] -> Android device administrator management is deprecated and no longer available for devices with access to Google Mobile Services (GMS). If you currently use device administrator management, we recommend switching to another Android management option. For more information, see [Ending support for Android device administrator on GMS devices](https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-intune-ending-support-for-android-device-administrator/ba-p/3915443). Support and help documentation remain available for devices without GMS, running Android 15 and earlier. +> Android device administrator management is deprecated and no longer available for devices with access to Google Mobile Services (GMS). If you currently use device administrator management, we recommend switching to another Android management option. Support and help documentation remain available for some devices without GMS, running Android 15 and earlier. For more information, see [Ending support for Android device administrator on GMS devices](https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-intune-ending-support-for-android-device-administrator/ba-p/3915443). From 93695f2ee48d22c1f35bb29db5b8823b69fc622e Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 11 Dec 2024 13:10:43 -0500 Subject: [PATCH 054/237] Update multi-factor-authentication.md Freshness check date --- memdocs/intune/enrollment/multi-factor-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/multi-factor-authentication.md b/memdocs/intune/enrollment/multi-factor-authentication.md index 6e3ddcc3ad1..6668def27e4 100644 --- a/memdocs/intune/enrollment/multi-factor-authentication.md +++ b/memdocs/intune/enrollment/multi-factor-authentication.md 
@@ -8,7 +8,7 @@ keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 11/19/2024 +ms.date: 12/11/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment From 1ed5bb4ecd2f970d208aa9e53b16ce91b6423540 Mon Sep 17 00:00:00 2001 From: Madison Holdaas <41927737+maholdaa@users.noreply.github.com> Date: Wed, 11 Dec 2024 10:18:57 -0800 Subject: [PATCH 055/237] Update filters-performance-recommendations.md In response to current CRI - want to add note here and in enrollment sections about time latency between adding users, groups, and enrolling devices in relation to using filters. --- .../intune/fundamentals/filters-performance-recommendations.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/memdocs/intune/fundamentals/filters-performance-recommendations.md b/memdocs/intune/fundamentals/filters-performance-recommendations.md index ac621616ac3..e55b3fbffa8 100644 --- a/memdocs/intune/fundamentals/filters-performance-recommendations.md +++ b/memdocs/intune/fundamentals/filters-performance-recommendations.md 
@@ -89,6 +89,9 @@ These recommendations focus on improving performance and reducing latency in wor Larger groups take longer to sync membership updates between Microsoft Entra ID and Intune. The **All users** and **All devices** are usually the largest groups you have. If you assign Intune workloads to large Microsoft Entra groups that have many users or devices, then synchronization backlogs can happen in your Intune environment. This backlog impacts policy and app deployments, which take longer to reach managed devices. +> [!IMPORTANT] +> The update from Entra to Intune is relatively quick, typically within 5 minutes or so, but it is not instantaneous. This is most crucial for enrollment assignments, admins should try to enroll devices only after several minutes, and not immediately after adding the enrolling users to a group, for optimal performance throughout Intune. + The built-in **All users** and **All devices** groups are Intune-only grouping objects that don't exist in Microsoft Entra ID. There isn't a continuous sync between Microsoft Entra ID and Intune. So, group membership is instant. > [!NOTE] From 7a53432199085a9cca8449bb1dbcebc704d55384 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 11 Dec 2024 13:25:21 -0500 Subject: [PATCH 056/237] Update apple-account-driven-user-enrollment.md Style edits --- .../enrollment/apple-account-driven-user-enrollment.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md b/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md index 16fd891d2fa..54ec71f20cd 100644 --- a/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md +++ b/memdocs/intune/enrollment/apple-account-driven-user-enrollment.md 
@@ -52,7 +52,7 @@ Before beginning setup, complete the following tasks: You also need to set up service discovery so that Apple can reach the Intune service and retrieve enrollment information. To do this, set up and publish an HTTP well-known resource file on the same domain that employees sign into. Apple retrieves the file via an HTTP GET request to `“https://contoso.com/.well-known/com.apple.remotemanagement”`, with your organization's domain in place of `contoso.com`. Publish the file on a domain that can handle HTTP GET requests. > [!NOTE] -> The well-known resource file must be saved *without* a file extension (e.g. .json) to function correctly. +> The well-known resource file must be saved without a file extension, such as .json, to function correctly. Create the file in JSON format, with the content type set to `application/json`. We've provided the following JSON samples that you can copy and paste into your file. Use the one that aligns with your environment. Replace the *YourAADTenantID* variable in the base URL with your organization's Microsoft Entra tenant ID. 
@@ -77,8 +77,8 @@ The rest of the JSON sample is populated with all of the information you need, i * Version: The server version is `mdm-byod`. * BaseURL: This URL is the location where the Intune service resides. -> [!NOTE] -> For more information on the technical requirements for service discovery, refer to the Apple documentation: [Implementing the simple authentication user-enrollment flow](https://developer.apple.com/documentation/devicemanagement/user_enrollment/onboarding_users_with_account_sign-in/implementing_the_simple_authentication_user-enrollment_flow) +> [!TIP] +> For more information about the technical requirements for service discovery, see [Implementing the simple authentication user-enrollment flow](https://developer.apple.com/documentation/devicemanagement/user_enrollment/onboarding_users_with_account_sign-in/implementing_the_simple_authentication_user-enrollment_flow) in the Apple Developer documentation. ## Best practices We recommend extra configurations to help improve the enrollment experience for device users. This section provides more information about each recommendation. From 58a8cb83067a278577d64338f2f4e27acaa841e1 Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Wed, 11 Dec 2024 14:47:01 -0500 Subject: [PATCH 057/237] text edits --- .../fundamentals/filters-performance-recommendations.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/fundamentals/filters-performance-recommendations.md b/memdocs/intune/fundamentals/filters-performance-recommendations.md index e55b3fbffa8..85ad1746335 100644 --- a/memdocs/intune/fundamentals/filters-performance-recommendations.md +++ b/memdocs/intune/fundamentals/filters-performance-recommendations.md @@ -7,7 +7,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 07/22/2024 +ms.date: 12/11/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals 
@@ -89,8 +89,7 @@ These recommendations focus on improving performance and reducing latency in wor Larger groups take longer to sync membership updates between Microsoft Entra ID and Intune. The **All users** and **All devices** are usually the largest groups you have. If you assign Intune workloads to large Microsoft Entra groups that have many users or devices, then synchronization backlogs can happen in your Intune environment. This backlog impacts policy and app deployments, which take longer to reach managed devices. -> [!IMPORTANT] -> The update from Entra to Intune is relatively quick, typically within 5 minutes or so, but it is not instantaneous. This is most crucial for enrollment assignments, admins should try to enroll devices only after several minutes, and not immediately after adding the enrolling users to a group, for optimal performance throughout Intune. +The update from Microsoft Entra to Intune typically happens within 5 minutes. It's not instant. This time can affect enrollment assignments. Admins should enroll devices after several minutes, not immediately after adding the enrolling users to a group. The built-in **All users** and **All devices** groups are Intune-only grouping objects that don't exist in Microsoft Entra ID. There isn't a continuous sync between Microsoft Entra ID and Intune. So, group membership is instant. From 954b8015752a591a2b9c30b777ecebdadde507a0 Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Wed, 11 Dec 2024 13:05:00 -0800 Subject: [PATCH 058/237] 50290712 move cpc changes --- windows-365/enterprise/move-cloud-pc.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows-365/enterprise/move-cloud-pc.md b/windows-365/enterprise/move-cloud-pc.md index 174dcfd3348..f22222e74db 100644 --- a/windows-365/enterprise/move-cloud-pc.md +++ b/windows-365/enterprise/move-cloud-pc.md 
@@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 07/25/2024 +ms.date: 12/13/2024 ms.topic: how-to ms.service: windows-365 ms.subservice: windows-365-enterprise @@ -72,4 +72,4 @@ If an error occurs, you retry the move. ## Next steps -[Manage your Cloud PCs](device-management-overview.md). +[Manage your Cloud PCs](device-management-overview.md). \ No newline at end of file From d43c799bd8b2bdd4f8d58896b914036a22c8548d Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Wed, 11 Dec 2024 13:10:46 -0800 Subject: [PATCH 059/237] changes --- windows-365/enterprise/move-cloud-pc.md | 52 +++++++++++++------------ 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/windows-365/enterprise/move-cloud-pc.md b/windows-365/enterprise/move-cloud-pc.md index f22222e74db..e73c66557f6 100644 --- a/windows-365/enterprise/move-cloud-pc.md +++ b/windows-365/enterprise/move-cloud-pc.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 12/13/2024 +ms.date: 12/06/2024 ms.topic: how-to ms.service: windows-365 ms.subservice: windows-365-enterprise 
@@ -31,43 +31,45 @@ ms.collection: # Move a Cloud PC -By editing a provisioning policy, you can move existing Cloud PCs from their current region or Azure network connection (ANC) to a new one. +By editing a provisioning policy, you can move some or all existing Cloud PCs in a policy from: -The best time to perform moves is over the weekend to make sure the impact to users is minimized. Cloud PCs are shut down during the move process, so you should notify your users before the move so that they can save their work and sign out. +- One region to another single region. +- One Azure network connection (ANC) to another ANC. +- A Microsoft hosted network to an ANC and vice versa. -New Cloud PCs created by the edited provisioning policy are assigned to the new region or ANC. +## Bulk move all Cloud PCs in a policy -## Move a Cloud PC +[!INCLUDE [Move a Cloud PC first steps](../includes/move-cloud-pc-steps.md)] +6. In the **Apply this configuration to existing Cloud PCs** box, select **Region or Azure network connections for all devices** > **Apply**. -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** > **Windows 365** (under **Provisioning**) > **Provisioning policies** > select a policy. -2. Under **General**, select **Edit**. -3. Under **Join type details**, make changes depending on the original type: - - - For **Hybrid Microsoft Entra Join**, change the ANC\*. - - For **Microsoft Entra Join**: +\* The domain defined in the new ANC must match that of the Cloud PCs that you want to move. The domain used in the original ANC must be reachable from the new ANC. - - You can change **Network** type from ANC to Microsoft hosted network, or vice versa. - - If a **Microsoft hosted network** is used, change the **Geography** and/or **Region**. - - If an **Azure network connection** is used, change the ANC\*. +All Cloud PCs provisioned after these changes are created in the new region. -4. 
Select **Next** > **Update**. -5. When ready to move the existing Cloud PCs, select **Apply region change to existing Cloud PCs**. +## Move a subset of Cloud PCs -\* The domain defined in the new ANC must match that of the Cloud PCs that you want to move. The domain used in the original ANC must be reachable from the new ANC. +[!INCLUDE [Move a Cloud PC first steps](../includes/move-cloud-pc-steps.md)] +6. In the **Apply this configuration to existing Cloud PCs** box, select **Region or Azure network connections for select devices (preview)** > **Apply**. +7. Under **Select devices (preview)**, select the devices that you want to move. You can move up to 100 devices at a time. +8. Choose **Select** > **Continue**. -All Cloud PCs provisioned after these changes are created in the new region. +## Best practices -## Move process +The best time to perform moves is over the weekend to make sure the impact to users is minimized. Cloud PCs are shut down and inaccessible for up to several hours during the move process. You should notify your users before the move so that they can save their work and sign out. + +When moving many devices to a new region, start with a few non-essential Cloud PCs and check for success before moving the critical Cloud PCs. + +You can track the status of moving Cloud PCs with the [Cloud PC actions report](report-cloud-pc-actions.md). + +New Cloud PCs created by the edited provisioning policy are assigned to the new region or ANC. -1. All Cloud PCs in the move are backed up before being moved to the new region. This backup, which can take some time, can begin while the user is signed in and active. -2. After the backup is complete, the Cloud PC is shut down. -3. The Cloud PC is moved. During this time, which can take several hours, the Cloud PC is inaccessible. +## Other move operations - - During the move, you can view the status in the **All Cloud PCs** list. The move is complete when the status indicates **Provisioned**. 
+Cloud PCs can't be moved from one provisioning policy to another. -4. After the move is complete, users can sign in. +You can't move some Cloud PCs to one region and other Cloud PCs to another region in the same policy edit operation. -If an error occurs, you retry the move. +You can't move Cloud PCs from one virtual network or subnet to another using the edit provisioning policy method. To make VNet/subnet changes, create a new ANC with the updated vNet/subnet and then move the Cloud PCs to the new ANC. ## Next steps From 3d8d073476598f18244a3b1075426d47499a2ad1 Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Wed, 11 Dec 2024 13:17:14 -0800 Subject: [PATCH 060/237] add wn --- windows-365/enterprise/whats-new.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows-365/enterprise/whats-new.md b/windows-365/enterprise/whats-new.md index 75235e6384a..b9df59b6783 100644 --- a/windows-365/enterprise/whats-new.md +++ b/windows-365/enterprise/whats-new.md @@ -55,6 +55,16 @@ For more information about public preview items, see [Public preview in Windows ### Windows 365 app --> + +## Week of December 9, 2024 + + +### Device management + +#### Move selected Cloud PCs to a new region + +You can now move selected Cloud PCs to a new region. This is instead of moving all Cloud PCs in a provisioning policy. + ## Week of December 2, 2024 (Service release 2411) From d61d43933d1c1f11c06b490e6cb055db1ea36ebf Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Wed, 11 Dec 2024 13:29:40 -0800 Subject: [PATCH 061/237] change per Tracey --- windows-365/enterprise/move-cloud-pc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows-365/enterprise/move-cloud-pc.md b/windows-365/enterprise/move-cloud-pc.md index e73c66557f6..8e1d1fd1c83 100644 --- a/windows-365/enterprise/move-cloud-pc.md +++ b/windows-365/enterprise/move-cloud-pc.md 
@@ -57,7 +57,7 @@ All Cloud PCs provisioned after these changes are created in the new region. The best time to perform moves is over the weekend to make sure the impact to users is minimized. Cloud PCs are shut down and inaccessible for up to several hours during the move process. You should notify your users before the move so that they can save their work and sign out. -When moving many devices to a new region, start with a few non-essential Cloud PCs and check for success before moving the critical Cloud PCs. +When moving many devices to a new region, start with a few non-critical Cloud PCs and check for success before moving the critical Cloud PCs. You can track the status of moving Cloud PCs with the [Cloud PC actions report](report-cloud-pc-actions.md). From 9e144714b8a16b2555ec4d9afe90d65693b2f435 Mon Sep 17 00:00:00 2001 From: Madison Holdaas <41927737+maholdaa@users.noreply.github.com> Date: Wed, 11 Dec 2024 14:35:58 -0800 Subject: [PATCH 062/237] Update enrollment-restrictions-set.md In response to incident - adding note about wait times between assignments, filters, and enrolling a device with enrollment restrictions. --- memdocs/intune/enrollment/enrollment-restrictions-set.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/enrollment-restrictions-set.md b/memdocs/intune/enrollment/enrollment-restrictions-set.md index aa12007f240..040173e38de 100644 --- a/memdocs/intune/enrollment/enrollment-restrictions-set.md +++ b/memdocs/intune/enrollment/enrollment-restrictions-set.md 
@@ -79,7 +79,9 @@ Block devices running on a specific device platform. You can apply this restrict In groups where both Android platforms are allowed, devices that support work profile will enroll with a work profile. Devices that don't support work profile will enroll on the Android device administrator platform. Neither work profile nor device administrator enrollment will work until you complete all prerequisites for Android enrollment. -This restriction is in the admin center under **Enrollment device platform restrictions**. +This restriction is in the admin center under **Enrollment device platform restrictions**. +> [!NOTE] +> Device platform enrollment restrictions use assignment filters. The update from Microsoft Entra to Intune to process user, group and filter assignments typically happens within 15 minutes. It's not instant. This time can affect enrollment assignments. Admins should enroll devices after several minutes, not immediately after adding the enrolling users to a group. ### OS version This restriction enforces your maximum and minimum OS version requirements. This type of restriction works with the following operating systems: From 0c1baf1604ec54c8b51389761d7ad43c67cd772c Mon Sep 17 00:00:00 2001 From: Madison Holdaas <41927737+maholdaa@users.noreply.github.com> Date: Wed, 11 Dec 2024 14:40:32 -0800 Subject: [PATCH 063/237] Update create-device-platform-restrictions.md In response to incident, adding notes to filters section about allowing extra processing time with assignments to enrolling. --- .../intune/enrollment/create-device-platform-restrictions.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/memdocs/intune/enrollment/create-device-platform-restrictions.md b/memdocs/intune/enrollment/create-device-platform-restrictions.md index c41c68d3215..65fdc406d16 100644 --- a/memdocs/intune/enrollment/create-device-platform-restrictions.md +++ b/memdocs/intune/enrollment/create-device-platform-restrictions.md 
@@ -132,6 +132,9 @@ For example, you can use a filter to allow personal Windows devices to enroll wh For more information about creating filters, see [Create a filter](../fundamentals/filters.md). +> [!NOTE] +> Processing assignment filters takes added time at enrollment. The update from Microsoft Entra to Intune to process user, group and filter assignments typically happens within 15 minutes. It's not instant. This time can affect enrollment assignments. Admins should enroll devices after several minutes, not immediately after adding the enrolling users to a group. + ### Supported filter properties Enrollment restrictions support fewer filter properties than other group-targeted policies. This is because devices aren't yet enrolled, so Intune doesn't have the device info to support all properties. The limited selection of properties become available when you: From 5353f5919c1e3be0f5931d3f707cb4523e027087 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 11 Dec 2024 17:57:22 -0500 Subject: [PATCH 064/237] Update corporate-identifiers-add.md Style edits --- .../intune/enrollment/corporate-identifiers-add.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/memdocs/intune/enrollment/corporate-identifiers-add.md b/memdocs/intune/enrollment/corporate-identifiers-add.md index a73f24b66cf..7196d2e2c2a 100644 --- a/memdocs/intune/enrollment/corporate-identifiers-add.md +++ b/memdocs/intune/enrollment/corporate-identifiers-add.md 
@@ -120,7 +120,7 @@ Android serial numbers aren't guaranteed to be unique or present. Check with you ### Add Windows corporate identifiers > [!IMPORTANT] -> Windows corporate identifiers are only applied at enrollment, they do not determine Ownership type in Intune after enrollment. They are also only supported for devices running Windows 10 KB5039299 (with OS Build 19045.4598) and later. If you're enrolling Windows 10 devices with an earlier build, do not use the corporate identifier feature. +> Windows corporate identifiers only apply at enrollment time. They don't determine ownership type in Intune after enrollment. Corporate identifiers are supported for devices running Windows 10 KB5039299 (with OS Build 19045.4598) and later. If you're enrolling Windows 10 devices with an earlier build, do not use the corporate identifier feature. To add corporate identifiers for corporate devices running Windows 11, list the manufacturer, model, and serial number for each device as shown in the following example. 
@@ -131,11 +131,13 @@ Lenovo,thinkpad t14,02234567890123 Remove all periods, if applicable, from the serial number before you add it to the file. -After you add Windows corporate identifiers, Intune marks devices that match all three identifiers as corporate-owned, and marks all other enrolling devices in your tenant as personal. This means that anything you exclude from the Windows corporate identifiers is marked personal, but only at enrollment. Existing Windows logic determines final state in Intune, see table below. To change the ownership type in Intune, you have to manually adjust it in the admin center. +After you add Windows corporate identifiers, Intune marks devices that match all three identifiers as corporate-owned, and marks all other enrolling devices in your tenant as personal. This means that anything you exclude from the Windows corporate identifiers is marked personal, but only at enrollment time. Existing Windows logic determines the final state in Intune. For more information, see the table in this section. To change the ownership type in Intune, you have to manually adjust it in the admin center. :::image type="content" source="./media/corporate-identifiers-add/device-enrollment-add-identifiers.png" alt-text="Screenshot of selecting and adding corporate identifiers."::: -The following table lists the type of ownership given to devices when they enroll without corporate identifiers and when they enroll with corporate identifiers. **Reminder** - corporate identifiers only change the device state *at enrollment time* - this means that after enrolling, a device state will match what you see in the **Without corporate identifiers** column in the table. +The following table lists the type of ownership given to devices when they enroll without corporate identifiers and when they enroll with corporate identifiers. + +>[!TIP] As a reminder, corporate identifiers only change the device state at enrollment time. 
This means that after the device enrolls, the device state matches what you see in the **Without corporate identifiers** column in the table. |Windows enrollment types | Without corporate identifiers | With corporate identifiers | |---|---|---| @@ -153,7 +155,7 @@ The following table lists the type of ownership given to devices when they enrol | [Enrollment using the Intune Company Portal app](../user-help/enroll-windows-10-device.md) | Personal | Personal, unless defined by corporate identifiers | | Enrollment via a Microsoft 365 app, which occurs when users select the **Allow my organization to manage my device** option during app sign-in | Personal | Personal, unless defined by corporate identifiers | -Windows corporate identifiers can only change ownership type if someone adds them to Microsoft Intune. If you don't have corporate identifiers for Windows in Intune, or if you remove them, devices that are Microsoft Entra domain joined are marked as corporate-owned at enrollment. This includes devices enrolled via [automatic MDM enrollment](windows-enroll.md#enable-windows-automatic-enrollment) with: +Windows corporate identifiers can only change ownership type if someone adds them to Microsoft Intune. If you don't have corporate identifiers for Windows in Intune, or if you remove them, devices that are Microsoft Entra domain joined are marked as corporate-owned at enrollment time. This includes devices enrolled via [automatic MDM enrollment](windows-enroll.md#enable-windows-automatic-enrollment) with: - [Microsoft Entra join during Windows setup](/azure/active-directory/device-management-azuread-joined-devices-frx). 
@@ -247,7 +249,8 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen ## Known issues and limitations -- Windows corporate device identifiers apply only at enrollment time - meaning a device that has corporate identifiers uploaded, then enrolls using the **Add Work Account from Windows Settings** option, will be marked **Corporate** at enrollment, treated as a **Corporate** device for enrollment restriction evaluation, but then will show as a **Personal** device in the admin center. Admins should expect the **Without corporate identifiers** column in the table above to determine what devices will remain Corporate or Personal in their tenant for longterm. +- Windows corporate device identifiers only apply at enrollment time. This means that when a device with corporate identifiers enrolls using the *Add Work Account from Windows Settings* option, it is marked as corporate-owned only at enrollment time. Microsoft Intune treats it as a corporate device for the enrollment restriction evaluation, but then after that the device appears as a personal device in the admin center. See the table under [Add Windows corporate identifiers](#add-windows-corporate-identifiers) to help you determine the ownership type. The **Without corporate identifiers** column lists the devices that remain corporate or personal in their tenant longterm. + - Windows corporate device identifiers are only supported for devices running: - Windows 10 version 22H2 (OS build 19045.4598) or later. From 620f315d5bf07ebc4db366181d5b0be1f0e2e5bf Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 11 Dec 2024 18:03:51 -0500 Subject: [PATCH 065/237] Update corporate-identifiers-add.md Line 252 cleanup --- memdocs/intune/enrollment/corporate-identifiers-add.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/corporate-identifiers-add.md b/memdocs/intune/enrollment/corporate-identifiers-add.md index 7196d2e2c2a..ffb61aa2c1f 100644 
--- a/memdocs/intune/enrollment/corporate-identifiers-add.md +++ b/memdocs/intune/enrollment/corporate-identifiers-add.md @@ -249,7 +249,7 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen ## Known issues and limitations -- Windows corporate device identifiers only apply at enrollment time. This means that when a device with corporate identifiers enrolls using the *Add Work Account from Windows Settings* option, it is marked as corporate-owned only at enrollment time. Microsoft Intune treats it as a corporate device for the enrollment restriction evaluation, but then after that the device appears as a personal device in the admin center. See the table under [Add Windows corporate identifiers](#add-windows-corporate-identifiers) to help you determine the ownership type. The **Without corporate identifiers** column lists the devices that remain corporate or personal in their tenant longterm. +- Windows corporate device identifiers only apply at enrollment time. This means that when a device with corporate identifiers enrolls using the *Add Work Account from Windows Settings* option, it is marked as corporate-owned only at enrollment time. Microsoft Intune treats it as a corporate device for the enrollment restriction evaluation, but then after that the device appears as a personal device in the admin center. See the table under [Add Windows corporate identifiers](#add-windows-corporate-identifiers) to help you determine the ownership type. Look to the **Without corporate identifiers** column to learn which devices remain corporate or personal in your tenant for the longterm. - Windows corporate device identifiers are only supported for devices running: From 0a3bee5f86adba9c9e393f395dfd266e494b8b0f Mon Sep 17 00:00:00 2001 
From: Laura Newsad Date: Wed, 11 Dec 2024 18:06:08 -0500 Subject: [PATCH 066/237] Update corporate-identifiers-add.md Formatting note line 140 --- memdocs/intune/enrollment/corporate-identifiers-add.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/corporate-identifiers-add.md b/memdocs/intune/enrollment/corporate-identifiers-add.md index ffb61aa2c1f..feba386e63b 100644 --- a/memdocs/intune/enrollment/corporate-identifiers-add.md +++ b/memdocs/intune/enrollment/corporate-identifiers-add.md @@ -137,7 +137,8 @@ After you add Windows corporate identifiers, Intune marks devices that match all The following table lists the type of ownership given to devices when they enroll without corporate identifiers and when they enroll with corporate identifiers. ->[!TIP] As a reminder, corporate identifiers only change the device state at enrollment time. This means that after the device enrolls, the device state matches what you see in the **Without corporate identifiers** column in the table. +>[!TIP] +> As a reminder, corporate identifiers only change the device state at enrollment time. This means that after the device enrolls, the device state matches what you see in the **Without corporate identifiers** column in the table. |Windows enrollment types | Without corporate identifiers | With corporate identifiers | |---|---|---| From 81c1598050eccb512a9918cd2295e536d0bf32e2 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Wed, 11 Dec 2024 18:14:10 -0500 Subject: [PATCH 067/237] Update corporate-identifiers-add.md Acrolinx --- .../intune/enrollment/corporate-identifiers-add.md | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/memdocs/intune/enrollment/corporate-identifiers-add.md b/memdocs/intune/enrollment/corporate-identifiers-add.md index feba386e63b..9050d63eb25 100644 --- a/memdocs/intune/enrollment/corporate-identifiers-add.md +++ b/memdocs/intune/enrollment/corporate-identifiers-add.md 
@@ -9,11 +9,6 @@ ms.author: lanewsad manager: dougeby ms.date: 08/08/2024 ms.topic: how-to -ms.service: microsoft-intune -ms.subservice: enrollment -ms.localizationpriority: high -ms.assetid: 566ed16d-8030-42ee-bac9-5f8252a83012 - # optional metadata #ROBOTS: @@ -225,7 +220,7 @@ Follow up on imported devices to ensure that they enroll in Intune. After you ad 1. Select the device identifiers you want to delete, and choose **Delete**. 1. Confirm the deletion. -Deleting a corporate identifier for an enrolled device does not change the device's ownership. +Deleting a corporate identifier for an enrolled device doesn't change the device's ownership. ## Change device ownership 
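
Review bot: The `@@ -9,11 +9,6 @@` hunk deletes `ms.service`, `ms.subservice`, `ms.localizationpriority` and `ms.assetid` from the front matter, which the commit message ("Acrolinx") does not explain and which is unrelated to the contraction fixes in the other hunks. Other articles in this series still carry `ms.service: microsoft-intune` and an `ms.subservice` value, so either restore these four lines or move the removal to its own commit with a stated reason.
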
@@ -250,7 +245,7 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen ## Known issues and limitations -- Windows corporate device identifiers only apply at enrollment time. This means that when a device with corporate identifiers enrolls using the *Add Work Account from Windows Settings* option, it is marked as corporate-owned only at enrollment time. Microsoft Intune treats it as a corporate device for the enrollment restriction evaluation, but then after that the device appears as a personal device in the admin center. See the table under [Add Windows corporate identifiers](#add-windows-corporate-identifiers) to help you determine the ownership type. Look to the **Without corporate identifiers** column to learn which devices remain corporate or personal in your tenant for the longterm. +- Windows corporate device identifiers only apply at enrollment time. This means that when a device with corporate identifiers enrolls using the *Add Work Account from Windows Settings* option, it's marked as corporate-owned only at enrollment time. Microsoft Intune treats it as a corporate device for the enrollment restriction evaluation, but then after that the device appears as a personal device in the admin center. See the table under [Add Windows corporate identifiers](#add-windows-corporate-identifiers) to help you determine the ownership type. Look to the **Without corporate identifiers** column to learn which devices remain corporate or personal in your tenant for the long-term. - Windows corporate device identifiers are only supported for devices running: 
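
Review bot: The rewritten known-issue bullet ends with `for the long-term`, which hyphenates a noun phrase; write `for the long term` (or `long term` alone). The same sentence keeps `but then after that the device appears as a personal device`, where `but afterward the device appears` says the same thing with less repetition.
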
@@ -266,7 +261,7 @@ To confirm the reason for an enrollment failure, go to **Devices** > **Enrollmen - Windows currently doesn't support device details in CSV files. -- Apple user enrollment with Company Portal and account driven user enrollment corporate identifiers are not currently supported because the MDM does not get access to the device serial number, IMEI, and UDID. +- Apple user enrollment with Company Portal and account driven user enrollment corporate identifiers aren't currently supported because the MDM doesn't get access to the device serial number, IMEI, and UDID. ## Resources From e783fa604b52d661600991a1ed5154819777b9c3 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Wed, 11 Dec 2024 16:21:14 -0800 Subject: [PATCH 068/237] Added content for support -wifi-profile --- .../wi-fi-settings-android-aosp.md | 4 +-- .../wi-fi-settings-android-enterprise.md | 25 ++++++++++++++++--- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/memdocs/intune/configuration/wi-fi-settings-android-aosp.md b/memdocs/intune/configuration/wi-fi-settings-android-aosp.md index 34822016269..0612659fb0a 100644 --- a/memdocs/intune/configuration/wi-fi-settings-android-aosp.md +++ b/memdocs/intune/configuration/wi-fi-settings-android-aosp.md @@ -7,7 +7,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 01/17/2024 +ms.date: 12/11/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: configuration 
@@ -55,7 +55,7 @@ For more information on AOSP, go to [Android Open Source Project](https://source When devices are connected to another preferred Wi-Fi connection, then they won't automatically connect to this Wi-Fi network. If devices fail to connect automatically when this setting is enabled, then disconnect the devices from any existing Wi-Fi connections. - **Hidden network**: Select **Enable** to hide this network from the list of available networks on the device. The SSID isn't broadcasted. Select **Disable** to show this network in the list of available networks on the device. -- **Wi-Fi type**: Select the security protocol to authenticate to the Wi-Fi network. Your options: +- **Security type**: Select the security protocol to authenticate to the Wi-Fi network. Your options: - **Open (no authentication)**: Only use this option if the network is unsecured. - **WEP-Pre-shared key**: Enter the password in **Pre-shared key** (PSK). When your organization's network is set up or configured, a password or network key is also configured. Enter this password or network key for the PSK value. diff --git a/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md b/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md index c4fd01fe79d..a094b11fd77 100644 --- a/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md +++ b/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md 
@@ -1,13 +1,13 @@ --- # required metadata -title: Wi-Fi settings for Android Enterprise and kiosk devices - Microsoft Intune | Microsoft Docs +title: Add Wi-Fi settings for Android Enterprise devices in Microsoft Intune description: Create or add a WiFi device configuration profile for Android Enterprise and Android Kiosk. See the different settings, add certificates, choose an EAP type, and select an authentication method in Microsoft Intune. For kiosk devices, also enter the Pre-shared key of your network. keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 07/18/2024 +ms.date: 12/11/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: configuration @@ -67,7 +67,7 @@ Select this option if you're deploying to an Android Enterprise dedicated, corpo When devices are connected to another preferred Wi-Fi connection, then they don't automatically connect to this Wi-Fi network. If devices fail to connect automatically when this setting is enabled, then disconnect the devices from any existing Wi-Fi connections. - **Hidden network**: Select **Enable** to hide this network from the list of available networks on the device. The SSID isn't broadcasted. Select **Disable** to show this network in the list of available networks on the device. -- **Wi-Fi type**: Select the security protocol to authenticate to the Wi-Fi network. Your options: +- **Security type**: Select the security protocol to authenticate to the Wi-Fi network. Your options: - **Open (no authentication)**: Only use this option if the network is unsecured. - **WEP-Pre-shared key**: Enter the password in **Pre-shared key**. When your organization's network is set up or configured, a password or network key is also configured. Enter this password or network key for the PSK value. 
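
Review bot: The rename from **Wi-Fi type** to **Security type** in this hunk is not carried into the bullet the same commit adds in the following `@@ -258,6 +258,25 @@` hunk, which is introduced as `- **Wi-Fi type**: Select the security protocol to authenticate to the Wi-Fi network.` directly below the existing `- **Wi-Fi type**: Select **Basic**.` line, leaving two different settings with the same label in one list. Label the added bullet **Security type** to match. In that same added block, the **Automatic** proxy examples use `http://proxy.contoso.com/proxy.pac` and a bare `10.0.0.11` for a field described as a URL to a configuration file; an `https://` PAC URL would be a better example, since a PAC file decides where device traffic is sent.
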
@@ -258,6 +258,25 @@ Select this option if you're deploying to an Android Enterprise dedicated, corpo - **Wi-Fi type**: Select **Basic**. - **SSID**: Enter the **service set identifier**, which is the real name of the wireless network that devices connect to. However, users only see the **network name** you configured when they choose the connection. - **Hidden network**: Select **Enable** to hide this network from the list of available networks on the device. The SSID isn't broadcasted. Select **Disable** to show this network in the list of available networks on the device. +- **Wi-Fi type**: Select the security protocol to authenticate to the Wi-Fi network. Your options: + + - **Open (no authentication)**: Only use this option if the network is unsecured. + - **WEP-Pre-shared key**: Enter the password in **Pre-shared key**. When your organization's network is set up or configured, a password or network key is also configured. Enter this password or network key for the PSK value. + + > [!WARNING] + > On Android 12 and later, Google deprecated support for WEP pre-shared keys (PSK) in Wi-Fi configuration profiles. It's possible WEP might still work. But, it's not recommended and is considered obsolete. Instead, use WPA pre-shared keys (PSK) in your Wi-Fi configuration profiles. + > + > For more information, go to the [Android developer reference - WifiConfiguration.GroupCipher](https://developer.android.com/reference/android/net/wifi/WifiConfiguration.GroupCipher#summary). + + - **WPA-Pre-shared key**: Enter the password in **Pre-shared key**. When your organization's network is set up or configured, a password or network key is also configured. Enter this password or network key for the PSK value. + +- **Proxy settings**: Select a proxy configuration. Your options: + + - **None**: No proxy settings are configured. + + - **Automatic**: Use a file to configure the proxy server. Enter the **Proxy server URL** that contains the configuration file. 
For example, enter `http://proxy.contoso.com`, `10.0.0.11`, or `http://proxy.contoso.com/proxy.pac`. + + For more information on PAC files, see [Proxy Auto-Configuration (PAC) file](https://developer.mozilla.org/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_(PAC)_file) (opens a non-Microsoft site). ### Enterprise (personally owned work profile) From 927246f4318c1e0ca883c0ffee77782d81051a68 Mon Sep 17 00:00:00 2001 From: ByteFresco <190902456+ByteFresco@users.noreply.github.com> Date: Wed, 11 Dec 2024 19:00:10 -0800 Subject: [PATCH 069/237] fix: correct navigational path to enrollment restrictions Correct the navigational path to enrollment restrictions. Previous: Enrollment device platform restrictions Correct: Devices > Device onboarding > Enrollment > Device platform restriction --- memdocs/intune/enrollment/enrollment-restrictions-set.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/memdocs/intune/enrollment/enrollment-restrictions-set.md b/memdocs/intune/enrollment/enrollment-restrictions-set.md index aa12007f240..ee861dfc138 100644 --- a/memdocs/intune/enrollment/enrollment-restrictions-set.md +++ b/memdocs/intune/enrollment/enrollment-restrictions-set.md 
@@ -79,7 +79,7 @@ Block devices running on a specific device platform. You can apply this restrict In groups where both Android platforms are allowed, devices that support work profile will enroll with a work profile. Devices that don't support work profile will enroll on the Android device administrator platform. Neither work profile nor device administrator enrollment will work until you complete all prerequisites for Android enrollment. -This restriction is in the admin center under **Enrollment device platform restrictions**. +This restriction is in the admin center under **Devices > Device onboarding > Enrollment > Device platform restriction**. ### OS version This restriction enforces your maximum and minimum OS version requirements. This type of restriction works with the following operating systems: @@ -91,10 +91,10 @@ This restriction enforces your maximum and minimum OS version requirements. This \* Version restrictions are supported on these operating systems for devices enrolled via Intune Company Portal only. -This restriction is in the admin center under **Enrollment device platform restrictions**. +This restriction is in the admin center under **Devices > Device onboarding > Enrollment > Device platform restriction**. ### Device manufacturer -This restriction blocks devices made by specific manufacturers, and is applicable to Android devices only. It is in the admin center under **Enrollment device platform restrictions**. +This restriction blocks devices made by specific manufacturers, and is applicable to Android devices only. It is in the admin center under **Devices > Device onboarding > Enrollment > Device platform restriction**. ### Personally owned devices This restriction helps prevent device users from accidentally enrolling their personal devices, and applies to devices running: 
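
Review bot: The replacement path in these hunks is written as a single bold run with literal `>` characters (`**Devices > Device onboarding > Enrollment > Device platform restriction**`), while the corporate-identifiers-add.md text elsewhere in this series bolds each UI element separately (`go to **Devices** > ...`). Bold each element on its own so the path renders consistently. The Device manufacturer line also keeps `It is in the admin center`, which the Acrolinx pass in PATCH 067 would contract to `It's`.
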
@@ -104,7 +104,7 @@ This restriction helps prevent device users from accidentally enrolling their pe * macOS * Windows 10/11 -This restriction is in the admin center under **Enrollment device platform restrictions**. +This restriction is in the admin center under **Devices > Device onboarding > Enrollment > Device platform restriction**. #### Blocking personal Android devices By default, until you manually make changes in the admin center, your Android Enterprise work profile device settings and Android device administrator device settings are the same. From 01acadcab2690fa79ac0b0a9c45df9c4c0c4a2f3 Mon Sep 17 00:00:00 2001 From: Benjamin Flamm <57767769+beflamm@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:00:49 -0500 Subject: [PATCH 070/237] Learn Editor: Update apple-settings-catalog-configurations.md --- .../apple-settings-catalog-configurations.md | 70 +++++++++++++++++-- 1 file changed, 65 insertions(+), 5 deletions(-) diff --git a/memdocs/intune/configuration/apple-settings-catalog-configurations.md b/memdocs/intune/configuration/apple-settings-catalog-configurations.md index 86f770c4502..2e9c5229a61 100644 --- a/memdocs/intune/configuration/apple-settings-catalog-configurations.md +++ b/memdocs/intune/configuration/apple-settings-catalog-configurations.md 
@@ -78,17 +78,52 @@ Some settings are available in device configuration templates and in the setting ## Apple declarative configurations This section is specific to the configurations that are under the Declarative Device Management (DDM) category in the settings catalog. You can learn more about DDM at [Intro to declarative device management and Apple devices](https://support.apple.com/guide/deployment/depb1bab77f8/1/web/1.0) on Apple's website. - +### Disk Management + +Use Disk Management setting to install disk management settings on devices. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Disk Management using the following documentation: + +|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation| +| -------- | -------- | -------- | -------- | +|[Storage management declarative configuration](https://support.apple.com/en-tm/guide/deployment/dep2b9f009ed/web)|[Disk Management Settings](https://developer.apple.com/documentation/devicemanagement/diskmanagementsettings)|[Disk Management Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/diskmanagement.settings.yaml)|| + +Known issues + +- None + +### Math Settings + +Use Math Settings to configure the Math and Calculator apps on devices. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. 
You can learn more about Math Settings using the following documentation: + +|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation| +| -------- | -------- | -------- | -------- | +|[Math and Calculator app declarative configuration](https://support.apple.com/en-tm/guide/deployment/dep7881be3bb/web)|[Math Settings](https://developer.apple.com/documentation/devicemanagement/mathsettings)|[Math Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/math.settings.yaml)|| + +Known issues + +- None + ### Passcode Use the passcode configuration to require that devices have a password or passcode that meet your organization's requirements. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Passcode using the following documentation: -| Apple Platform Guides | Apple Developer | Apple YAML | Intune documentation +| Apple Platform Guides | Apple Developer | Apple YAML | Intune documentation| | ------- | ------- | ------- | ------- | -|
  • [Passcodes and passwords](https://support.apple.com/guide/security/sec20230a10d/web)
  • [Passcode declarative configuration](https://support.apple.com/guide/deployment/depf72b010a8/1/web/1.0)
| [Passcode](https://developer.apple.com/documentation/devicemanagement/passcode)| [Passcode](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/passcode.settings.yaml) +|
  • [Passcodes and passwords](https://support.apple.com/guide/security/sec20230a10d/web)
  • [Passcode declarative configuration](https://support.apple.com/guide/deployment/depf72b010a8/1/web/1.0)
| [Passcode](https://developer.apple.com/documentation/devicemanagement/passcode)| [Passcode](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/passcode.settings.yaml)|| #### Known issues - None +### Safari Extension Settings + +Use the Safari extensions settings to manage extensions in the Safari browser. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Safari Extension Settings using the following documentation: + +|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation| +| -------- | -------- | -------- | -------- | +|[Safari extensions management declarative configuration](https://support.apple.com/en-tm/guide/deployment/depff7fad9d8/web)|[Safari Extension Settings](https://developer.apple.com/documentation/devicemanagement/safariextensionsettings)|[Safari Extension Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/safari.extensions.settings.yaml)|| + +Known issues + +- None + ### Software Update Use the Software Update configuration to enforce an update to install at a specific time. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about this configuration using the following documentation: 
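
Review bot: The added Disk Management, Math Settings and Safari Extension Settings sections close with a plain `Known issues` line, while the existing Passcode and Software Update sections in the same hunk use a `#### Known issues` heading; use the heading in the new sections so the structure matches. The new Apple Platform Guides links also carry a region locale (`support.apple.com/en-tm/guide/deployment/...`) where the existing links are locale-neutral (`support.apple.com/guide/...`); drop the `en-tm` segment. The hunk also removes the blank line before `### Disk Management`, which leaves the heading directly under the preceding paragraph.
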
@@ -99,6 +134,18 @@ Use the Software Update configuration to enforce an update to install at a speci #### Known issues - None +### Software Update Settings + +Use the Software Update Settings configuration to defer OS updates and control how users can manually interact with software updates in System Settings. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Passcode using the following documentation: + +|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation| +| -------- | -------- | -------- | -------- | +|[Software Update Settings declarative configuration](https://support.apple.com/en-tm/guide/deployment/dep0578d8b8a/web)|[Software Update Settings](https://developer.apple.com/documentation/devicemanagement/softwareupdatesettings)|[Software Update Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/softwareupdate.settings.yaml)|[Use the settings catalog to configure managed software updates](../protect/managed-software-updates-ios-macos.md)| + +Known issues + +- None + ## Apple MDM payload settings This section is specific to Apple payloads that use the standard MDM channel. A list of these payloads is available at [Review MDM payloads for Apple devices](https://support.apple.com/guide/deployment/dep5370d089/web) on Apple's website. 
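
Review bot: The intro paragraph of the new `### Software Update Settings` section ends with `You can learn more about Passcode using the following documentation:`, which looks copied from the Passcode section; it should name Software Update Settings. As in the other sections this commit adds, `Known issues` is plain text here rather than the `#### Known issues` heading used by the existing sections.
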
@@ -145,7 +192,21 @@ Use the Firewall configuration to manage the native macOS application firewall. | Apps allowed | Networking > Firewall | Applications (Allowed = True) | | Apps blocked | Networking > Firewall | Applications (Allowed = False) | | Enable stealth mode | Networking > Firewall | Enable Stealth Mode | - +### Font + +> [!NOTE] +> Font files being uploaded to Intune must be less than 2MB in size. + +Use the Font payload to configure fonts on devices. This configuration is located in the **System Configuration** category of the settings catalog. You can learn more about Font using the following documentation: + +|Apple Platform Guides|Apple Developer|Apple YAML|Intune documentation| +| -------- | -------- | -------- | -------- | +|[Fonts MDM payload settings](https://support.apple.com/en-tm/guide/deployment/depeba084b8/web)|[Font](https://developer.apple.com/documentation/devicemanagement/font)|[Font](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.font.yaml)|| + +Known issues + +- None + ### System Policy Control (Gatekeeper) Use the System Policy Control payload to configure Gatekeeper settings. This configuration is located in the **System Policy Control** category of the settings catalog. You can learn more about System Policy Control using the following documentation: 
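
Review bot: The `### Font` heading is added in place of the blank line after the Firewall settings table, so it now sits directly under the last table row (`| Enable stealth mode | Networking > Firewall | Enable Stealth Mode |`); keep the blank line and add the heading after it. The `> [!NOTE]` about the upload size limit also comes before the sentence that introduces the payload, and would read better after it.
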
@@ -162,7 +223,6 @@ Use the System Policy Control payload to configure Gatekeeper settings. This con | -------- | ------- | ------- | | Do not allow user to override Gatekeeper | System Policy Control > System Policy Control | Enable Assessment | | Allow apps downloaded from these locations | System Policy Control > System Policy Control | Allow Identified Developers | - ### System Extensions Use the System Extensions payload to configure system extensions to be automatically loaded or prevent users from approving specific extensions. This configuration is located in the **System Configuration** category of the settings catalog. You can learn more about System Extensions using the following documentation: From 0ca97ee0fd97663a6158e8972067a371049ddcb1 Mon Sep 17 00:00:00 2001 From: Benjamin Flamm <57767769+beflamm@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:01:42 -0500 Subject: [PATCH 071/237] Learn Editor: Update apple-settings-catalog-configurations.md From 61099506b464e35c657066feff5ce8bd307fcd28 Mon Sep 17 00:00:00 2001 
From: John Flores Date: Thu, 12 Dec 2024 10:25:28 -0500 Subject: [PATCH 072/237] [Conditional Access] Bulk Branding Fix --- autopilot/self-deploying.md | 2 +- memdocs/analytics/work-from-anywhere.md | 2 +- .../plan-design/plan-for-software-center.md | 2 +- memdocs/configmgr/cloud-attach/toc.yml | 2 +- memdocs/configmgr/comanage/coexistence.md | 2 +- memdocs/configmgr/comanage/faq.yml | 4 +-- memdocs/configmgr/comanage/how-to-enable.md | 2 +- memdocs/configmgr/comanage/overview.md | 4 +-- .../comanage/quickstart-hybrid-aad.md | 10 +++---- memdocs/configmgr/comanage/quickstarts.md | 4 +-- memdocs/configmgr/comanage/toc.yml | 2 +- .../comanage/tutorial-co-manage-clients.md | 2 +- memdocs/configmgr/comanage/workloads.md | 2 +- .../create-configuration-baselines.md | 2 +- .../clients/manage/client-notification.md | 4 +-- .../capabilities-in-technical-preview-1601.md | 8 ++--- .../capabilities-in-technical-preview-1610.md | 4 +-- .../capabilities-in-technical-preview-1702.md | 8 ++--- .../capabilities-in-technical-preview-1706.md | 4 +-- .../capabilities-in-technical-preview-1709.md | 2 +- .../capabilities-in-technical-preview-1710.md | 2 +- .../removed-and-deprecated-cmfeatures.md | 4 +-- .../changes/features-and-capabilities.md | 2 +- .../changes/whats-new-in-version-1602.md | 6 ++-- .../changes/whats-new-in-version-1610.md | 2 +- .../changes/whats-new-in-version-1702.md | 4 +-- .../changes/whats-new-in-version-1802.md | 2 +- .../changes/whats-new-in-version-1910.md | 2 +- ...f-diagnostic-usage-data-collection-1802.md | 2 +- ...f-diagnostic-usage-data-collection-1806.md | 2 +- ...f-diagnostic-usage-data-collection-1810.md | 2 +- ...f-diagnostic-usage-data-collection-1902.md | 2 +- ...f-diagnostic-usage-data-collection-1906.md | 2 +- ...f-diagnostic-usage-data-collection-1910.md | 2 +- ...f-diagnostic-usage-data-collection-2002.md | 2 +- ...f-diagnostic-usage-data-collection-2006.md | 2 +- ...f-diagnostic-usage-data-collection-2010.md | 2 +- 
...f-diagnostic-usage-data-collection-2103.md | 2 +- ...f-diagnostic-usage-data-collection-2107.md | 2 +- ...f-diagnostic-usage-data-collection-2111.md | 2 +- ...f-diagnostic-usage-data-collection-2203.md | 2 +- ...f-diagnostic-usage-data-collection-2207.md | 2 +- ...f-diagnostic-usage-data-collection-2211.md | 2 +- ...f-diagnostic-usage-data-collection-2303.md | 2 +- ...f-diagnostic-usage-data-collection-2309.md | 2 +- ...f-diagnostic-usage-data-collection-2403.md | 2 +- ...f-diagnostic-usage-data-collection-2409.md | 2 +- .../core/servers/manage/community-hub.md | 2 +- .../understand/product-and-licensing-faq.yml | 4 +-- .../configmgr/develop/adminservice/faq.yml | 2 +- .../mdm/understand/what-happened-to-hybrid.md | 6 ++-- .../configmgr/tenant-attach/troubleshoot.md | 2 +- .../app-configuration-policies-outlook.md | 6 ++-- memdocs/intune/apps/app-management.md | 2 +- memdocs/intune/apps/mamedge-1-mamca.md | 30 +++++++++---------- memdocs/intune/apps/mamedge-2-app.md | 2 +- memdocs/intune/apps/mamedge-3-scc.md | 4 +-- .../apps/mamedge-5-end-user-experience.md | 2 +- memdocs/intune/apps/mamedge-overview.md | 8 ++--- memdocs/intune/apps/manage-microsoft-edge.md | 6 ++-- .../intune/apps/manage-microsoft-office.md | 6 ++-- memdocs/intune/apps/manage-microsoft-teams.md | 6 ++-- memdocs/intune/apps/protect-mam-windows.md | 4 +-- .../configuration/device-profile-assign.md | 2 +- .../device-profile-troubleshoot.md | 2 +- .../intune/configuration/device-profiles.md | 2 +- ...al-walkthrough-administrative-templates.md | 2 +- .../configuration/vpn-settings-windows-10.md | 2 +- .../developer/app-sdk-android-phase7.md | 2 +- .../intune/developer/app-sdk-ios-phase6.md | 4 +-- .../enrollment/android-enterprise-overview.md | 2 +- ...omated-device-enrollment-authentication.md | 10 +++---- .../device-enrollment-manager-enroll.md | 4 +-- .../device-enrollment-program-enroll-macos.md | 8 ++--- .../device-enrollment-shared-ipad.md | 2 +- memdocs/intune/enrollment/macos-enroll.md | 2 
+- .../enrollment/multi-factor-authentication.md | 2 +- .../web-based-device-enrollment-ios.md | 2 +- .../intune/enrollment/windows-bulk-enroll.md | 4 +-- .../windows-enrollment-create-cname.md | 2 +- .../azure-virtual-desktop-multi-session.md | 2 +- .../fundamentals/azure-virtual-desktop.md | 2 +- .../fundamentals/deployment-guide-enroll.md | 2 +- .../deployment-guide-enrollment-macos.md | 4 +-- .../deployment-guide-platform-linux.md | 12 ++++---- .../deployment-guide-platform-windows.md | 2 +- .../deployment-plan-compliance-policies.md | 6 ++-- .../deployment-plan-protect-apps.md | 2 +- .../fundamentals/get-started-with-intune.md | 2 +- .../guided-scenarios-office-mobile.md | 10 +++---- memdocs/intune/fundamentals/licenses.md | 2 +- .../intune/fundamentals/migrate-to-intune.md | 6 ++-- .../fundamentals/policy-map-miscellaneous.md | 4 +-- .../intune/fundamentals/remote-help-macos.md | 2 +- .../intune/fundamentals/remote-help-webapp.md | 2 +- .../fundamentals/remote-help-windows.md | 6 ++-- .../role-based-access-control-reference.md | 2 +- .../fundamentals/role-based-access-control.md | 2 +- .../tutorial-walkthrough-endpoint-manager.md | 2 +- .../fundamentals/what-is-device-management.md | 2 +- memdocs/intune/fundamentals/what-is-intune.md | 8 ++--- .../intune/fundamentals/whats-new-archive.md | 16 +++++----- .../protect/actions-for-noncompliance.md | 2 +- .../advanced-threat-protection-configure.md | 10 +++---- .../protect/advanced-threat-protection.md | 6 ++-- ...-based-conditional-access-intune-create.md | 2 +- .../app-modern-authentication-block.md | 2 +- .../compliance-policy-create-windows.md | 2 +- .../protect/compliance-use-custom-settings.md | 2 +- .../conditional-access-exchange-create.md | 2 +- .../create-conditional-access-intune.md | 2 +- memdocs/intune/protect/derived-credentials.md | 4 +-- .../protect/device-compliance-get-started.md | 2 +- .../protect/device-compliance-partners.md | 4 +-- memdocs/intune/protect/endpoint-security.md | 20 
++++++------- .../protect/exchange-connector-install.md | 18 +++++------ memdocs/intune/protect/jamf-mtd-connector.md | 4 +-- .../lookout-mtd-connector-integration.md | 2 +- .../microsoft-tunnel-conditional-access.md | 2 +- .../protect/mtd-enable-unenrolled-devices.md | 4 +-- ...orial-protect-email-on-enrolled-devices.md | 2 +- ...rial-protect-email-on-unmanaged-devices.md | 6 ++-- .../remote-actions/device-management.md | 2 +- memdocs/intune/toc.yml | 6 ++-- .../set-up-migrate-iphone-for-work.md | 2 +- .../azure-ad-joined-hybrid-azure-ad-joined.md | 8 ++--- windows-365/business/TOC.yml | 2 +- .../business/configure-single-sign-on.md | 8 ++--- .../set-conditional-access-policies.md | 14 ++++----- windows-365/compliance-overview.md | 2 +- windows-365/enterprise/TOC.yml | 2 +- windows-365/enterprise/architecture.md | 2 +- .../enterprise/configure-single-sign-on.md | 2 +- .../enterprise/deploy-security-baselines.md | 2 +- .../enterprise/identity-authentication.md | 2 +- windows-365/enterprise/index.yml | 2 +- .../restrict-office-365-cloud-pcs.md | 4 +-- windows-365/enterprise/security.md | 2 +- .../set-conditional-access-policies.md | 14 ++++----- windows-365/enterprise/troubleshooting.md | 6 ++-- windows-365/enterprise/whats-new.md | 4 +-- windows-365/link/TOC.yml | 2 +- windows-365/link/deployment-overview.md | 2 +- 143 files changed, 283 insertions(+), 283 deletions(-) diff --git a/autopilot/self-deploying.md b/autopilot/self-deploying.md index 669dc63fb1f..45b05cbf77f 100644 --- a/autopilot/self-deploying.md +++ b/autopilot/self-deploying.md 
@@ -61,7 +61,7 @@ Optionally, a [device-only subscription](https://techcommunity.microsoft.com/t5/ > [!NOTE] > -> Intune doesn't automatically configure a primary user when using self-deploying mode in Autopilot to provision a Windows device. Some Intune capabilities rely on a primary user being set on a device. These features include user self-service BitLocker recovery key retrieval and using the Company Portal to install software. Using self-provisioning mode for Autopilot doesn't preclude a licensed user from logging into the device and using features entitled to that user such as conditional access. For more information, see [Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md). +> Intune doesn't automatically configure a primary user when using self-deploying mode in Autopilot to provision a Windows device. Some Intune capabilities rely on a primary user being set on a device. These features include user self-service BitLocker recovery key retrieval and using the Company Portal to install software. Using self-provisioning mode for Autopilot doesn't preclude a licensed user from logging into the device and using features entitled to that user such as Conditional Access. For more information, see [Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md). > > If desired, a primary user can be manually set after device provisioning via the Intune admin center. For more information, see [Change a devices primary user](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user). diff --git a/memdocs/analytics/work-from-anywhere.md b/memdocs/analytics/work-from-anywhere.md index 333976f1a32..a95e01fac55 100644 --- a/memdocs/analytics/work-from-anywhere.md +++ b/memdocs/analytics/work-from-anywhere.md 
@@ -60,7 +60,7 @@ Benefits of each cloud management type: | Manage your clients anywhere | :::image type="content" source="media/green-check.png" border="false" alt-text="Yes."::: | :::image type="content" source="media/green-check.png" border="false" alt-text="Yes."::: | :::image type="content" source="media/green-check.png" border="false" alt-text="Yes."::: | :::image type="content" source="media/green-check.png" border="false" alt-text="Yes."::: | | View and take action on all Windows PCs from Microsoft Intune admin center| |:::image type="content" source="media/green-check.png" border="false" alt-text="Yes.":::| :::image type="content" source="media/green-check.png" border="false" alt-text="Yes.":::| :::image type="content" source="media/green-check.png" border="false" alt-text="Yes."::: | | Modernize your directory approach with Microsoft Entra ID | |:::image type="content" source="media/green-check.png" border="false" alt-text="Yes.":::| :::image type="content" source="media/green-check.png" border="false" alt-text="Yes.":::| :::image type="content" source="media/green-check.png" border="false" alt-text="Yes."::: | -|Enhance Zero Trust with conditional access| | |:::image type="content" source="media/green-check.png" border="false" alt-text="Yes.":::| :::image type="content" source="media/green-check.png" border="false" alt-text="Yes."::: | +|Enhance Zero Trust with Conditional Access| | |:::image type="content" source="media/green-check.png" border="false" alt-text="Yes.":::| :::image type="content" source="media/green-check.png" border="false" alt-text="Yes."::: | | Make device provisioning easier by enabling Windows Autopilot | | |:::image type="content" source="media/green-check.png" border="false" alt-text="Yes.":::| :::image type="content" source="media/green-check.png" border="false" alt-text="Yes."::: | | Gain more remote access with Intune | | |:::image type="content" source="media/green-check.png" border="false" alt-text="Yes.":::| :::image 
type="content" source="media/green-check.png" border="false" alt-text="Yes."::: | | Split PC management workloads between cloud and on-premises | | |:::image type="content" source="media/green-check.png" border="false" alt-text="Yes.":::| | diff --git a/memdocs/configmgr/apps/plan-design/plan-for-software-center.md b/memdocs/configmgr/apps/plan-design/plan-for-software-center.md index 75a6ef38505..50141b4c8e6 100644 --- a/memdocs/configmgr/apps/plan-design/plan-for-software-center.md +++ b/memdocs/configmgr/apps/plan-design/plan-for-software-center.md @@ -31,7 +31,7 @@ Use client settings to configure the appearance and behaviors of Software Center - Configure which default tabs are visible, and add up to five custom tabs to Software Center. - In Configuration Manager 2103 and earlier, when single sign on with multifactor authentication is used, you may not be able to sign into custom tabs that load a website that's subject to conditional access policies. + In Configuration Manager 2103 and earlier, when single sign on with multifactor authentication is used, you may not be able to sign into custom tabs that load a website that's subject to Conditional Access policies. - You can configure co-managed devices to use the Company Portal for both Intune and Configuration Manager apps. For more information, see [Use the Company Portal app on co-managed devices](../../comanage/company-portal.md). diff --git a/memdocs/configmgr/cloud-attach/toc.yml b/memdocs/configmgr/cloud-attach/toc.yml index 0154d1c8454..fef559d1aca 100644 --- a/memdocs/configmgr/cloud-attach/toc.yml +++ b/memdocs/configmgr/cloud-attach/toc.yml 
@@ -137,7 +137,7 @@ items: href: ../comanage/workloads.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json - name: Switch workloads to Intune href: ../comanage/how-to-switch-workloads.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json - - name: Conditional access + - name: Conditional Access href: ../comanage/quickstart-conditional-access.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json - name: Remote actions from Intune href: ../comanage/quickstart-remote-actions.md?toc=/mem/configmgr/cloud-attach/toc.json&bc=/mem/configmgr/cloud-attach/breadcrumb/toc.json diff --git a/memdocs/configmgr/comanage/coexistence.md b/memdocs/configmgr/comanage/coexistence.md index 3fde5474db4..97c3b985918 100644 --- a/memdocs/configmgr/comanage/coexistence.md +++ b/memdocs/configmgr/comanage/coexistence.md @@ -33,7 +33,7 @@ When the Configuration Manager client detects that a third-party MDM service is - Application management, including legacy packages - Software update scanning and installation - Endpoint protection, the Windows Defender suite of antimalware protection features -- Compliance policy for conditional access +- Compliance policy for Conditional Access - Device configuration - Office Click-to-Run management diff --git a/memdocs/configmgr/comanage/faq.yml b/memdocs/configmgr/comanage/faq.yml index d93173d7c48..baa4bfaaea1 100644 --- a/memdocs/configmgr/comanage/faq.yml +++ b/memdocs/configmgr/comanage/faq.yml 
@@ -104,7 +104,7 @@ sections: - question: | I've enabled co-management, which workload should I switch first? answer: | - **Compliance** is the workload that most customers switch first. If you switch this workload to Intune, you can still require devices to evaluate settings from Configuration Manager. When you configure a compliance policy in Intune, enable it to require device [compliance from Configuration Manager](../../intune/protect/compliance-policy-create-windows.md#configuration-manager-compliance). Then you can use device compliance state to control [conditional access](../../intune/protect/conditional-access.md) to cloud-based resources. This configuration lets you start using the cloud services without changing the compliance checks you already have in Configuration Manager. + **Compliance** is the workload that most customers switch first. If you switch this workload to Intune, you can still require devices to evaluate settings from Configuration Manager. When you configure a compliance policy in Intune, enable it to require device [compliance from Configuration Manager](../../intune/protect/compliance-policy-create-windows.md#configuration-manager-compliance). Then you can use device compliance state to control [Conditional Access](../../intune/protect/conditional-access.md) to cloud-based resources. This configuration lets you start using the cloud services without changing the compliance checks you already have in Configuration Manager. After compliance, the most common workloads are **Office Click-to-Run apps**, **Client apps**, and **Windows Update policies**. 
@@ -140,7 +140,7 @@ sections: - question: | With co-management, can I use compliance policies in Intune and compliance settings in Configuration Manager to assess overall device compliance? answer: | - Yes. Once you have your environment co-managed, and switch the compliance workload to Intune, you can use your existing Configuration Manager compliance settings and integrate them with [conditional access](../../intune/protect/conditional-access.md). For more information, see the following articles: + Yes. Once you have your environment co-managed, and switch the compliance workload to Intune, you can use your existing Configuration Manager compliance settings and integrate them with [Conditional Access](../../intune/protect/conditional-access.md). For more information, see the following articles: - [Include custom configuration baselines as part of compliance policy assessment](../compliance/deploy-use/create-configuration-baselines.md#bkmk_CAbaselines) diff --git a/memdocs/configmgr/comanage/how-to-enable.md b/memdocs/configmgr/comanage/how-to-enable.md index ba5b3ecf9b5..785c6a1fa21 100644 --- a/memdocs/configmgr/comanage/how-to-enable.md +++ b/memdocs/configmgr/comanage/how-to-enable.md @@ -38,7 +38,7 @@ Make sure the co-management prerequisites are set up before you start this proce Now that you've enabled co-management, look at the following articles for immediate value you can gain in your environment: -- [Conditional access](quickstart-conditional-access.md) +- [Conditional Access](quickstart-conditional-access.md) - [Remote actions from Intune](quickstart-remote-actions.md) diff --git a/memdocs/configmgr/comanage/overview.md b/memdocs/configmgr/comanage/overview.md index b96321668c3..71410d29bd0 100644 --- a/memdocs/configmgr/comanage/overview.md +++ b/memdocs/configmgr/comanage/overview.md 
@@ -18,7 +18,7 @@ ms.reviewer: mstewart,aaroncz # What is co-management? -Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the Microsoft 365 cloud. It helps you unlock more cloud-powered capabilities like conditional access. +Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the Microsoft 365 cloud. It helps you unlock more cloud-powered capabilities like Conditional Access. Co-management enables you to concurrently manage Windows 10 or later devices by using both Configuration Manager and Microsoft Intune. It lets you cloud-attach your existing investment in Configuration Manager by adding new functionality. By using co-management, you have the flexibility to use the technology solution that works best for your organization. @@ -45,7 +45,7 @@ For more information on the paths, see [Paths to co-management](quickstart-paths When you enroll existing Configuration Manager clients in co-management, you gain the following immediate value: -- Conditional access with device compliance +- Conditional Access with device compliance - Intune-based remote actions, for example: restart, remote control, or factory reset diff --git a/memdocs/configmgr/comanage/quickstart-hybrid-aad.md b/memdocs/configmgr/comanage/quickstart-hybrid-aad.md index 244766593df..47d49e7b391 100644 --- a/memdocs/configmgr/comanage/quickstart-hybrid-aad.md +++ b/memdocs/configmgr/comanage/quickstart-hybrid-aad.md 
@@ -16,9 +16,9 @@ ms.reviewer: mstewart,aaroncz # Use Microsoft Entra ID for co-management -In the cloud, identity is the new control plane. Microsoft Entra ID allows you to link your users, devices, and applications across both cloud and on-premises environments. Registering your devices to Microsoft Entra ID enables you to improve productivity for your users and security for your resources. Having devices in Microsoft Entra ID is the foundation for both co-management and device-based conditional access. +In the cloud, identity is the new control plane. Microsoft Entra ID allows you to link your users, devices, and applications across both cloud and on-premises environments. Registering your devices to Microsoft Entra ID enables you to improve productivity for your users and security for your resources. Having devices in Microsoft Entra ID is the foundation for both co-management and device-based Conditional Access. -For more information on device-based conditional access, see [How To: Require managed devices for cloud app access with conditional access](/azure/active-directory/conditional-access/require-managed-devices). +For more information on device-based Conditional Access, see [How To: Require managed devices for cloud app access with Conditional Access](/azure/active-directory/conditional-access/require-managed-devices). In the following video, senior program manager Sandeep Deo and product marketing manager Adam Harbour discuss and demo Microsoft Entra ID for co-management: 
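Review bot: In the "+For more information on device-based Conditional Access, see [How To: Require managed devices for cloud app access with Conditional Access]" line, the link text quotes another article's title, so check that the new casing matches the title published at /azure/active-directory/conditional-access/require-managed-devices. The diffstat (143 files, 283 insertions, 283 deletions) indicates a bulk rename, and quoted titles are where a bulk rename can drift from the source. The same link text appears again in the @@ -66,11 hunk of this file, so keep the two occurrences identical.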
@@ -66,11 +66,11 @@ Windows Hello for Business brings strong password-less authentication to Windows For more information, see [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification). -### Device-based conditional access +### Device-based Conditional Access -Enable conditional access based on the device state to better protect your organization's data. Device-based conditional access requires a managed device. This device must be a compliant device or a Microsoft Entra hybrid joined device. For Microsoft Entra joined devices, you need Intune to mark the device as compliant. But for Microsoft Entra hybrid joined devices, the device state itself is used to evaluate conditional access. Co-management provides you the additional advantage of evaluating compliance through Intune for Microsoft Entra hybrid joined devices. This feature makes sure the device configuration is intact. +Enable Conditional Access based on the device state to better protect your organization's data. Device-based Conditional Access requires a managed device. This device must be a compliant device or a Microsoft Entra hybrid joined device. For Microsoft Entra joined devices, you need Intune to mark the device as compliant. But for Microsoft Entra hybrid joined devices, the device state itself is used to evaluate Conditional Access. Co-management provides you the additional advantage of evaluating compliance through Intune for Microsoft Entra hybrid joined devices. This feature makes sure the device configuration is intact. -For more information on device-based conditional access, see [How To: Require managed devices for cloud app access with conditional access](/azure/active-directory/conditional-access/require-managed-devices). +For more information on device-based Conditional Access, see [How To: Require managed devices for cloud app access with Conditional Access](/azure/active-directory/conditional-access/require-managed-devices). 
### Automatic device licensing diff --git a/memdocs/configmgr/comanage/quickstarts.md b/memdocs/configmgr/comanage/quickstarts.md index f42ccdda0a9..5f7573ae183 100644 --- a/memdocs/configmgr/comanage/quickstarts.md +++ b/memdocs/configmgr/comanage/quickstarts.md @@ -28,13 +28,13 @@ In the following video, Microsoft corporate vice president Brad Anderson introdu | Immediate value | Getting started | |-----------------|-----------------| -| - [Conditional access](#bkmk_ca)
- [Remote actions from Intune](#bkmk_remote)
- [Client health](#bkmk_client-health)
- [Hybrid Microsoft Entra ID](#bkmk_hybrid-aad)
- [Windows Autopilot](#bkmk_autopilot) | - [Paths to co-management](#bkmk_paths)
- [Set up hybrid Microsoft Entra ID](#bkmk_setup-hybrid-aad)
- [Upgrade Windows](#bkmk_upgrade-win10)
- [Get help from FastTrack](#bkmk_fasttrack) | +| - [Conditional Access](#bkmk_ca)
- [Remote actions from Intune](#bkmk_remote)
- [Client health](#bkmk_client-health)
- [Hybrid Microsoft Entra ID](#bkmk_hybrid-aad)
- [Windows Autopilot](#bkmk_autopilot) | - [Paths to co-management](#bkmk_paths)
- [Set up hybrid Microsoft Entra ID](#bkmk_setup-hybrid-aad)
- [Upgrade Windows](#bkmk_upgrade-win10)
- [Get help from FastTrack](#bkmk_fasttrack) | ## Immediate value |Title |Description |Link | |-|-|-| -| **Conditional access with device compliance** | Control user access to corporate resources based on compliance rules from Intune. | [![Thumbnail of conditional access video.](media/thumbnail-conditional-access.png)](quickstart-conditional-access.md) | +| **Conditional Access with device compliance** | Control user access to corporate resources based on compliance rules from Intune. | [![Thumbnail of Conditional Access video.](media/thumbnail-conditional-access.png)](quickstart-conditional-access.md) | | **Remote actions from Intune** | Run remote actions from Intune for co-managed devices. For example, wipe and reset a device and maintain enrollment and account. | [![Thumbnail of remote actions video.](media/thumbnail-remote-action.png)](quickstart-remote-actions.md) | | **Configuration Manager client health** | Maintain visibility of Configuration Manager client health from the Microsoft Intune admin center. | [![Thumbnail of client health video.](media/thumbnail-client-health.png)](quickstart-client-health.md) | | **Microsoft Entra ID** | With Microsoft Entra ID you can take advantage of improved productivity for your users and security for your resources, across both cloud and on-prem environments. | [![Thumbnail of hybrid Microsoft Entra video.](media/thumbnail-azure-ad.png)](quickstart-hybrid-aad.md) | diff --git a/memdocs/configmgr/comanage/toc.yml b/memdocs/configmgr/comanage/toc.yml index cc370733ad6..d2d35509d2f 100644 --- a/memdocs/configmgr/comanage/toc.yml +++ b/memdocs/configmgr/comanage/toc.yml @@ -13,7 +13,7 @@ items: href: quickstarts.md - name: Immediate value items: - - name: Conditional access + - name: Conditional Access href: quickstart-conditional-access.md - name: Remote actions from Intune href: quickstart-remote-actions.md 
diff --git a/memdocs/configmgr/comanage/tutorial-co-manage-clients.md b/memdocs/configmgr/comanage/tutorial-co-manage-clients.md index bfc44265277..3337d988cca 100644 --- a/memdocs/configmgr/comanage/tutorial-co-manage-clients.md +++ b/memdocs/configmgr/comanage/tutorial-co-manage-clients.md @@ -183,4 +183,4 @@ When you enable co-management, you'll assign a collection as a *Pilot group*. Th - Review the status of co-managed devices with the [Co-management dashboard](how-to-monitor.md) - Start getting [immediate value](quickstarts.md#immediate-value) from co-management -- Use [conditional access](quickstart-conditional-access.md) and Intune compliance rules to manage user access to corporate resources +- Use [Conditional Access](quickstart-conditional-access.md) and Intune compliance rules to manage user access to corporate resources diff --git a/memdocs/configmgr/comanage/workloads.md b/memdocs/configmgr/comanage/workloads.md index 006147e7215..7ea466bc388 100644 --- a/memdocs/configmgr/comanage/workloads.md +++ b/memdocs/configmgr/comanage/workloads.md 
@@ -38,7 +38,7 @@ Co-management supports the following workloads: ## Compliance policies -Compliance policies define the rules and settings that a device must comply with to be considered compliant by conditional access policies. Also use compliance policies to monitor and remediate compliance issues with devices independently of conditional access. You can add evaluation of custom configuration baselines as a compliance policy assessment rule. For more information, see [Include custom configuration baselines as part of compliance policy assessment](../compliance/deploy-use/create-configuration-baselines.md#bkmk_CAbaselines). +Compliance policies define the rules and settings that a device must comply with to be considered compliant by Conditional Access policies. Also use compliance policies to monitor and remediate compliance issues with devices independently of Conditional Access. You can add evaluation of custom configuration baselines as a compliance policy assessment rule. For more information, see [Include custom configuration baselines as part of compliance policy assessment](../compliance/deploy-use/create-configuration-baselines.md#bkmk_CAbaselines). For more information on the Intune feature, see [Use compliance policies to set rules for devices you manage with Intune](../../intune/protect/device-compliance-get-started.md). diff --git a/memdocs/configmgr/compliance/deploy-use/create-configuration-baselines.md b/memdocs/configmgr/compliance/deploy-use/create-configuration-baselines.md index e7eb3ae1dd2..44a7e658137 100644 --- a/memdocs/configmgr/compliance/deploy-use/create-configuration-baselines.md +++ b/memdocs/configmgr/compliance/deploy-use/create-configuration-baselines.md 
@@ -79,7 +79,7 @@ To create a configuration baseline by using the **Create Configuration Baseline* ## Include custom configuration baselines as part of compliance policy assessment -You can add evaluation of custom configuration baselines as a compliance policy assessment rule. When you create or edit a configuration baseline, you have an option to **Evaluate this baseline as part of compliance policy assessment**. When adding or editing a compliance policy rule, you have a condition called **Include configured baselines in compliance policy assessment**. For co-managed devices, and when you configure Intune to take Configuration Manager compliance assessment results as part of the overall compliance status, this information is sent to Microsoft Entra ID. You can then use it for conditional access to your Microsoft 365 Apps resources. For more information, see [Conditional access with co-management](../../comanage/quickstart-conditional-access.md). +You can add evaluation of custom configuration baselines as a compliance policy assessment rule. When you create or edit a configuration baseline, you have an option to **Evaluate this baseline as part of compliance policy assessment**. When adding or editing a compliance policy rule, you have a condition called **Include configured baselines in compliance policy assessment**. For co-managed devices, and when you configure Intune to take Configuration Manager compliance assessment results as part of the overall compliance status, this information is sent to Microsoft Entra ID. You can then use it for Conditional Access to your Microsoft 365 Apps resources. For more information, see [Conditional Access with co-management](../../comanage/quickstart-conditional-access.md). To include custom configuration baselines as part of compliance policy assessment, do the following: 
diff --git a/memdocs/configmgr/core/clients/manage/client-notification.md b/memdocs/configmgr/core/clients/manage/client-notification.md index f720ab4ec5c..d5955f26072 100644 --- a/memdocs/configmgr/core/clients/manage/client-notification.md +++ b/memdocs/configmgr/core/clients/manage/client-notification.md @@ -121,9 +121,9 @@ Trigger clients to switch to the next available software update point. For more Trigger Windows 10 or later clients to check and send their latest device health state. For more information, see [Health attestation](../../servers/manage/health-attestation.md). -### Check conditional access compliance +### Check Conditional Access compliance -Trigger clients to check compliance for conditional access policies. For more information, see [Conditional access](../../../comanage/quickstart-conditional-access.md). +Trigger clients to check compliance for Conditional Access policies. For more information, see [Conditional Access](../../../comanage/quickstart-conditional-access.md). ### Wake Up diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1601.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1601.md index dd6550bf6a7..9edfe904457 100644 --- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1601.md +++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1601.md 
@@ -58,9 +58,9 @@ In the 1601 Technical Preview, we have added support for the following features: ### Improvements to Conditional Access -- **Conditional access support for PCs that are managed by Configuration Manager** +- **Conditional Access support for PCs that are managed by Configuration Manager** - You can now set conditional access policies for PCs managed by Configuration Manager, which will require that the PCs be compliant with the compliance policy in order to access Exchange Online and SharePoint Online services. With this new functionality, you can also register PCs with Microsoft Entra ID through the compliance policy, and to monitor and report on Microsoft Entra registration. + You can now set Conditional Access policies for PCs managed by Configuration Manager, which will require that the PCs be compliant with the compliance policy in order to access Exchange Online and SharePoint Online services. With this new functionality, you can also register PCs with Microsoft Entra ID through the compliance policy, and to monitor and report on Microsoft Entra registration. > [!NOTE] > Conditional Access is not yet supported on Windows 10. 
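Review bot: The rewritten "+ You can now set Conditional Access policies for PCs managed by Configuration Manager" line still ends with a non-parallel clause: "you can also register PCs with Microsoft Entra ID through the compliance policy, and to monitor and report on Microsoft Entra registration". Since the line is being modified anyway, drop the stray "to" so it reads "and monitor and report on Microsoft Entra registration".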
@@ -73,7 +73,7 @@ In the 1601 Technical Preview, we have added support for the following features: - [Prerequisites for Microsoft Entra auto-registration](/azure/active-directory/devices/hybrid-azuread-join-plan?rnd=1). - To use the option, you must create a compliance policy in Configuration Manager with specific rules described below, and set a conditional access policy in the Intune console. Also, to make sure only compliant PCs are allowed access, you must set the Windows PC requirement to **Devices must be compliant** option. Following are the compliant policy rules that are applicable to PCs managed by Configuration Manager. + To use the option, you must create a compliance policy in Configuration Manager with specific rules described below, and set a Conditional Access policy in the Intune console. Also, to make sure only compliant PCs are allowed access, you must set the Windows PC requirement to **Devices must be compliant** option. Following are the compliant policy rules that are applicable to PCs managed by Configuration Manager. - **Require registration in Microsoft Entra ID:** This rule checks if the user's device is work place joined to Microsoft Entra ID, and if not, the device is automatically registered in Microsoft Entra ID. Automatic registration is only supported on Windows 8.1. For Windows 7 PCs, deploy an MSI to perform the auto registration. For more information, see [here](/azure/active-directory/devices/hybrid-azuread-join-plan?rnd=1). 
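Review bot: The "+ To use the option, you must create a compliance policy" line still says "Following are the compliant policy rules", while the start of the same line and the bullet below it use "compliance policy". While touching the line, change it to "compliance policy rules", and fix "set the Windows PC requirement to **Devices must be compliant** option" to read "to the **Devices must be compliant** option".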
@@ -86,7 +86,7 @@ In the 1601 Technical Preview, we have added support for the following features: End-users who are blocked due to noncompliance will view compliance information in the Software Center and will initiate a new policy evaluation when compliance issues are remediated. -- **Conditional access with Health Attestation Service** You can now restrict access to email and 0365 services based on the health of the devices as reported by the Health Attestation Service. Additionally, devices that are managed by Intune are included in the device health reports. +- **Conditional Access with Health Attestation Service** You can now restrict access to email and 0365 services based on the health of the devices as reported by the Health Attestation Service. Additionally, devices that are managed by Intune are included in the device health reports. A new compliance rule has been added to the configuration manager console that allows you to specify if the devices should be allowed or blocked access based on their health status. To create this rule, open the **Create Compliance Policy Wizard**, and add a new rule. Select the **Reported as health by Health Attestation Service** for the condition, and set the value to **True**. This will make sure that only devices that are reported as healthy will have access to your company resources. For details about Health Attestation Service and how the health of the devices is reported in Intune, see [Device Health Attestation](capabilities-in-technical-preview-1512.md#bkmk_devicehealth). diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1610.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1610.md index 46a5ad49347..137355f7da8 100644 --- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1610.md +++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1610.md 
@@ -153,9 +153,9 @@ In addition to Full Administrator, the following built-in security roles now hav Read-only access to these areas of the Configuration Manager console is still granted to the **Read-only Analyst** role. -## Conditional access for Windows 10 VPN profiles +## Conditional Access for Windows 10 VPN profiles -You can now require Windows 10 devices enrolled in Microsoft Entra ID to be compliant in order to have VPN access through Windows 10 VPN profiles created in the Configuration Manager console. This is possible through the new **Enable conditional access for this VPN connection** checkbox on the **Authentication Method** page in the VPN profile wizard and VPN profile properties for Windows 10 VPN profiles. You can also specify a separate certificate for single sign-on authentication if you enable conditional access for the profile. +You can now require Windows 10 devices enrolled in Microsoft Entra ID to be compliant in order to have VPN access through Windows 10 VPN profiles created in the Configuration Manager console. This is possible through the new **Enable Conditional Access for this VPN connection** checkbox on the **Authentication Method** page in the VPN profile wizard and VPN profile properties for Windows 10 VPN profiles. You can also specify a separate certificate for single sign-on authentication if you enable Conditional Access for the profile. ## See Also [Technical Preview for Configuration Manager](../../core/get-started/technical-preview.md) diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1702.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1702.md index 6e012644332..c1a08655f63 100644 --- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1702.md +++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1702.md 
@@ -105,15 +105,15 @@ See the following for more information about Microsoft Entra ID: - [Microsoft Entra Domain Services product information](https://azure.microsoft.com/services/active-directory-ds) - [Active Directory Domain Services documentation](/azure/active-directory-domain-services/) -## Conditional access device compliance policy improvements +## Conditional Access device compliance policy improvements -A new device compliance policy rule is available to help you block access to corporate resources that support conditional access, when users are using apps that are part of a non-compliant list of apps. The non-compliant list of apps can be defined by the admin when adding the new compliant rule **Apps that cannot be installed**. This rule requires the admin to enter the **App Name**, the **App ID**, and the **App Publisher** (optional) when adding an app to the non-compliant list. This setting only applies to iOS and Android devices. +A new device compliance policy rule is available to help you block access to corporate resources that support Conditional Access, when users are using apps that are part of a non-compliant list of apps. The non-compliant list of apps can be defined by the admin when adding the new compliant rule **Apps that cannot be installed**. This rule requires the admin to enter the **App Name**, the **App ID**, and the **App Publisher** (optional) when adding an app to the non-compliant list. This setting only applies to iOS and Android devices. Additionally, this helps organizations to mitigate data leakage through unsecured apps, and prevent excessive data consumption through certain apps. ### Try it out -**Scenario:** Identify apps that might be causing data leakage by sending corporate data outside your company, or that are causing excessive data consumption, then [create a conditional access device compliance policy](../../mdm/understand/what-happened-to-hybrid.md) that adds these apps into the non-compliant list of apps. 
This will block access to corporate resources that support conditional access until the user can remove the blocked app. +**Scenario:** Identify apps that might be causing data leakage by sending corporate data outside your company, or that are causing excessive data consumption, then [create a Conditional Access device compliance policy](../../mdm/understand/what-happened-to-hybrid.md) that adds these apps into the non-compliant list of apps. This will block access to corporate resources that support Conditional Access until the user can remove the blocked app. ## Antimalware client version alert Beginning with this preview version, Configuration Manager Endpoint Protection provides an alert if more than 20% (default) of managed clients are using an expired version of the antimalware client (i.e. Windows Defender or Endpoint Protection client). @@ -124,7 +124,7 @@ Ensure Endpoint Protection is enabled on all desktop and server clients using cl To configure the percentage at which the alert is generated, expand **Monitoring** > **Alerts** > **All Alerts**, double-click **Antimalware clients out of date** and modify the **Raise alert if percentage of managed clients with an outdated version of the antimalware client is more than** option. ## Compliance assessment for Windows Update for Business updates -You can now configure a compliance policy update rule to include a Windows Update for Business assessment result as part of the conditional access evaluation. +You can now configure a compliance policy update rule to include a Windows Update for Business assessment result as part of the Conditional Access evaluation. > [!IMPORTANT] > You must have Windows 10 Insider Preview Build 15019 or later to use compliance assessment for Windows Update for Business updates. diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1706.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1706.md index 32ab1a016db..541d9fc7380 100644 
--- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1706.md +++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1706.md @@ -566,9 +566,9 @@ Setting DisallowCrossProfileCopyPaste to true prevents copy-paste behavior betwe 3. In the device setting groups to configure, select **Work Profile**, and choose **Next**. 4. Select the value for **Allow data sharing between work and personal profiles**, and then complete the wizard. -## Device Health Attestation assessment for compliance policies for conditional access +## Device Health Attestation assessment for compliance policies for Conditional Access -Starting with this release you can use Device Health Attestation status as a compliance policy rule for conditional access to company resources. +Starting with this release you can use Device Health Attestation status as a compliance policy rule for Conditional Access to company resources. ### Try it out Select a Device Health Attestation rule as part of a compliance policy assessment. diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1709.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1709.md index 73875c80b30..c681e4c87dc 100644 --- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1709.md +++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1709.md 
@@ -106,7 +106,7 @@ The following are general prerequisites for you to enable co-management: After you enable co-management, Configuration Manager continues to manage all workloads. When you decide that you are ready, you can have Intune start managing available workloads. In this release, you can have Intune manage the following workloads. #### Compliance policies -Compliance policies define the rules and settings that a device must comply with to be considered compliant by conditional access policies. You can also use compliance policies to monitor and remediate compliance issues with devices independently of conditional access. +Compliance policies define the rules and settings that a device must comply with to be considered compliant by Conditional Access policies. You can also use compliance policies to monitor and remediate compliance issues with devices independently of Conditional Access. #### Windows Update for Business policies Windows Update for Business policies let you configure deferral policies for Windows 10 feature updates or quality updates for Windows 10 devices managed directly by Windows Update for Business. For details, see [Configure Windows Update for Business deferral policies](/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10#configure-windows-update-for-business-deferral-policies). diff --git a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1710.md b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1710.md index 856059d44a2..757806d1d1a 100644 --- a/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1710.md +++ b/memdocs/configmgr/core/get-started/capabilities-in-technical-preview-1710.md 
@@ -81,7 +81,7 @@ Add an icon for your app in Software Center. To try it out see [Create applicati ## Check compliance from Software Center for co-managed devices -In this release, users can use Software Center to check the compliance of their co-managed Windows 10 devices even when conditional access is managed by Intune. For details, see [Co-management for Windows 10 devices](./capabilities-in-technical-preview-1709.md#co-management-for-windows-10-devices). +In this release, users can use Software Center to check the compliance of their co-managed Windows 10 devices even when Conditional Access is managed by Intune. For details, see [Co-management for Windows 10 devices](./capabilities-in-technical-preview-1709.md#co-management-for-windows-10-devices). ## Support for Exploit Guard diff --git a/memdocs/configmgr/core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md b/memdocs/configmgr/core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md index f78481d5b02..cd415e91da3 100644 --- a/memdocs/configmgr/core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md +++ b/memdocs/configmgr/core/plan-design/changes/deprecated/removed-and-deprecated-cmfeatures.md 
@@ -74,12 +74,12 @@ The following features are no longer supported. In some cases, they're no longer | Desktop Analytics tile and page for **Security Updates** | December 2020 | March 2021 | | Desktop Analytics option to **View recent data** for device enrollment and security updates. For more information, see [Data latency](../../../../desktop-analytics/troubleshooting.md#data-latency).|May 2020|July 2020| | Windows Analytics and Upgrade Readiness integration. For more information, see [KB 4521815: Windows Analytics retirement on January 31, 2020](https://support.microsoft.com/help/4521815/windows-analytics-retirement). | October 14, 2019 | January 31, 2020 | -| Device health attestation assessment for conditional access compliance policies For more information, see [What happened to hybrid MDM](../../../../mdm/understand/what-happened-to-hybrid.md).| July 3, 2019 | Version 1910 | +| Device health attestation assessment for Conditional Access compliance policies For more information, see [What happened to hybrid MDM](../../../../mdm/understand/what-happened-to-hybrid.md).| July 3, 2019 | Version 1910 | | The Configuration Manager Company Portal app | May 21, 2019 | Version 1910 | | The application catalog, including both site system roles: the application catalog website point and web service point. For more information, see [Remove the application catalog](../../../../apps/plan-design/plan-for-and-configure-application-management.md#remove-the-application-catalog). | May 21, 2019 | Version 1910 | |Certificate-based authentication with Windows Hello for Business settings in Configuration Manager
For more information, see [Windows Hello for Business settings](../../../../protect/deploy-use/windows-hello-for-business-settings.md).|December 2017|Version 1910| |System Center Endpoint Protection for Mac and Linux
For more information, see [End of support blog post](https://techcommunity.microsoft.com/t5/configuration-manager-blog/end-of-support-for-scep-for-mac-and-scep-for-linux-on-december/ba-p/286257).|October 2018|December 31, 2018| -|On-premises conditional access
For more information, see [What happened to hybrid MDM](../../../../mdm/understand/what-happened-to-hybrid.md).|January 30, 2019|September 1, 2019| +|On-premises Conditional Access
For more information, see [What happened to hybrid MDM](../../../../mdm/understand/what-happened-to-hybrid.md).|January 30, 2019|September 1, 2019| |Hybrid mobile device management (MDM)
For more information, see [What happened to hybrid MDM](../../../../mdm/understand/what-happened-to-hybrid.md).

Starting with the 1902 Intune service release, expected at the end of February 2019, new customers can't create a new hybrid connection.|August 14, 2018|September 1, 2019| |Security Content Automation Protocol (SCAP) extensions.
|September 2018|Version 1810| |The **Silverlight user experience** for the application catalog website point is no longer supported. Users should use the new Software Center. For more information, see [Configure Software Center](../../../../apps/plan-design/plan-for-software-center.md#configure-software-center).|August 11, 2017| Version 1806| diff --git a/memdocs/configmgr/core/plan-design/changes/features-and-capabilities.md b/memdocs/configmgr/core/plan-design/changes/features-and-capabilities.md index 9437ec5fe04..e3bdcf14e4f 100644 --- a/memdocs/configmgr/core/plan-design/changes/features-and-capabilities.md +++ b/memdocs/configmgr/core/plan-design/changes/features-and-capabilities.md @@ -22,7 +22,7 @@ This article summarizes the primary management features of Configuration Manager ## Co-management -Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the Microsoft 365 cloud. It enables you to concurrently manage Windows devices by using both Configuration Manager and Microsoft Intune. Co-management lets you cloud-attach your existing investment in Configuration Manager by adding new functionality like conditional access. For more information, see [What is co-management](../../../comanage/overview.md)? +Co-management is one of the primary ways to attach your existing Configuration Manager deployment to the Microsoft 365 cloud. It enables you to concurrently manage Windows devices by using both Configuration Manager and Microsoft Intune. Co-management lets you cloud-attach your existing investment in Configuration Manager by adding new functionality like Conditional Access. For more information, see [What is co-management](../../../comanage/overview.md)? ## Cloud-attached management diff --git a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1602.md b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1602.md index 499978e72b8..b98020eafd6 100644 
--- a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1602.md +++ b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1602.md @@ -108,10 +108,10 @@ You will find these apps in the **Applications** node of the Configuration Manag Kiosk mode allows you to lock a device so that only certain features work. For example, you can allow a device to run only one managed app that you specify, or you can disable the volume buttons on a device. These settings might be used for a demonstration model of a device, or a device that is dedicated to performing only one function, such as a point-of-sale device. In Configuration Manager, you can now specify kiosk mode settings for Samsung KNOX Standard devices. -## Conditional access +## Conditional Access -### Conditional access for PCs managed by Configuration Manager - Previous to this release, to set up conditional access for a PC, the PC either had to be enrolled in Intune or had to be a domain-joined PC. Beginning with the 1602 update, conditional access for PCs managed by Configuration Manager is supported. For your PCs that are managed by Configuration Manager, you can restrict access to Exchange Online and SharePoint Online only to devices that are compliant with the compliance policies you set. +### Conditional Access for PCs managed by Configuration Manager + Previous to this release, to set up Conditional Access for a PC, the PC either had to be enrolled in Intune or had to be a domain-joined PC. Beginning with the 1602 update, Conditional Access for PCs managed by Configuration Manager is supported. For your PCs that are managed by Configuration Manager, you can restrict access to Exchange Online and SharePoint Online only to devices that are compliant with the compliance policies you set. ### Restricting access based on the health of devices 
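Review bot: in the capabilities-in-technical-preview-1601.md hunk, the rewritten bullet still reads "email and 0365 services", with a digit zero where the letter O belongs. That line is already being replaced for the "Conditional Access" capitalization, so correct the service name in the same change rather than carrying the typo forward.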
diff --git a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1610.md b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1610.md index d5a4ec6ee29..d482a89e6c2 100644 --- a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1610.md +++ b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1610.md @@ -196,7 +196,7 @@ You can now get a quick view of overall compliance for devices, and the top reas ## Lookout integration for hybrid implementations to protect iOS and Android devices -Microsoft is integrating with Lookout's mobile threat protection solution to protect iOS and Android mobile devices by detecting malware, risky apps, and more, on devices. Lookout's solution helps you determine the threat level, which is configurable. You can create a compliance policy rule in Configuration Manager to determine device compliance based on the risk assessment by Lookout. Using conditional access policies, you can allow or block access to company resources based on the device compliance status. +Microsoft is integrating with Lookout's mobile threat protection solution to protect iOS and Android mobile devices by detecting malware, risky apps, and more, on devices. Lookout's solution helps you determine the threat level, which is configurable. You can create a compliance policy rule in Configuration Manager to determine device compliance based on the risk assessment by Lookout. Using Conditional Access policies, you can allow or block access to company resources based on the device compliance status. Users of noncompliant iOS devices will be prompted to enroll. They'll be required to install the Lookout for Work app on their devices, activate the app, and remediate threats reported in the Lookout for Work application to gain access to company data. 
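Review bot: in the capabilities-in-technical-preview-1702.md hunk, under "Try it out", the link text "create a Conditional Access device compliance policy" still targets ../../mdm/understand/what-happened-to-hybrid.md, which by its file name is not a how-to for creating a policy. While the sentence is being edited, either point the link at the compliance policy article or reword the link text so it matches the target.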
diff --git a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1702.md b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1702.md index 519aee212c3..4bc2bcbc228 100644 --- a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1702.md +++ b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1702.md @@ -291,9 +291,9 @@ You can now associate multiple Apple volume-purchase program tokens with Configu You can now sync custom line of business apps from the Windows Store for Business. -### Conditional access device compliance policy improvements +### Conditional Access device compliance policy improvements -A new device compliance policy rule is available to help you block access to corporate resources that support conditional access, when users are using apps that are part of a noncompliant list of apps. The noncompliant list of apps can be defined by the admin when adding the new compliant rule **Apps that cannot be installed**. This rule requires the admin to enter the **App Name**, the **App ID**, and the **App Publisher** (optional) when adding an app to the noncompliant list. This setting only applies to iOS and Android devices. +A new device compliance policy rule is available to help you block access to corporate resources that support Conditional Access, when users are using apps that are part of a noncompliant list of apps. The noncompliant list of apps can be defined by the admin when adding the new compliant rule **Apps that cannot be installed**. This rule requires the admin to enter the **App Name**, the **App ID**, and the **App Publisher** (optional) when adding an app to the noncompliant list. This setting only applies to iOS and Android devices. Additionally, this helps organizations to mitigate data leakage through unsecured apps, and prevent excessive data consumption through certain apps. 
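Review bot: the rewritten paragraph in whats-new-in-version-1702.md keeps "when adding the new compliant rule **Apps that cannot be installed**", which reads as a slip for "compliance rule"; the same wording is carried over in the capabilities-in-technical-preview-1702.md hunk. The two files also disagree on spelling ("noncompliant" here, "non-compliant" there). Since both paragraphs are being replaced anyway, fix the wording and pick one spelling in this change.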
diff --git a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1802.md b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1802.md index cbc36d8ecdb..7e847b1ad58 100644 --- a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1802.md +++ b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1802.md @@ -243,7 +243,7 @@ When this client setting option is enabled, user available applications that req ### Software Center shows user additional compliance information - When using Device Health Attestation status as a compliance policy rule for conditional access to company resources, Software Center now shows the user the Device Health Attestation setting that is not compliant. + When using Device Health Attestation status as a compliance policy rule for Conditional Access to company resources, Software Center now shows the user the Device Health Attestation setting that is not compliant. ## Software updates diff --git a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1910.md b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1910.md index 8428390d250..bf1808cd544 100644 --- a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1910.md +++ b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-1910.md 
@@ -129,7 +129,7 @@ For more information, see [Microsoft Connected Cache with Configuration Manager] You can now add evaluation of custom configuration baselines as a compliance policy assessment rule. When you create or edit a configuration baseline, you can now use the **Evaluate this baseline as part of compliance policy assessment** option. When you add or edit a compliance policy rule, you have a condition called **Include configured baselines in compliance policy assessment**. -For co-managed devices, and when you configure Intune to take Configuration Manager compliance assessment results as part of the overall compliance status, this information is sent to Azure Active Directory. You can then use it for conditional access to your Microsoft 365 resources. +For co-managed devices, and when you configure Intune to take Configuration Manager compliance assessment results as part of the overall compliance status, this information is sent to Azure Active Directory. You can then use it for Conditional Access to your Microsoft 365 resources. For more information, see [Include custom configuration baselines as part of compliance policy assessment](../../../compliance/deploy-use/create-configuration-baselines.md#bkmk_CAbaselines). diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1802.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1802.md index cf07d802fba..fc610ae9088 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1802.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1802.md 
@@ -498,6 +498,6 @@ For Configuration Manager version 1802, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1806.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1806.md index a2c23674cb3..5f55fab4502 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1806.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1806.md @@ -533,6 +533,6 @@ For Configuration Manager version 1806, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1810.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1810.md index a5f919d28c5..63e2acef27b 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1810.md 
+++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1810.md @@ -563,7 +563,7 @@ For Configuration Manager version 1810, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1902.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1902.md index 5b320b9be23..3cafdcc611d 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1902.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1902.md @@ -579,7 +579,7 @@ For Configuration Manager version 1902, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1906.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1906.md index d123ffc7e05..02d4d2aeab5 100644 
--- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1906.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1906.md @@ -584,7 +584,7 @@ For Configuration Manager version 1906, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1910.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1910.md index 65dc846d03c..16c98dadd24 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1910.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-1910.md @@ -594,7 +594,7 @@ For Configuration Manager version 1910, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts 
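Review bot: the replaced bullet in each levels-of-diagnostic-usage-data-collection-*.md hunk still spells the protocol as "Exchange Active Sync (EAS)"; the product name is written "Exchange ActiveSync". The line is being touched in every one of these files for the "Conditional Access" capitalization, so the product name can be corrected in the same pass instead of needing a second sweep across all versions.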
diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2002.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2002.md index 2ba1d862e81..01c88a56520 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2002.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2002.md @@ -632,7 +632,7 @@ For Configuration Manager version 2002, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2006.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2006.md index a07ffe2e719..efca0bed8d6 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2006.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2006.md 
@@ -638,7 +638,7 @@ For Configuration Manager version 2006, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2010.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2010.md index ad79d5eb5b0..bd3fa12ec5c 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2010.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2010.md @@ -678,7 +678,7 @@ For Configuration Manager version 2010, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2103.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2103.md index 2d46131ab45..0e078fcd15e 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2103.md 
+++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2103.md @@ -675,7 +675,7 @@ For Configuration Manager version 2103, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2107.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2107.md index 330a26d0e89..b42190371f2 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2107.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2107.md @@ -683,7 +683,7 @@ For Configuration Manager version 2107, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2111.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2111.md index c339b60573f..2f01aba3840 100644 
--- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2111.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2111.md @@ -693,7 +693,7 @@ For Configuration Manager version 2111, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2203.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2203.md index 0b25cd240ef..b4d7b890cf2 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2203.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2203.md @@ -703,7 +703,7 @@ For Configuration Manager version 2203, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts 
diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2207.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2207.md index 0b4294cf7f9..07337bd56e1 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2207.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2207.md @@ -723,7 +723,7 @@ For Configuration Manager version 2207, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2211.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2211.md index bb0fec2044c..04739f2c63a 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2211.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2211.md 
@@ -727,7 +727,7 @@ For Configuration Manager version 2211, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2303.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2303.md index 48319c11466..1b170ac637b 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2303.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2303.md @@ -731,7 +731,7 @@ For Configuration Manager version 2303, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2309.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2309.md index 5697ebf534d..eae41323de0 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2309.md 
+++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2309.md @@ -735,7 +735,7 @@ For Configuration Manager version 2309, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2403.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2403.md index 87aed31f442..9869a53f34f 100644 --- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2403.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2403.md @@ -735,7 +735,7 @@ For Configuration Manager version 2403, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2409.md b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2409.md index db49a3e4b4f..6b88ad44163 100644 
--- a/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2409.md +++ b/memdocs/configmgr/core/plan-design/diagnostics/levels-of-diagnostic-usage-data-collection-2409.md @@ -735,7 +735,7 @@ For Configuration Manager version 2409, this level includes the following data: - Top 50 CPUs in the environment -- Type of Exchange Active Sync (EAS) conditional access policies (block or quarantine) for devices that Microsoft Intune manages +- Type of Exchange Active Sync (EAS) Conditional Access policies (block or quarantine) for devices that Microsoft Intune manages - Microsoft Store for Business application details: non-aggregate list of synced applications including AppID, online state or offline state, and total purchased license counts diff --git a/memdocs/configmgr/core/servers/manage/community-hub.md b/memdocs/configmgr/core/servers/manage/community-hub.md index 5770ebea921..20558ebfd10 100644 --- a/memdocs/configmgr/core/servers/manage/community-hub.md +++ b/memdocs/configmgr/core/servers/manage/community-hub.md @@ -190,7 +190,7 @@ If you delete a downloaded report from the **Monitoring** > **Reports** node, th When single sign on with multifactor authentication is used, you may not be able to sign in for the following features when using Configuration Manager 2103 and earlier: - Community hub - Community hub from CMPivot -- Custom tabs in Software Center that load a website that's subject to conditional access policies +- Custom tabs in Software Center that load a website that's subject to Conditional Access policies ## Next steps diff --git a/memdocs/configmgr/core/understand/product-and-licensing-faq.yml b/memdocs/configmgr/core/understand/product-and-licensing-faq.yml index 9219524e8bc..ac111f53207 100644 --- a/memdocs/configmgr/core/understand/product-and-licensing-faq.yml +++ b/memdocs/configmgr/core/understand/product-and-licensing-faq.yml 
@@ -101,7 +101,7 @@ sections: |iOS, Android, macOS enrollment|No|Yes| |Autopilot|No|Yes| |Mobile Application Management (MAM)|No|Yes| - |Conditional access
(additional AADP1 required)|Yes|Yes| + |Conditional Access
(additional AADP1 required)|Yes|Yes| |Device profiles|Yes|Yes| |Software update management|Yes|Yes| |Inventory|Yes|Yes| @@ -117,7 +117,7 @@ sections: - [Windows Autopilot requirements](/windows/deployment/windows-autopilot/windows-autopilot-requirements) - [Tenant attach prerequisites](../../tenant-attach/prerequisites.md) - [Endpoint analytics licensing prerequisites](../../../analytics/overview.md#licensing-prerequisites) - - [Use conditional access with Intune](../../../intune/protect/conditional-access.md#ways-to-use-conditional-access-with-intune) + - [Use Conditional Access with Intune](../../../intune/protect/conditional-access.md#ways-to-use-conditional-access-with-intune) - [TeamViewer prerequisites](../../../intune/remote-actions/teamviewer-support.md#prerequisites) - question: | diff --git a/memdocs/configmgr/develop/adminservice/faq.yml b/memdocs/configmgr/develop/adminservice/faq.yml index 6eaf17ec33f..aeb39817816 100644 --- a/memdocs/configmgr/develop/adminservice/faq.yml +++ b/memdocs/configmgr/develop/adminservice/faq.yml @@ -55,7 +55,7 @@ sections: - Add additional security layers. For example, [Azure App Proxy](/azure/active-directory/manage-apps/application-proxy). - question: | - Can I use it with conditional access? + Can I use it with Conditional Access? answer: | Yes, and that configuration is easiest if you use [Azure App Proxy](/azure/active-directory/manage-apps/application-proxy). diff --git a/memdocs/configmgr/mdm/understand/what-happened-to-hybrid.md b/memdocs/configmgr/mdm/understand/what-happened-to-hybrid.md index 11f5aaf8d30..c4b137f6edf 100644 --- a/memdocs/configmgr/mdm/understand/what-happened-to-hybrid.md +++ b/memdocs/configmgr/mdm/understand/what-happened-to-hybrid.md 
@@ -56,14 +56,14 @@ The following note is the original deprecation announcement: > > - The on-premises MDM feature in Configuration Manager isn't deprecated. Starting in Configuration Manager version 1810, you can use on-premises MDM without an Intune connection. For more information, see [An Intune connection is no longer required for new on-premises MDM deployments](../../core/plan-design/changes/whats-new-in-version-1810.md#bkmk_opmdm). > -> - The on-premises conditional access feature of Configuration Manager is also deprecated with hybrid MDM. If you use conditional access on devices managed with the Configuration Manager client, make sure they are protected before you migrate. -> 1. Set up conditional access policies in Azure +> - The on-premises Conditional Access feature of Configuration Manager is also deprecated with hybrid MDM. If you use Conditional Access on devices managed with the Configuration Manager client, make sure they are protected before you migrate. +> 1. Set up Conditional Access policies in Azure > 2. Set up compliance policies in Intune portal > 3. Finish hybrid migration, and set the MDM authority to Intune > 4. Enable co-management > 5. Move the compliance policies co-management workload to Intune > -> For more information, see [Conditional access with co-management](../../comanage/quickstart-conditional-access.md). +> For more information, see [Conditional Access with co-management](../../comanage/quickstart-conditional-access.md). > > **What do I need to do to prepare for this change?** > diff --git a/memdocs/configmgr/tenant-attach/troubleshoot.md b/memdocs/configmgr/tenant-attach/troubleshoot.md index dbf29c88150..9b6bd2073b2 100644 --- a/memdocs/configmgr/tenant-attach/troubleshoot.md +++ b/memdocs/configmgr/tenant-attach/troubleshoot.md 
@@ -193,4 +193,4 @@ If a device is a distribution point that uses the same PKI certificate for both ## Next steps - [Troubleshoot ConfigMgr client details](troubleshoot-client-details.md) -- [Enable co-management](../comanage/overview.md) to get additional cloud-powered capabilities like conditional access. +- [Enable co-management](../comanage/overview.md) to get additional cloud-powered capabilities like Conditional Access. diff --git a/memdocs/intune/apps/app-configuration-policies-outlook.md b/memdocs/intune/apps/app-configuration-policies-outlook.md index 74e4223c4a3..a4616b34af8 100644 --- a/memdocs/intune/apps/app-configuration-policies-outlook.md +++ b/memdocs/intune/apps/app-configuration-policies-outlook.md 
@@ -32,10 +32,10 @@ ms.custom: intune-azure The Outlook for iOS and Android app is designed to enable users in your organization to do more from their mobile devices, by bringing together email, calendar, contacts, and other files. -The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as conditional access. At a minimum, you will want to deploy a conditional access policy that allows connectivity to Outlook for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected. +The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as Conditional Access. At a minimum, you will want to deploy a Conditional Access policy that allows connectivity to Outlook for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected. ## Apply Conditional Access -Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Outlook for iOS and Android. To do this, you will need a conditional access policy that targets all potential users. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). +Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Outlook for iOS and Android. To do this, you will need a Conditional Access policy that targets all potential users. 
These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). 1. Follow the steps in [Require approved client apps or app protection policy with mobile devices](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection#require-approved-client-apps-or-app-protection-policy-with-mobile-devices). This policy allows Outlook for iOS and Android, but blocks OAuth and basic authentication capable Exchange ActiveSync mobile clients from connecting to Exchange Online. @@ -49,7 +49,7 @@ Organizations can use Microsoft Entra Conditional Access policies to ensure that 3. Follow the steps in [How to: Block legacy authentication to Microsoft Entra ID with Conditional Access](/azure/active-directory/conditional-access/block-legacy-authentication) to block legacy authentication for other Exchange protocols on iOS and Android devices; this policy should target only Microsoft Exchange Online cloud app and iOS and Android device platforms. This ensures mobile apps using Exchange Web Services, IMAP4, or POP3 protocols with basic authentication cannot connect to Exchange Online. > [!NOTE] -> To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md). +> To leverage app-based Conditional Access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md). ## Create Intune app protection policies 
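Review bot: The Exchange protocol name is spelled two ways across this patch. The step 1 context line in the @@ -32,10 hunk of this file reads "Exchange ActiveSync", while the + lines in the levels-of-diagnostic-usage-data-collection-*.md hunks keep "Exchange Active Sync (EAS)". Those lines are already being touched for the Conditional Access casing, so correct the protocol name in the same pass and keep the versioned files consistent with this one.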
diff --git a/memdocs/intune/apps/app-management.md b/memdocs/intune/apps/app-management.md index 3df9d4ccb3d..88624873d70 100644 --- a/memdocs/intune/apps/app-management.md +++ b/memdocs/intune/apps/app-management.md @@ -47,7 +47,7 @@ The benefits of app management in Microsoft Intune include: Examples of using app management with Microsoft Intune include: - Deploying, protecting, and managing apps for specific groups of users within your organization - Configuring app settings, such as data sharing restrictions, to ensure compliance with corporate policies -- Implementing conditional access policies to control access to apps based on factors like device compliance, location, and user risk +- Implementing Conditional Access policies to control access to apps based on factors like device compliance, location, and user risk - Automating app updates to keep employees up-to-date with the latest features and security patches > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4MRyj] diff --git a/memdocs/intune/apps/mamedge-1-mamca.md b/memdocs/intune/apps/mamedge-1-mamca.md index 084bbfad370..2a47cbc8c27 100644 --- a/memdocs/intune/apps/mamedge-1-mamca.md +++ b/memdocs/intune/apps/mamedge-1-mamca.md @@ -1,9 +1,9 @@ --- # required metadata -title: Step 1. Create Microsoft Entra conditional access with Microsoft Edge for Business +title: Step 1. Create Microsoft Entra Conditional Access with Microsoft Edge for Business titleSuffix: -description: Step 1. Create Microsoft Entra conditional access with Microsoft Edge for Business. +description: Step 1. Create Microsoft Entra Conditional Access with Microsoft Edge for Business. keywords: author: Erikre ms.author: erikre 
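Review bot: In the mamedge-1-mamca.md front matter, the description repeats the title word for word ("Step 1. Create Microsoft Entra Conditional Access with Microsoft Edge for Business"), so the recased + line still tells a reader nothing the title does not. Since both lines are being edited anyway, make the description say what the step produces, for example that it creates a Conditional Access policy requiring an app protection policy. "Create a Microsoft Entra Conditional Access policy" would also read better than "Create Microsoft Entra Conditional Access".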
@@ -30,11 +30,11 @@ ms.collection: - FocusArea_Apps_AppManagement --- -# Step 1. Create Microsoft Entra conditional access with Microsoft Edge for Business +# Step 1. Create Microsoft Entra Conditional Access with Microsoft Edge for Business -The modern security perimeter extends beyond an organization's network perimeter to include user and device identity. Organizations now use identity-driven signals as part of their access control decisions. Microsoft Entra conditional access brings signals together to help enforce organizational policies. It's Microsoft's Zero Trust policy engine that takes signals from various sources into account when enforcing policy decisions. +The modern security perimeter extends beyond an organization's network perimeter to include user and device identity. Organizations now use identity-driven signals as part of their access control decisions. Microsoft Entra Conditional Access brings signals together to help enforce organizational policies. It's Microsoft's Zero Trust policy engine that takes signals from various sources into account when enforcing policy decisions. -Conditional access policies at their simplest include *if-then* statements. If a user wants to access a resource, then they must complete an action. For example, if a user wants to access an application or service such as Microsoft 365, then they must perform multifactor authentication to gain access. +Conditional Access policies at their simplest include *if-then* statements. If a user wants to access a resource, then they must complete an action. For example, if a user wants to access an application or service such as Microsoft 365, then they must perform multifactor authentication to gain access. Identity-driven signals may include: 
@@ -46,19 +46,19 @@ Identity-driven signals may include: :::image type="content" alt-text="Conditional Access Policy Decision Making.." source="./media/securing-data-edge-for-business/securing-data-edge-for-businessCA.png" lightbox="./media/securing-data-edge-for-business/securing-data-edge-for-businessCA.png"::: -Conditional access is enforced after initial authentication is completed. It isn't intended to be an organization's frontline of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access. +Conditional Access is enforced after initial authentication is completed. It isn't intended to be an organization's frontline of defense for scenarios like denial-of-service (DoS) attacks, but it can use signals from these events to determine access. -## Conditional access compliance +## Conditional Access compliance -Protecting your organizational data involves preventing data loss. Data Loss Prevention (DLP) is effective only when your organizational data can’t be accessed from any unprotected system or device. App protection policies can be used with conditional access (CA) to ensure that these policies aren’t only supported but also enforced in a client application before granting access to protected resources, such as organizational data. This approach allows end-users with personal devices, including Windows, Android, and iOS, to use APP-managed applications, including Microsoft Edge for Business, to access Microsoft Entra resources without the need for full management of their personal device. +Protecting your organizational data involves preventing data loss. Data Loss Prevention (DLP) is effective only when your organizational data can’t be accessed from any unprotected system or device. 
App protection policies can be used with Conditional Access (CA) to ensure that these policies aren’t only supported but also enforced in a client application before granting access to protected resources, such as organizational data. This approach allows end-users with personal devices, including Windows, Android, and iOS, to use APP-managed applications, including Microsoft Edge for Business, to access Microsoft Entra resources without the need for full management of their personal device. -Secure your Microsoft Edge for Business with Microsoft Entra conditional access policies by using the following steps. +Secure your Microsoft Edge for Business with Microsoft Entra Conditional Access policies by using the following steps. -In this scenario, you'll create a conditional access policy using Microsoft Intune. To create the policy, you must perform the following steps: +In this scenario, you'll create a Conditional Access policy using Microsoft Intune. To create the policy, you must perform the following steps: 1. Navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Endpoint security** > **Conditional access** > **New policy**. +2. Select **Endpoint security** > **Conditional Access** > **New policy**. 3. On the **Conditional Access policy** pane, set the following details: 
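Review bot: The step 2 change recases a bolded UI label, not prose: "**Endpoint security** > **Conditional access** > **New policy**" becomes "**Conditional Access**". Bolded path segments should match the string the Intune admin center actually displays, so please confirm the node is labelled "Conditional Access" in the current portal before applying the style rule here. The same applies to the identical path in the @@ -79,13 hunk.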
@@ -79,13 +79,13 @@ In this scenario, you'll create a conditional access policy using Microsoft Intu ## Browser only access for Windows BYOD -In an era where Bring Your Own Device (BYOD) has become the norm, implementing conditional access policies specifically for browser-only access is critical towards securing your digital boundaries and ensuring seamless user experience. +In an era where Bring Your Own Device (BYOD) has become the norm, implementing Conditional Access policies specifically for browser-only access is critical towards securing your digital boundaries and ensuring seamless user experience. -In the previous steps, you implemented conditional access as a required app protection policy. In the following steps, you'll configure a policy to ensure that same resources (O365 in this example) are not accessed from desktop apps. A similar approach could be taken for mobile apps. However, mobile apps also support app protection policies, so it is important look at the scenario rather than block access from mobile apps and allow browser access only. +In the previous steps, you implemented Conditional Access as a required app protection policy. In the following steps, you'll configure a policy to ensure that same resources (O365 in this example) are not accessed from desktop apps. A similar approach could be taken for mobile apps. However, mobile apps also support app protection policies, so it is important look at the scenario rather than block access from mobile apps and allow browser access only. 1. Navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Endpoint security** > **Conditional access** > **New policy**. +2. Select **Endpoint security** > **Conditional Access** > **New policy**. 4. On this new policy, you'll restrict access from desktop apps to managed devices only. You'll select target resources and select apps once they select **Office 365** to follow the example in this page. 
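Review bot: The rewritten paragraph under "Browser only access for Windows BYOD" carries two grammar slips into the + line: "ensure that same resources" should read "ensure that the same resources", and "it is important look at the scenario" should read "it is important to look at the scenario". The visible step list in this hunk also goes from 2 straight to 4, so check whether a step 3 was dropped or the list needs renumbering.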
@@ -110,7 +110,7 @@ In the previous steps, you implemented conditional access as a required app prot > Probably to this last control, customers should add also MFA or other options as well.* -8. Select **Done** \> select **Create** and complete the conditional access policy creation as you performed on the previous step. +8. Select **Done** \> select **Create** and complete the Conditional Access policy creation as you performed on the previous step. ## Next step diff --git a/memdocs/intune/apps/mamedge-2-app.md b/memdocs/intune/apps/mamedge-2-app.md index fbec5db404c..fda5b21c166 100644 --- a/memdocs/intune/apps/mamedge-2-app.md +++ b/memdocs/intune/apps/mamedge-2-app.md 
@@ -123,7 +123,7 @@ Incorporate Microsoft Edge for Business into your existing data security and man Microsoft Edge for Business provide benefits for both management and security: - **Management**: Microsoft Edge for Business is the only mobile browser natively supported by Microsoft Intune with seamless integration. To secure productivity for your organization, App level management allows IT to configure the right balance between data protection and access. -- **Security**: Data protection and leakage prevention are based on conditional access and user identities. Microsoft 365 security features extend to Microsoft Edge for Business mobile including Microsoft Entra Conditional Access, and Data Loss Prevention. For organizations utilizing VPN solutions, Microsoft Edge mobile offers support for identity-enlightened per-app VPN. This includes the integration of Microsoft Tunnel with Intune for a seamless and secure connection. Additionally, solutions that don't require a VPN are also available. +- **Security**: Data protection and leakage prevention are based on Conditional Access and user identities. Microsoft 365 security features extend to Microsoft Edge for Business mobile including Microsoft Entra Conditional Access, and Data Loss Prevention. For organizations utilizing VPN solutions, Microsoft Edge mobile offers support for identity-enlightened per-app VPN. This includes the integration of Microsoft Tunnel with Intune for a seamless and secure connection. Additionally, solutions that don't require a VPN are also available. ### App protection policies for mobile diff --git a/memdocs/intune/apps/mamedge-3-scc.md b/memdocs/intune/apps/mamedge-3-scc.md index 4f9b5184dc4..e824bc9a912 100644 --- a/memdocs/intune/apps/mamedge-3-scc.md +++ b/memdocs/intune/apps/mamedge-3-scc.md 
@@ -3,7 +3,7 @@ title: Step 3. Integrate Mobile Threat Defense for App Protection Policy titleSuffix: -description: Step 3. Integrate Microsoft Entra conditional access with Microsoft Edge for Business. +description: Step 3. Integrate Microsoft Entra Conditional Access with Microsoft Edge for Business. keywords: author: Erikre ms.author: erikre 
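Review bot: The description in this front matter does not match the page it belongs to. The title is "Step 3. Integrate Mobile Threat Defense for App Protection Policy", but the + line still reads "Step 3. Integrate Microsoft Entra Conditional Access with Microsoft Edge for Business." Recasing it preserves what looks like a leftover from the Step 1 article; replace it with a description of the Mobile Threat Defense integration rather than only fixing the capitalization.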
@@ -33,7 +33,7 @@ ms.collection: # Step 3. Integrate Mobile Threat Defense -The Microsoft Mobile Threat Defense (MTD) connector is a feature in Microsoft Intune that creates a channel of communication between Intune and your chosen MTD vendor, regardless of the device’s operating system. There are various supported MTD partners for both Windows and mobile devices. Intune integrates data from an MTD vendor as an information source for device compliance policies and device conditional access rules. The information provided by this communication channel can help protect corporate resources, such as Exchange and SharePoint data, by blocking access from compromised devices. +The Microsoft Mobile Threat Defense (MTD) connector is a feature in Microsoft Intune that creates a channel of communication between Intune and your chosen MTD vendor, regardless of the device’s operating system. There are various supported MTD partners for both Windows and mobile devices. Intune integrates data from an MTD vendor as an information source for device compliance policies and device Conditional Access rules. The information provided by this communication channel can help protect corporate resources, such as Exchange and SharePoint data, by blocking access from compromised devices. Mobile Application Management (MAM) threat detection can be integrated with various MTD partners, including Windows Security Center. This integration provides a client device health assessment to Intune application protection policies (APP) via a service-to-service connector. This assessment supports gating the flow and access to organizational data on personal unmanaged devices. diff --git a/memdocs/intune/apps/mamedge-5-end-user-experience.md b/memdocs/intune/apps/mamedge-5-end-user-experience.md index 6aa05cd9abe..7f98dc2cac7 100644 --- a/memdocs/intune/apps/mamedge-5-end-user-experience.md +++ b/memdocs/intune/apps/mamedge-5-end-user-experience.md 
@@ -32,7 +32,7 @@ ms.collection: # Step 5. Understand Microsoft Edge for Business end user experience for Windows -Now that you've configured your Microsoft Entra conditional access policy and created your first app protection policy for Windows, you can launch **Microsoft Edge for Business** using a managed or unmanaged device. +Now that you've configured your Microsoft Entra Conditional Access policy and created your first app protection policy for Windows, you can launch **Microsoft Edge for Business** using a managed or unmanaged device. The end user experience in Microsoft Edge for Business is designed to be productive, secure, and user-friendly. This secure enterprise browser experience includes the following features: diff --git a/memdocs/intune/apps/mamedge-overview.md b/memdocs/intune/apps/mamedge-overview.md index 4cd4f1df5e1..36697a9ddf5 100644 --- a/memdocs/intune/apps/mamedge-overview.md +++ b/memdocs/intune/apps/mamedge-overview.md 
@@ -43,7 +43,7 @@ This content helps you implement and secure enterprise browser configuration for The target audience for this content includes: - **Intune Administrators:** This content provides detailed guidance about configuring and managing Microsoft Edge for Business in Microsoft Intune. -- **Security Professionals:** This content includes security related areas, such as the [data protection framework using app protection policies](../apps/app-protection-framework.md), [app configuration policies](../apps/app-configuration-policies-overview.md), data encryption, and [conditional access policies](../apps/app-protection-framework.md#conditional-access-policies). You can use this content to enhance your organization's security posture. +- **Security Professionals:** This content includes security related areas, such as the [data protection framework using app protection policies](../apps/app-protection-framework.md), [app configuration policies](../apps/app-configuration-policies-overview.md), data encryption, and [Conditional Access policies](../apps/app-protection-framework.md#conditional-access-policies). You can use this content to enhance your organization's security posture. - **Decision Makers:** This content can help decision makers understand the security, productivity, and manageability benefits of Microsoft Edge for Business. In addition, this content helps decision makers make informed decisions about their browser choice for their organization. > [!NOTE] 
@@ -53,7 +53,7 @@ The target audience for this content includes: This guide provides the following content: -1. **Microsoft Entra conditional access with Microsoft Edge for Business** - Create an Entra conditional access policy and Intune app protection policy for browsing on Android, iOS and Windows. +1. **Microsoft Entra Conditional Access with Microsoft Edge for Business** - Create an Entra Conditional Access policy and Intune app protection policy for browsing on Android, iOS and Windows. 2. **App protection policies for Microsoft Edge for Business** - Ensure secure access and usage of enterprise applications when implementing app protection policies. 3. **Integrate Mobile Threat Defense** - Enhance the overall security posture of your organization by using the secure enterprise browser to integrate with the Windows Security Center, Microsoft Defender or any MTD Partners. 4. **App configuration policies for Microsoft Edge for Business** - Understand Microsoft Edge for Business and Microsoft Application Management can be used to protect your organization from various cyber threats. @@ -90,7 +90,7 @@ In addition to the above benefits, you can enable protected Mobile Application M - Intune application configuration policies (ACP) with Microsoft Edge for Business. Using ACP allows you to leverage Edge’s settings to better enable a secure browsing experience. - Intune application protection policies (APP) to secure organization data and ensure the client device is healthy. - Mobile Threat Protection (MTP) integrated with Intune APP to detect local health threats on personal Windows and all mobile devices. -- Microsoft Entra conditional access to ensure the device is protected and healthy before granting protected services access via Microsoft Entra. +- Microsoft Entra Conditional Access to ensure the device is protected and healthy before granting protected services access via Microsoft Entra. ## Zero Trust Methodology 
@@ -128,4 +128,4 @@ This solution provides insights into securing your enterprise browser configurat [![Steps to secure your corporate data in Intune with Microsoft Edge for Business.](./media/securing-data-edge-for-business/securing-data-edge-for-business-steps.png)](mamedge-1-mamca.md) -Continue with [Step 1](mamedge-1-mamca.md) to create Microsoft Entra conditional access. +Continue with [Step 1](mamedge-1-mamca.md) to create Microsoft Entra Conditional Access. diff --git a/memdocs/intune/apps/manage-microsoft-edge.md b/memdocs/intune/apps/manage-microsoft-edge.md index a98bbdc6483..25f4f3e9bb4 100644 --- a/memdocs/intune/apps/manage-microsoft-edge.md +++ b/memdocs/intune/apps/manage-microsoft-edge.md 
@@ -44,7 +44,7 @@ This feature applies to: > [!NOTE] > Edge for iOS and Android doesn't consume settings that users set for the native browser on their devices, because Edge for iOS and Android can't access these settings. -The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as conditional access. At a minimum, you'll want to deploy a conditional access policy that only allows connectivity to Edge for iOS and Android from mobile devices and an Intune app protection policy that ensures the browsing experience is protected. +The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as Conditional Access. At a minimum, you'll want to deploy a Conditional Access policy that only allows connectivity to Edge for iOS and Android from mobile devices and an Intune app protection policy that ensures the browsing experience is protected. > [!NOTE] > New web clips (pinned web apps) on iOS devices will open in Edge for iOS and Android instead of the Intune Managed Browser when required to open in a protected browser. For older iOS web clips, you must re-target these web clips to ensure they open in Edge for iOS and Android rather than the Managed Browser. 
@@ -82,7 +82,7 @@ Regardless of whether the device is enrolled in a unified endpoint management (U ## Apply Conditional Access While it's important to protect Microsoft Edge with App Protection Policies (APP), it's also crucial to ensure Microsoft Edge is the mandatory browser for opening corporate applications. Users might otherwise use other unprotected browsers to access corporate applications, potentially leading to data leaks. -Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Edge for iOS and Android. To do this, you'll need a conditional access policy that targets all potential users. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). +Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Edge for iOS and Android. To do this, you'll need a Conditional Access policy that targets all potential users. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). Follow the steps in [Require approved client apps or app protection policy with mobile devices](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection#require-approved-client-apps-or-app-protection-policy-with-mobile-devices), which allows Edge for iOS and Android, but blocks other mobile device web browsers from connecting to Microsoft 365 endpoints. 
@@ -92,7 +92,7 @@ Follow the steps in [Require approved client apps or app protection policy with With Conditional Access, you can also target on-premises sites that you have exposed to external users via the [Microsoft Entra application proxy](/azure/active-directory/active-directory-application-proxy-get-started). > [!NOTE] -> To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md). +> To leverage app-based Conditional Access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md). ## Single sign-on to Microsoft Entra connected web apps in policy-protected browsers diff --git a/memdocs/intune/apps/manage-microsoft-office.md b/memdocs/intune/apps/manage-microsoft-office.md index 757629b2953..cb60445832d 100644 --- a/memdocs/intune/apps/manage-microsoft-office.md +++ b/memdocs/intune/apps/manage-microsoft-office.md 
@@ -40,10 +40,10 @@ Microsoft 365 (Office) for iOS and Android delivers several key benefits includi - Integrating Microsoft Lens technology to unlock the power of the camera with capabilities like converting images into editable Word and Excel documents, scanning PDFs, and capturing whiteboards with automatic digital enhancements to make the content easier to read. - Adding new functionality for common tasks people often encounter when working on a phone—things like making quick notes, signing PDFs, scanning QR codes, and transferring files between devices. -The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as conditional access. At a minimum, you will want to deploy a conditional access policy that allows connectivity to Microsoft 365 (Office) for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected. +The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as Conditional Access. At a minimum, you will want to deploy a Conditional Access policy that allows connectivity to Microsoft 365 (Office) for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected. ## Apply Conditional Access -Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Microsoft 365 (Office) for iOS and Android. To do this, you will need a conditional access policy that targets all potential users. 
These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). +Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Microsoft 365 (Office) for iOS and Android. To do this, you will need a Conditional Access policy that targets all potential users. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). 1. Follow the steps in [Require approved client apps or app protection policy with mobile devices](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection#require-approved-client-apps-or-app-protection-policy-with-mobile-devices), which allows Microsoft 365 (Office) for iOS and Android, but blocks third-party OAuth capable mobile device clients from connecting to Microsoft 365 endpoints. @@ -51,7 +51,7 @@ Organizations can use Microsoft Entra Conditional Access policies to ensure that > This policy ensures mobile users can access all Microsoft 365 endpoints using the applicable apps. > [!NOTE] -> To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md). +> To leverage app-based Conditional Access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md). ## Create Intune app protection policies 
diff --git a/memdocs/intune/apps/manage-microsoft-teams.md b/memdocs/intune/apps/manage-microsoft-teams.md index 665a5fb776d..f5d9fa40091 100644 --- a/memdocs/intune/apps/manage-microsoft-teams.md +++ b/memdocs/intune/apps/manage-microsoft-teams.md 
@@ -36,14 +36,14 @@ ms.collection: Microsoft Teams is the hub for team collaboration in Microsoft 365 that integrates the people, content, and tools your team needs to be more engaged and effective. -The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as conditional access. At a minimum, you'll want to deploy a conditional access policy that allows connectivity to Teams for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected. +The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as Conditional Access. At a minimum, you'll want to deploy a Conditional Access policy that allows connectivity to Teams for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected. ## Apply Conditional Access -Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Teams for iOS and Android. To do this, you will need a conditional access policy that targets all potential users. These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). +Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using Teams for iOS and Android. To do this, you will need a Conditional Access policy that targets all potential users. 
These policies are described in [Conditional Access: Require approved client apps or app protection policy](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection). > [!NOTE] -> To leverage app-based conditional access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md). +> To leverage app-based Conditional Access policies, the Microsoft Authenticator app must be installed on iOS devices. For Android devices, the Intune Company Portal app is required. For more information, see [App-based Conditional Access with Intune](../protect/app-based-conditional-access-intune.md). Follow the steps in [Require approved client apps or app protection policy with mobile devices](/azure/active-directory/conditional-access/howto-policy-approved-app-or-app-protection#require-approved-client-apps-or-app-protection-policy-with-mobile-devices), which allows Teams for iOS and Android, but blocks third-party OAuth capable mobile device clients from connecting to Microsoft 365 endpoints. diff --git a/memdocs/intune/apps/protect-mam-windows.md b/memdocs/intune/apps/protect-mam-windows.md index 667771bb9c6..7cd5ac02221 100644 --- a/memdocs/intune/apps/protect-mam-windows.md +++ b/memdocs/intune/apps/protect-mam-windows.md 
@@ -78,7 +78,7 @@ Preventing data loss is a part of protecting your organizational data. Data loss This MAM service syncs compliance state per user, per app, and per device to the Microsoft Entra CA service. This includes the threat information received from the Mobile Threat Defense (MTD) vendors starting with Windows Security Center. > [!NOTE] -> This MAM service uses the same conditional access compliance workflow that is used to [manage Microsoft Edge on iOS and Android devices](../apps/manage-microsoft-edge.md). +> This MAM service uses the same Conditional Access compliance workflow that is used to [manage Microsoft Edge on iOS and Android devices](../apps/manage-microsoft-edge.md). When a change is detected, the MAM service updates the device compliance state immediately. The service also includes MTD health state as part of the compliance state. 
@@ -88,7 +88,7 @@ When a change is detected, the MAM service updates the device compliance state i The MAM Client communicates the client heath state (or health metadata) to the MAM Service upon check-in. The health state includes any failure of APP Health Checks for **Block** or **Wipe** conditions. In addition, Microsoft Entra ID guides end-users through remediation steps when they attempt to access a blocked CA resource. ### Conditional Access Compliance -Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using policy managed applications on Windows. To do this, you'll need a conditional access policy that targets all potential users. Follow the steps in [Require an app protection policy on Windows devices](/azure/active-directory/conditional-access/how-to-app-protection-policy-windows), which allows Microsoft Edge for Windows, but blocks other web browsers from connecting to Microsoft 365 endpoints. +Organizations can use Microsoft Entra Conditional Access policies to ensure that users can only access work or school content using policy managed applications on Windows. To do this, you'll need a Conditional Access policy that targets all potential users. Follow the steps in [Require an app protection policy on Windows devices](/azure/active-directory/conditional-access/how-to-app-protection-policy-windows), which allows Microsoft Edge for Windows, but blocks other web browsers from connecting to Microsoft 365 endpoints. With Conditional Access, you can also target on-premises sites that you have exposed to external users via the [Microsoft Entra application proxy](/azure/active-directory/active-directory-application-proxy-get-started). diff --git a/memdocs/intune/configuration/device-profile-assign.md b/memdocs/intune/configuration/device-profile-assign.md index 84a8e9d7e68..5aa7f42b36d 100644 --- a/memdocs/intune/configuration/device-profile-assign.md 
+++ b/memdocs/intune/configuration/device-profile-assign.md @@ -40,7 +40,7 @@ In Intune, you can create and assign the following policies: - App protection policies - App configuration policies - Compliance policies -- Conditional access policies +- Conditional Access policies - Device configuration profiles - Enrollment policies diff --git a/memdocs/intune/configuration/device-profile-troubleshoot.md b/memdocs/intune/configuration/device-profile-troubleshoot.md index 033ed40794f..866d264d2ae 100644 --- a/memdocs/intune/configuration/device-profile-troubleshoot.md +++ b/memdocs/intune/configuration/device-profile-troubleshoot.md @@ -40,7 +40,7 @@ This article applies to the following policies: - App protection policies - App configuration policies - Compliance policies -- Conditional access policies +- Conditional Access policies - Device configuration profiles - Enrollment policies diff --git a/memdocs/intune/configuration/device-profiles.md b/memdocs/intune/configuration/device-profiles.md index ace0952e590..75b48eb82ec 100644 --- a/memdocs/intune/configuration/device-profiles.md +++ b/memdocs/intune/configuration/device-profiles.md @@ -265,7 +265,7 @@ This feature supports: ## Microsoft Defender for Endpoint -[Microsoft Defender for Endpoint](../protect/advanced-threat-protection.md) integrates with Intune to monitor and help protect devices. You set risk levels, and determine what happens if devices exceed that level. When combined with conditional access, you can help prevent malicious activity in your organization. +[Microsoft Defender for Endpoint](../protect/advanced-threat-protection.md) integrates with Intune to monitor and help protect devices. You set risk levels, and determine what happens if devices exceed that level. When combined with Conditional Access, you can help prevent malicious activity in your organization. This feature supports: 
diff --git a/memdocs/intune/configuration/tutorial-walkthrough-administrative-templates.md b/memdocs/intune/configuration/tutorial-walkthrough-administrative-templates.md index d83515a4c24..4d6d6ecb958 100644 --- a/memdocs/intune/configuration/tutorial-walkthrough-administrative-templates.md +++ b/memdocs/intune/configuration/tutorial-walkthrough-administrative-templates.md @@ -202,7 +202,7 @@ In these next steps, you create security groups, and add users to these groups. - [Dynamic Group Membership in Microsoft Entra ID (Part 1)](/archive/blogs/pauljones/dynamic-group-membership-in-azure-active-directory-part-1) - [Dynamic Group Membership in Microsoft Entra ID (Part 2)](/archive/blogs/pauljones/dynamic-group-membership-in-azure-active-directory-part-2) -- Microsoft Entra ID P1 or P2 includes other services that are commonly used when managing apps and devices, including [multifactor authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks) and [conditional access](/azure/active-directory/conditional-access/overview). +- Microsoft Entra ID P1 or P2 includes other services that are commonly used when managing apps and devices, including [multifactor authentication (MFA)](/azure/active-directory/authentication/concept-mfa-howitworks) and [Conditional Access](/azure/active-directory/conditional-access/overview). - Many administrators ask when to use user groups and when to use device groups. For some guidance, go to [User groups vs. device groups](device-profile-assign.md#user-groups-vs-device-groups). diff --git a/memdocs/intune/configuration/vpn-settings-windows-10.md b/memdocs/intune/configuration/vpn-settings-windows-10.md index 54dce306e9a..a59b49f8242 100644 --- a/memdocs/intune/configuration/vpn-settings-windows-10.md +++ b/memdocs/intune/configuration/vpn-settings-windows-10.md 
@@ -2,7 +2,7 @@ # required metadata title: Windows 10/11 VPN settings in Microsoft Intune -description: Learn and read about all the available VPN settings in Microsoft Intune, what they're used for, and what they do. See the traffic rules, conditional access, and DNS and proxy settings for Windows 10/11 and Windows Holographic for Business devices. +description: Learn and read about all the available VPN settings in Microsoft Intune, what they're used for, and what they do. See the traffic rules, Conditional Access, and DNS and proxy settings for Windows 10/11 and Windows Holographic for Business devices. keywords: author: MandiOhlinger ms.author: mandia diff --git a/memdocs/intune/developer/app-sdk-android-phase7.md b/memdocs/intune/developer/app-sdk-android-phase7.md index 6a74718ff22..9178f809678 100644 --- a/memdocs/intune/developer/app-sdk-android-phase7.md +++ b/memdocs/intune/developer/app-sdk-android-phase7.md @@ -602,7 +602,7 @@ Most notifications are [MAMUserNotification]s, which provide information specifi - Your app called [unregisterAccountForMAM]. - An IT admin initiated a remote wipe. -- Admin-required conditional access policies weren't satisfied. +- Admin-required Conditional Access policies weren't satisfied. > [!WARNING] > An app should never register for both the `WIPE_USER_DATA` and `WIPE_USER_AUXILIARY_DATA` notifications. diff --git a/memdocs/intune/developer/app-sdk-ios-phase6.md b/memdocs/intune/developer/app-sdk-ios-phase6.md index e090d24def4..635a0934108 100644 --- a/memdocs/intune/developer/app-sdk-ios-phase6.md +++ b/memdocs/intune/developer/app-sdk-ios-phase6.md 
@@ -171,8 +171,8 @@ To fetch the Microsoft Entra object ID for the accountId parameter of the MAM SD #### Configuring a test user for App Protection CA 1. Sign in with your administrator credentials to https://portal.azure.com. -2. Select **Microsoft Entra ID** > **Security** > **Conditional Access** > **New policy**. Create a new conditional access policy. -3. Configure conditional access policy by setting the following items: +2. Select **Microsoft Entra ID** > **Security** > **Conditional Access** > **New policy**. Create a new Conditional Access policy. +3. Configure Conditional Access policy by setting the following items: - Filling in the **Name** field. - Enabling the policy. - Assigning the policy to a user or group. diff --git a/memdocs/intune/enrollment/android-enterprise-overview.md b/memdocs/intune/enrollment/android-enterprise-overview.md index 8daa7408163..f7a0a9d27bd 100644 --- a/memdocs/intune/enrollment/android-enterprise-overview.md +++ b/memdocs/intune/enrollment/android-enterprise-overview.md 
@@ -95,7 +95,7 @@ Android Enterprise doesn't provide a default email app or native email profile o Gmail and Nine Work are two Exchange ActiveSync (EAS) client apps in the Play Store that support Android Enterprise app configuration. Intune provides configuration templates for Gmail and Nine Work apps so you can manage them as work apps. You can configure other email apps that support app configuration profiles in an app configuration policy. -If you're using Exchange ActiveSync conditional access for a personal or corporate-owned device, consider using the Gmail or Nine Work email app. The Microsoft Outlook for Android app, and any other email app that uses modern authentication via MSAL, is also supported. For more information, see [How to configure email settings in Microsoft Intune](../configuration/email-settings-configure.md). +If you're using Exchange ActiveSync Conditional Access for a personal or corporate-owned device, consider using the Gmail or Nine Work email app. The Microsoft Outlook for Android app, and any other email app that uses modern authentication via MSAL, is also supported. For more information, see [How to configure email settings in Microsoft Intune](../configuration/email-settings-configure.md). > [!TIP] > Azure AD Authentication Library (ADAL) has been deprecated, so we recommend updating apps that currently use ADAL to MSAL. For more information, see [Update your applications to use Microsoft Authentication Library (MSAL) and Microsoft Graph API](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363). diff --git a/memdocs/intune/enrollment/automated-device-enrollment-authentication.md b/memdocs/intune/enrollment/automated-device-enrollment-authentication.md index a8fe7e65cd3..ae33fcc55ce 100644 --- a/memdocs/intune/enrollment/automated-device-enrollment-authentication.md 
+++ b/memdocs/intune/enrollment/automated-device-enrollment-authentication.md @@ -50,7 +50,7 @@ Use the Intune Company Portal app as the authentication method if you want to: - Use multifactor authentication (MFA). - Prompt users to change their passwords when they first sign in. - Prompt users to reset their expired passwords during enrollment. - - Register devices in Microsoft Entra ID and use features available with Microsoft Entra ID, such as conditional access. + - Register devices in Microsoft Entra ID and use features available with Microsoft Entra ID, such as Conditional Access. - Automatically install the Company Portal app during enrollment. If your company uses the Volume Purchase Program (VPP), you can automatically install Company Portal app during enrollment without user Apple IDs. - You want to lock the device until the Company Portal app installs. @@ -65,7 +65,7 @@ This option provides the same security as Intune Company Portal authentication b * Use multifactor authentication (MFA). * Prompt users to change their passwords when they first sign in. * Prompt users to reset their expired passwords during enrollment. -* Register devices in Microsoft Entra ID and use features available with Microsoft Entra ID, such as conditional access. +* Register devices in Microsoft Entra ID and use features available with Microsoft Entra ID, such as Conditional Access. * Automatically install the Company Portal app during enrollment. If your company uses the Volume Purchase Program (VPP), you can automatically install Company Portal app during enrollment without user Apple IDs. * Allow users to use the device even when the Company Portal app isn't installed. 
@@ -86,7 +86,7 @@ In both scenarios, the Company Portal installation option is hidden from the dev ### Multifactor authentication -Multifactor authentication (MFA) will be required if a [conditional access policy that requires it](multi-factor-authentication.md) is applied at enrollment or during Company Portal sign-in. However, MFA is optional, based on the Microsoft Entra settings in the targeted conditional access policy. +Multifactor authentication (MFA) will be required if a [Conditional Access policy that requires it](multi-factor-authentication.md) is applied at enrollment or during Company Portal sign-in. However, MFA is optional, based on the Microsoft Entra settings in the targeted Conditional Access policy. External authentication methods are supported in Microsoft Entra ID, which means you can use your preferred MFA solution to facilitate MFA during device enrollment. If you choose to use a third-party MFA provider, before you deploy enrollment profiles to all devices, do a test run to ensure that both the Microsoft Entra MFA screen and MFA work during enrollment. For more information and support details about external authentication methods, see [Public preview: External authentication methods in Microsoft Entra ID](https://techcommunity.microsoft.com/t5/microsoft-entra-blog/public-preview-external-authentication-methods-in-microsoft/ba-p/4078808). 
@@ -96,9 +96,9 @@ After they go through the Setup Assistant screens, the device user lands on the - Won’t be fully registered with Microsoft Entra ID. - Won’t show up in the user’s device list in Microsoft Entra ID. -- Won’t have access to resources protected by conditional access. +- Won’t have access to resources protected by Conditional Access. - Won’t be evaluated for device compliance. -- Will be redirected to the Company Portal from other apps if the user tries to open any managed applications that are protected by conditional access. +- Will be redirected to the Company Portal from other apps if the user tries to open any managed applications that are protected by Conditional Access. ## Option 3: Just in Time Registration for Setup Assistant with modern authentication diff --git a/memdocs/intune/enrollment/device-enrollment-manager-enroll.md b/memdocs/intune/enrollment/device-enrollment-manager-enroll.md index 3e621b94bc5..19f8436fbf6 100644 --- a/memdocs/intune/enrollment/device-enrollment-manager-enroll.md +++ b/memdocs/intune/enrollment/device-enrollment-manager-enroll.md @@ -116,8 +116,8 @@ Applying a Microsoft Entra maximum device limit of less than 1,000 to a DEM acco ### Certificates You must use device-level certificates to manage Wi-Fi and email connections. -### Conditional access -Conditional access is only supported with DEM on devices running: +### Conditional Access +Conditional Access is only supported with DEM on devices running: * Windows 10, version 1803 and later * Windows 11 diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md index 2aedbcd14cb..baf58e8c054 100644 --- a/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md +++ b/memdocs/intune/enrollment/device-enrollment-program-enroll-macos.md 
@@ -152,9 +152,9 @@ At the end of this procedure, you can assign this profile to Microsoft Entra dev - Registers with Microsoft Entra ID. - Is added to the user's device record in Microsoft Entra ID. - Can be evaluated for device compliance. - - Gains access to resources protected by conditional access. + - Gains access to resources protected by Conditional Access. - If the user doesn't sign in to the Company Portal to complete registration, they'll be redirected to the Company Portal app each time they try to open a managed app with conditional access protection. + If the user doesn't sign in to the Company Portal to complete registration, they'll be redirected to the Company Portal app each time they try to open a managed app with Conditional Access protection. Devices running macOS 10.15 and later can use this method. Older macOS devices fall back to using the legacy Setup Assistant method. For more information about how to get the Company Portal app to Mac users, see [Add the Company Portal for macOS app](../apps/apps-company-portal-macos.md). 
@@ -283,7 +283,7 @@ Optionally, you can select a default enrollment profile. The default profile is Distribute prepared devices throughout your organization. -* New or wiped Macs: New or wiped Macs configured in Apple Business Manager or Apple School Manager automatically enroll in Microsoft Intune during Setup Assistant when someone turns on the device. If you assigned the device to a macOS enrollment profile with user affinity, the device user must sign in to the Company Portal after Setup Assistant is done to finish Microsoft Entra registration and conditional access requirements. +* New or wiped Macs: New or wiped Macs configured in Apple Business Manager or Apple School Manager automatically enroll in Microsoft Intune during Setup Assistant when someone turns on the device. If you assigned the device to a macOS enrollment profile with user affinity, the device user must sign in to the Company Portal after Setup Assistant is done to finish Microsoft Entra registration and Conditional Access requirements. * Existing Macs: You can enroll devices that already went through Setup Assistant. Complete these steps to enroll corporate-owned Macs running macOS 10.13 and later. 
@@ -300,7 +300,7 @@ Distribute prepared devices throughout your organization. 1. Follow the onscreen prompts to download the Microsoft Intune management profile, certificates, and policies. >[!TIP] > You can confirm which profiles are on the device anytime by returning to **System Preferences** > **Profiles**. - 1. If you assigned the device to a macOS enrollment profile with user affinity, sign in to the Company Portal app to complete Microsoft Entra registration and conditional access requirements, and finish enrollment. + 1. If you assigned the device to a macOS enrollment profile with user affinity, sign in to the Company Portal app to complete Microsoft Entra registration and Conditional Access requirements, and finish enrollment. ## Renew enrollment program token Complete these steps to renew a server token that's about to expire. This procedure ensures that the associated enrollment program token in Intune remains active. diff --git a/memdocs/intune/enrollment/device-enrollment-shared-ipad.md b/memdocs/intune/enrollment/device-enrollment-shared-ipad.md index dc5bb6b5570..5d826bea087 100644 --- a/memdocs/intune/enrollment/device-enrollment-shared-ipad.md +++ b/memdocs/intune/enrollment/device-enrollment-shared-ipad.md 
@@ -159,7 +159,7 @@ The following limitations exist in Intune for Shared iPad: - Company Portal and available apps not supported: Intune Company Portal app and the Intune Company Portal website are not supported with Shared iPad. - App assignment requirements: You must assign apps as _required_ to device groups. *Available* apps are not supported with Shared iPad. - Passcode complexity can't be managed with Shared iPad: Shared iPad passcodes must have eight alphanumeric characters, and can't be changed in Apple Business Manager. The passcode complexity and length settings available in Intune device configuration profiles don't apply to Shared iPad. An MDM administrator can set the grace period, which specifies the number of minutes a user has to unlock the iPad without a passcode. -- Some policies not supported: These Intune policies are not supported with Shared iPad: app-based and device-based conditional access policies, app protection policies, and compliance policies. +- Some policies not supported: These Intune policies are not supported with Shared iPad: app-based and device-based Conditional Access policies, app protection policies, and compliance policies. - Email profile not supported: Email profiles aren't supported with Shared iPad. An error occurs when you assign an email profile to a Shared iPad device. - User-assigned policies don't appear in reports: Intune doesn't report device status or user status in reports for Shared iPad apps and profiles assigned to Microsoft Entra user groups. - Microsoft Entra federation requirement not enforced: The Microsoft Entra federation requirement isn't enforced. If the Managed Apple ID matches the Microsoft Entra UPN, and the Microsoft Entra user is assigned a user applicable device configuration profile, the profile will apply to the user when they sign in to a shared iPad using their Managed Apple ID. 
diff --git a/memdocs/intune/enrollment/macos-enroll.md b/memdocs/intune/enrollment/macos-enroll.md index a363bde7593..ae6f85e17a0 100644 --- a/memdocs/intune/enrollment/macos-enroll.md +++ b/memdocs/intune/enrollment/macos-enroll.md @@ -90,7 +90,7 @@ You can monitor the escrow status for any enrolled Mac in the admin center. The 2. Go to **Devices** > **By platform** > **macOS**. 3. Select a device from your list of macOS devices. 4. Select **Hardware**. -5. In your hardware details, scroll down to **Conditional access** > **Bootstrap token escrowed**. +5. In your hardware details, scroll down to **Conditional Access** > **Bootstrap token escrowed**. ### Manage kernel extensions and software updates diff --git a/memdocs/intune/enrollment/multi-factor-authentication.md b/memdocs/intune/enrollment/multi-factor-authentication.md index 6668def27e4..44515169671 100644 --- a/memdocs/intune/enrollment/multi-factor-authentication.md +++ b/memdocs/intune/enrollment/multi-factor-authentication.md 
@@ -59,7 +59,7 @@ Complete these steps to enable multifactor authentication during Microsoft Intun 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Go to **Devices**. -1. Expand **Manage devices**, and then select **Conditional access**. This conditional access area is the same as the conditional access area available in the Microsoft Entra admin center. For more information about the available settings, see [Building a Conditional Access policy](/entra/identity/conditional-access/concept-conditional-access-policies). +1. Expand **Manage devices**, and then select **Conditional Access**. This Conditional Access area is the same as the Conditional Access area available in the Microsoft Entra admin center. For more information about the available settings, see [Building a Conditional Access policy](/entra/identity/conditional-access/concept-conditional-access-policies). 1. Choose **Create new policy**. 1. Name your policy. 1. Select the **Users** category. diff --git a/memdocs/intune/enrollment/web-based-device-enrollment-ios.md b/memdocs/intune/enrollment/web-based-device-enrollment-ios.md index 442dedd32ed..3cc006d1c52 100644 --- a/memdocs/intune/enrollment/web-based-device-enrollment-ios.md +++ b/memdocs/intune/enrollment/web-based-device-enrollment-ios.md 
@@ -79,7 +79,7 @@ Return to **Enrollment types** to see a list of your enrollment profiles. Intune ## Step 3: Prepare employees for enrollment When an employee attempts to sign into a work app on their personal device, the app alerts them to the enrollment requirement and redirects them to the Company Portal website for enrollment. -Alternatively, you can provide employees and students with a URL that opens the Company Portal website. If you aren't utilizing conditional access, it's important to share the enrollment link with device users so that they know how to initiate enrollment. The link to share is: +Alternatively, you can provide employees and students with a URL that opens the Company Portal website. If you aren't utilizing Conditional Access, it's important to share the enrollment link with device users so that they know how to initiate enrollment. The link to share is: `https://portal.manage.microsoft.com/enrollment/webenrollment/ios` diff --git a/memdocs/intune/enrollment/windows-bulk-enroll.md b/memdocs/intune/enrollment/windows-bulk-enroll.md index ae7609b6284..77e92c24c04 100644 --- a/memdocs/intune/enrollment/windows-bulk-enroll.md +++ b/memdocs/intune/enrollment/windows-bulk-enroll.md @@ -129,6 +129,6 @@ You can check for success/failure of the settings in your package in the **Provi When not using an open network, you must use [device-level certificates](../protect/certificates-configure.md) to initiate connections. Bulk enrolled devices are unable to use to user-targeted certificates for network access. -### Conditional access +### Conditional Access -Conditional access is available for devices enrolled via bulk enrollment running Windows 11 or Windows 10, version 1803 and later. +Conditional Access is available for devices enrolled via bulk enrollment running Windows 11 or Windows 10, version 1803 and later. 
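Review bot: In windows-bulk-enroll.md, the context sentence directly above the renamed heading still reads "Bulk enrolled devices are unable to use to user-targeted certificates"; since this file is already being touched, drop the stray "to" in the same change. The heading edit only changes casing, so confirm after the build that existing links to the #conditional-access anchor in this article still resolve.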
diff --git a/memdocs/intune/enrollment/windows-enrollment-create-cname.md b/memdocs/intune/enrollment/windows-enrollment-create-cname.md index 4916dce2fd6..b036dec1f51 100644 --- a/memdocs/intune/enrollment/windows-enrollment-create-cname.md +++ b/memdocs/intune/enrollment/windows-enrollment-create-cname.md @@ -87,7 +87,7 @@ Alternate redirection methods aren't supported with Intune. For example, you can ## Registration CNAME -Microsoft Entra ID uses a different CNAME during device registration for iOS/iPadOS, Android, and Windows devices. Intune conditional access requires devices to be registered to Microsoft Entra ID (also called *workplace joined*). If you plan to use conditional access, you should configure the *EnterpriseRegistration* CNAME for each company name you have. +Microsoft Entra ID uses a different CNAME during device registration for iOS/iPadOS, Android, and Windows devices. Intune Conditional Access requires devices to be registered to Microsoft Entra ID (also called *workplace joined*). If you plan to use Conditional Access, you should configure the *EnterpriseRegistration* CNAME for each company name you have. | Type | Host name | Points to | TTL | | --- | --- | --- | --- | diff --git a/memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md b/memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md index 6d76c46de27..a7381ace291 100644 --- a/memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md +++ b/memdocs/intune/fundamentals/azure-virtual-desktop-multi-session.md 
@@ -139,7 +139,7 @@ Windows 10 or Windows 11 Administrative Templates are supported for Windows 10 o To list supported Administrative Templates, you'll need to use the filter in Settings catalog. -## Compliance and Conditional access +## Compliance and Conditional Access You can secure your Windows 10 or Windows 11 Enterprise multi-session VMs by configuring compliance policies and Conditional Access policies in the Microsoft Intune admin center. The following compliance policies are supported on Windows 10 or Windows 11 Enterprise multi-session VMs: diff --git a/memdocs/intune/fundamentals/azure-virtual-desktop.md b/memdocs/intune/fundamentals/azure-virtual-desktop.md index 052cb73e702..4a453a2f2c0 100644 --- a/memdocs/intune/fundamentals/azure-virtual-desktop.md +++ b/memdocs/intune/fundamentals/azure-virtual-desktop.md @@ -51,7 +51,7 @@ For more information on Azure Virtual Desktop licensing requirements, see [What For information about working with multi-session remote desktops, see [Windows 10 or Windows 11 Enterprise multi-session remote desktops](azure-virtual-desktop-multi-session.md). -Intune treats Azure Virtual Desktop personal VMs the same as Windows 10 or Windows 11 Enterprise physical desktops. This treatment lets you use some of your existing configurations and secure the VMs with compliance policy and conditional access. Intune management doesn't depend on or interfere with Azure Virtual Desktop management of the same virtual machine. +Intune treats Azure Virtual Desktop personal VMs the same as Windows 10 or Windows 11 Enterprise physical desktops. This treatment lets you use some of your existing configurations and secure the VMs with compliance policy and Conditional Access. Intune management doesn't depend on or interfere with Azure Virtual Desktop management of the same virtual machine. ## Limitations 
diff --git a/memdocs/intune/fundamentals/deployment-guide-enroll.md b/memdocs/intune/fundamentals/deployment-guide-enroll.md index ef72e3c7235..23487ca7d84 100644 --- a/memdocs/intune/fundamentals/deployment-guide-enroll.md +++ b/memdocs/intune/fundamentals/deployment-guide-enroll.md @@ -105,7 +105,7 @@ If you're looking for more control, including where the terms appear, consider c For more information, see [Terms and conditions for user access](../enrollment/terms-and-conditions-create.md). ### Require multifactor authentication -Require users to authenticate via multi-factor authentication (MFA) during enrollment. If you require MFA, people wanting to enroll devices must authenticate with a second device and two forms of credentials before they can enroll their device. This is a one-time conditional step, and ensures that the person on the device is who they say they are. You can enable this behavior for all platforms except Linux by using a conditional access policy with an MFA policy. Microsoft Entra ID P1 or P2 is required. +Require users to authenticate via multi-factor authentication (MFA) during enrollment. If you require MFA, people wanting to enroll devices must authenticate with a second device and two forms of credentials before they can enroll their device. This is a one-time conditional step, and ensures that the person on the device is who they say they are. You can enable this behavior for all platforms except Linux by using a Conditional Access policy with an MFA policy. Microsoft Entra ID P1 or P2 is required. For more information, see [Require multifactor authentication for Intune device enrollments](../enrollment/multi-factor-authentication.md). diff --git a/memdocs/intune/fundamentals/deployment-guide-enrollment-macos.md b/memdocs/intune/fundamentals/deployment-guide-enrollment-macos.md index 45cbe84fbbc..bed921c0dc4 100644 --- a/memdocs/intune/fundamentals/deployment-guide-enrollment-macos.md 
+++ b/memdocs/intune/fundamentals/deployment-guide-enrollment-macos.md 
@@ -149,14 +149,14 @@ This task list provides an overview. For more specific information, go to [Autom - You want to use multifactor authentication (MFA). - You want to prompt users to update their expired password when they first sign in. - You want to prompt users to reset their expired passwords during enrollment. - - You want devices registered in Microsoft Entra ID. When they're registered, you can use features available with Microsoft Entra ID, such as conditional access. + - You want devices registered in Microsoft Entra ID. When they're registered, you can use features available with Microsoft Entra ID, such as Conditional Access. > [!NOTE] > During the Setup Assistant, users must enter their organization Microsoft Entra credentials (`user@contoso.com`). When they enter their credentials, the enrollment starts. If you want, users can also enter their Apple ID to access Apple specific features, such as Apple Pay. > > After the Setup Assistant completes, users can use the device. When the home screen shows, the enrollment is complete, and user affinity is established. The device isn't fully registered with Microsoft Entra ID, and doesn't show in a user's device list in Microsoft Entra ID. > - > If users need access to resources protected by conditional access or should be fully registered with Microsoft Entra ID, then [install the Company Portal app](../apps/apps-company-portal-macos.md). After it's installed, users open the Company Portal app, and sign in with their organization Microsoft Entra account (`user@contoso.com`). During this second login, any conditional access policies are evaluated, and Microsoft Entra registration is complete. Users can install and use organizational resources, including LOB apps. + > If users need access to resources protected by Conditional Access or should be fully registered with Microsoft Entra ID, then [install the Company Portal app](../apps/apps-company-portal-macos.md). 
After it's installed, users open the Company Portal app, and sign in with their organization Microsoft Entra account (`user@contoso.com`). During this second login, any Conditional Access policies are evaluated, and Microsoft Entra registration is complete. Users can install and use organizational resources, including LOB apps. - In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apple Configurator** enrollment and create an enrollment profile. Choose to **Enroll with user affinity** (associate a user to the device), or **Enroll without user affinity** (user-less devices or shared devices). diff --git a/memdocs/intune/fundamentals/deployment-guide-platform-linux.md b/memdocs/intune/fundamentals/deployment-guide-platform-linux.md index 86e7da5a8f2..cb18146dbeb 100644 --- a/memdocs/intune/fundamentals/deployment-guide-platform-linux.md +++ b/memdocs/intune/fundamentals/deployment-guide-platform-linux.md 
@@ -35,14 +35,14 @@ This guide describes everything you need to do to protect and manage Linux apps * Prepare your tenant for device enrollment. * Create Linux device compliance policies. * Add custom compliance settings. -* Enforce conditional access policies in Microsoft Edge. +* Enforce Conditional Access policies in Microsoft Edge. * Support employees and students enrolling their desktops. -For each section in this guide, review the associated tasks. Some tasks are required and some, like setting up conditional access, are optional. Select the provided links in each section to go to our recommended help docs on Microsoft Learn, where you can find more detailed information and how-to instructions. +For each section in this guide, review the associated tasks. Some tasks are required and some, like setting up Conditional Access, are optional. Select the provided links in each section to go to our recommended help docs on Microsoft Learn, where you can find more detailed information and how-to instructions. ## Step 1: Prerequisites - Microsoft Intune, Microsoft Entra ID, and Microsoft Edge power the feature and capabilities for Linux desktop management. Microsoft Intune powers the device management and compliance capabilities. Microsoft Entra ID powers conditional access, which is used alongside Microsoft Intune compliance policies. Microsoft Edge is the web browser app used to provide protected access to Microsoft 365 web apps. + Microsoft Intune, Microsoft Entra ID, and Microsoft Edge power the feature and capabilities for Linux desktop management. Microsoft Intune powers the device management and compliance capabilities. Microsoft Entra ID powers Conditional Access, which is used alongside Microsoft Intune compliance policies. Microsoft Edge is the web browser app used to provide protected access to Microsoft 365 web apps. Complete the following prerequisites as an Intune administrator to enable your tenant's endpoint management capabilities: 
@@ -71,7 +71,7 @@ You can enforce device compliance policies based on Linux distribution type, ver | [Create a device compliance policy](../protect/create-compliance-policy.md)|Get step-by-step guidance on how to create and assign a device compliance policy for Linux devices. | | [Add custom compliance settings](../protect/compliance-use-custom-settings.md) | With custom compliance settings, you can write your own Bash scripts to address compliance scenarios not yet included in the device compliance options built into Microsoft Intune. This article describes how to create, monitor, and troubleshoot custom compliance policies for Linux devices. Custom compliance settings require you to [create a custom script](../protect/compliance-custom-script.md) that identifies the settings and value pairs.| | [Add actions for noncompliance](../protect/actions-for-noncompliance.md) |Choose what happens when devices no longer meet the conditions of your compliance policy. Examples of actions include sending alerts, remotely locking devices, or retiring devices. You can add actions for noncompliance when you configure a device compliance policy, or later by editing the policy. | -| Create [a device-based](../protect/create-conditional-access-intune.md) or [app-based](../protect/app-based-conditional-access-intune-create.md) conditional access policy| Set up a conditional access policy to protect and grant access to Microsoft 365 web apps in the Microsoft Edge browser for Linux. Conditional access blocks noncompliant devices from accessing protected work apps in Edge, and grants access to compliant devices. You must have a device compliance policy for conditional access to work with Linux devices. 
| +| Create [a device-based](../protect/create-conditional-access-intune.md) or [app-based](../protect/app-based-conditional-access-intune-create.md) Conditional Access policy| Set up a Conditional Access policy to protect and grant access to Microsoft 365 web apps in the Microsoft Edge browser for Linux. Conditional Access blocks noncompliant devices from accessing protected work apps in Edge, and grants access to compliant devices. You must have a device compliance policy for Conditional Access to work with Linux devices. | ## Step 4: Enroll devices @@ -81,7 +81,7 @@ Enrollment is supported on Linux desktops running: * RedHat Enterprise Linux 8 * RedHat Enterprise Linux 9 -Employees assigned Intune licenses can enroll their personal Linux devices into Microsoft Intune whenever they want. During enrollment, their device is registered with Microsoft Entra ID and evaluated for compliance. If you've applied a conditional access policy to Edge, users will be prompted to enroll their devices before they can access Microsoft 365 web apps with their work account. +Employees assigned Intune licenses can enroll their personal Linux devices into Microsoft Intune whenever they want. During enrollment, their device is registered with Microsoft Entra ID and evaluated for compliance. If you've applied a Conditional Access policy to Edge, users will be prompted to enroll their devices before they can access Microsoft 365 web apps with their work account. As an Intune administrator, you don't need to do anything to enable enrollment for employees, other than what's described under [Prerequisites](deployment-guide-platform-linux.md#step-1-prerequisites). However, it's important to provide them with help resources in case they need guidance during enrollment. 
@@ -93,7 +93,7 @@ As an Intune administrator, you don't need to do anything to enable enrollment f |[Install Microsoft Intune app for Linux](../user-help/microsoft-intune-app-linux.md)| Employees must install the Microsoft Intune app on their personal device for enrollment. This article describes how to install, update, and remove the Microsoft Intune app for Linux in the Terminal app. | |[Install Microsoft Edge web browser)](https://www.microsoft.com/edge)| To access protected websites and files, employees must have Microsoft Edge web browser, version 102.*X* or later. After they enroll their device, employees can sign into Microsoft Edge with their work account and access websites and files. | |[Enroll Linux device in Intune](../user-help/enroll-device-linux.md)| This article is for device users and describes how to enroll a device with the Microsoft Intune app, and includes system requirements, prerequisites, and next steps. During this step, Microsoft Intune registers the device with Microsoft Entra ID and creates a device record in Intune. After registration is complete, device compliance checks begin. | -|[Check device status and resolve compliance issues](../user-help/check-status-linux.md)| This article is for device users and describes how to resolve compliance issues in the Microsoft Intune app. Compliance checks happen during enrollment and thereafter when the device checks in with Intune. The Intune app notifies employees when they have a noncompliant setting on their device. Intune determines compliance and actions for noncompliance by using your device compliance and conditional access policies. | +|[Check device status and resolve compliance issues](../user-help/check-status-linux.md)| This article is for device users and describes how to resolve compliance issues in the Microsoft Intune app. Compliance checks happen during enrollment and thereafter when the device checks in with Intune. 
The Intune app notifies employees when they have a noncompliant setting on their device. Intune determines compliance and actions for noncompliance by using your device compliance and Conditional Access policies. | ## Next steps diff --git a/memdocs/intune/fundamentals/deployment-guide-platform-windows.md b/memdocs/intune/fundamentals/deployment-guide-platform-windows.md index a5c2b973cf4..cd62749c294 100644 --- a/memdocs/intune/fundamentals/deployment-guide-platform-windows.md +++ b/memdocs/intune/fundamentals/deployment-guide-platform-windows.md 
@@ -64,7 +64,7 @@ You can use Microsoft Entra Conditional Access policies in conjunction with devi | ---- | ------ | | [Create a compliance policy](../protect/create-compliance-policy.md)|Get step-by-step guidance on how to create and assign a compliance policy to user and device groups. | | [Add actions for noncompliance](../protect/actions-for-noncompliance.md) |Choose what happens when devices no longer meet the conditions of your compliance policy. Examples of actions include sending alerts, remotely locking devices, or retiring devices. You can add actions for noncompliance when you configure a device compliance policy, or later by editing the policy. | -| Create [a device-based](../protect/create-conditional-access-intune.md) or [app-based](../protect/app-based-conditional-access-intune-create.md) conditional access policy| Select the apps or services you want to protect and define the conditions for access. | +| Create [a device-based](../protect/create-conditional-access-intune.md) or [app-based](../protect/app-based-conditional-access-intune-create.md) Conditional Access policy| Select the apps or services you want to protect and define the conditions for access. | |[Block access to apps that don't use modern authentication](../protect/app-modern-authentication-block.md) | Create an app-based Conditional Access policy to block apps that use authentication methods other than OAuth2; for example, those apps that use basic and form-based authentication. Before you block access, however, sign in to Microsoft Entra ID and review the [authentication methods activity report](/azure/active-directory/authentication/howto-authentication-methods-activity) to see if users are using basic authentication to access essential things you forgot about or are unaware of. For example, things like meeting room calendar kiosks use basic authentication. 
| | [Add custom compliance settings](../protect/compliance-use-custom-settings.md) | With custom compliance settings, you can write your own Bash scripts to address compliance scenarios not yet included in the device compliance options built into Microsoft Intune. This article describes how to create, monitor, and troubleshoot custom compliance policies for Windows devices. Custom compliance settings require you to [create a custom script](../protect/compliance-custom-json.md) that identifies the settings and value pairs.| diff --git a/memdocs/intune/fundamentals/deployment-plan-compliance-policies.md b/memdocs/intune/fundamentals/deployment-plan-compliance-policies.md index b486c540b5e..dd6cee60baf 100644 --- a/memdocs/intune/fundamentals/deployment-plan-compliance-policies.md +++ b/memdocs/intune/fundamentals/deployment-plan-compliance-policies.md @@ -40,14 +40,14 @@ ms.collection: ### Defender for Endpoint -### Conditional access ? +### Conditional Access ? --> # Step 3 – Plan for compliance policies Previously, you set up your Intune subscription and created app protection policies. Next, plan for and configure device compliance settings and policies to help protect organizational data by requiring devices to meet requirements that you set. -:::image type="content" source="./media/deployment-plan-compliance-policies/deployment-plan-compliance-conditional-access.png" alt-text="Diagram that shows getting started with Microsoft Intune with step 3, which is creating compliance and conditional access policies."::: +:::image type="content" source="./media/deployment-plan-compliance-policies/deployment-plan-compliance-conditional-access.png" alt-text="Diagram that shows getting started with Microsoft Intune with step 3, which is creating compliance and Conditional Access policies."::: If you’re not yet familiar with compliance policies, see [Compliance overview](../protect/device-compliance-get-started.md). 
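Review bot: The "### Conditional Access ?" line changed in deployment-plan-compliance-policies.md sits directly above the closing "-->", so it is inside an HTML comment and never renders; editing it adds diff noise with no reader-visible effect. Either leave the commented-out outline untouched or remove the stale outline (including the trailing "?") in a separate cleanup. The alt-text change is fine, and the image source path correctly keeps its lowercase conditional-access file name.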
@@ -198,7 +198,7 @@ With robust device compliance policies in place, you can then implement more adv - Integrating device compliance status with *Conditional Access* to help gate which devices are allowed to access email, other cloud services, or on-premises resources. -- Including compliance data from *third-party compliance partners*. With such a configuration, compliance data from those devices can be used with your [conditional access policies](../protect/device-compliance-get-started.md#integrate-with-conditional-access). +- Including compliance data from *third-party compliance partners*. With such a configuration, compliance data from those devices can be used with your [Conditional Access policies](../protect/device-compliance-get-started.md#integrate-with-conditional-access). - Expanding on built-in device compliance policies by defining custom compliance settings that aren't available natively through the Intune compliance policy UI. diff --git a/memdocs/intune/fundamentals/deployment-plan-protect-apps.md b/memdocs/intune/fundamentals/deployment-plan-protect-apps.md index 73427bba58d..043334a5e3a 100644 --- a/memdocs/intune/fundamentals/deployment-plan-protect-apps.md +++ b/memdocs/intune/fundamentals/deployment-plan-protect-apps.md 
@@ -187,7 +187,7 @@ For more information about app configuration, go to the following topics: The Outlook for iOS and Android app is designed to enable users in your organization to do more from their mobile devices, by bringing together email, calendar, contacts, and other files. -The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as conditional access. At a minimum, you will want to deploy a conditional access policy that allows connectivity to Outlook for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected. +The richest and broadest protection capabilities for Microsoft 365 data are available when you subscribe to the Enterprise Mobility + Security suite, which includes Microsoft Intune and Microsoft Entra ID P1 or P2 features, such as Conditional Access. At a minimum, you will want to deploy a Conditional Access policy that allows connectivity to Outlook for iOS and Android from mobile devices and an Intune app protection policy that ensures the collaboration experience is protected. For more information about configuring Microsoft Outlook, go to the following topic: diff --git a/memdocs/intune/fundamentals/get-started-with-intune.md b/memdocs/intune/fundamentals/get-started-with-intune.md index 5cfa06bac1c..92f66fe2403 100644 --- a/memdocs/intune/fundamentals/get-started-with-intune.md +++ b/memdocs/intune/fundamentals/get-started-with-intune.md 
@@ -39,7 +39,7 @@ Microsoft Intune is a cloud-based service that helps you manage your devices and This article provides an overview of the steps to start your Intune deployment. -:::image type="content" source="./media/get-started-with-intune/get-started-overview.png" alt-text="Diagram that shows the different steps to get started with Microsoft Intune, including set up, adding apps, using compliance & conditional access, configuring device features, and then enrolling devices to be managed."::: +:::image type="content" source="./media/get-started-with-intune/get-started-overview.png" alt-text="Diagram that shows the different steps to get started with Microsoft Intune, including set up, adding apps, using compliance & Conditional Access, configuring device features, and then enrolling devices to be managed."::: > [!TIP] > As a companion to this article, the Microsoft 365 admin center also has some setup guidance. The guide customizes your experience based on your environment. To access this deployment guide, go to the [Microsoft Intune setup guide in the Microsoft 365 admin center](https://go.microsoft.com/fwlink/?linkid=2224812), and sign in with the **Global Reader** (at a minimum). For more information on these deployment guides and the roles needed, go to [Advanced deployment guides for Microsoft 365 and Office 365 products](/microsoft-365/enterprise/setup-guides-for-microsoft-365). diff --git a/memdocs/intune/fundamentals/guided-scenarios-office-mobile.md b/memdocs/intune/fundamentals/guided-scenarios-office-mobile.md index d7cc3df9326..0f76f1f27fe 100644 --- a/memdocs/intune/fundamentals/guided-scenarios-office-mobile.md +++ b/memdocs/intune/fundamentals/guided-scenarios-office-mobile.md 
@@ -50,13 +50,13 @@ You can use App protection policies to prevent users from saving work files in u - Data relocation policies like **Save copies of org data**, and **Restrict cut, copy, and paste**. - Access policy settings to require simple PIN for access, and block managed apps from running on jailbroken or rooted devices. -App-based conditional access and client app management add a security layer by making sure only client apps that support Intune app protection policies can access Exchange online and other Microsoft 365 services. +App-based Conditional Access and client app management add a security layer by making sure only client apps that support Intune app protection policies can access Exchange online and other Microsoft 365 services. You can block the built-in mail apps on iOS/iPadOS and Android when you allow only the Microsoft Outlook app to access Exchange Online. Additionally, you can block apps that don't have Intune app protection policies applied from accessing SharePoint Online. -In this example, the admin has applied app protection policies to the Outlook app followed by a conditional access rule that adds the Outlook app to an approved list of apps that can be used when accessing corporate e-mail. +In this example, the admin has applied app protection policies to the Outlook app followed by a Conditional Access rule that adds the Outlook app to an approved list of apps that can be used when accessing corporate e-mail. -![Outlook app conditional access process flow](./media/guided-scenarios-office-mobile/guided-scenarios-office-mobile-02.png) +![Outlook app Conditional Access process flow](./media/guided-scenarios-office-mobile/guided-scenarios-office-mobile-02.png) ## Prerequisites 
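Review bot: The first rewritten sentence in this hunk still says "can access Exchange online", while the unchanged sentence right after it uses "Exchange Online". Since the line is already being touched for product-name casing, capitalize "Online" in the same edit so the paragraph is consistent.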
@@ -120,7 +120,7 @@ The following settings are applied when using the **Enhanced data protection** s In this step, you can choose the user groups that you want to include to ensure that they have access to your corporate data. App protection is assigned to users, and not devices, so your corporate data will be secure regardless of the device used and its enrollment status. -Users without app protection policies and conditional access settings assigned will be able to save data from their corporate profile to personal apps and nonmanaged local storage on their mobile devices. They could also connect to corporate data services, such as Microsoft Exchange, with personal apps. +Users without app protection policies and Conditional Access settings assigned will be able to save data from their corporate profile to personal apps and nonmanaged local storage on their mobile devices. They could also connect to corporate data services, such as Microsoft Exchange, with personal apps. ## Step 6 - Review + create @@ -131,4 +131,4 @@ The final step allows you to review a summary of the settings you configured. On ## Next steps -- Enhance the security of work files by assigning users an App-based conditional access policy to protect cloud services from sending work files to unprotected apps. For more information, see [Set up app-based Conditional Access policies with Intune](../protect/app-based-conditional-access-intune-create.md). +- Enhance the security of work files by assigning users an App-based Conditional Access policy to protect cloud services from sending work files to unprotected apps. For more information, see [Set up app-based Conditional Access policies with Intune](../protect/app-based-conditional-access-intune-create.md). diff --git a/memdocs/intune/fundamentals/licenses.md b/memdocs/intune/fundamentals/licenses.md index bd538e0c96f..da78ff7a575 100644 --- a/memdocs/intune/fundamentals/licenses.md +++ b/memdocs/intune/fundamentals/licenses.md 
@@ -109,7 +109,7 @@ You can purchase device licenses based on your estimated usage. Microsoft Intune When a device is enrolled by using a device license, the following Intune functions aren't supported: - [Intune app protection policies](../apps/app-protection-policy.md) -- [Conditional access](../protect/conditional-access.md) +- [Conditional Access](../protect/conditional-access.md) - User-based management features, such as email and calendaring ## Confirm your licenses diff --git a/memdocs/intune/fundamentals/migrate-to-intune.md b/memdocs/intune/fundamentals/migrate-to-intune.md index edb56701467..740aac8b982 100644 --- a/memdocs/intune/fundamentals/migrate-to-intune.md +++ b/memdocs/intune/fundamentals/migrate-to-intune.md @@ -136,7 +136,7 @@ To evaluate and migrate policies from Basic Mobility and Security to Intune: :::image type="content" source="./media/migrate-to-intune/recommendations-page.png" alt-text="Screenshot of migration evaluation example in the Microsoft Intune admin center after migrating Microsoft 365 Basic Mobility and Security policies to Intune"::: - Not all device settings correspond exactly to Intune settings and values. So, they can't be moved with precise one-to-one mapping. You need to review and possibly adjust these settings. - - The conditional access (CA) settings that control the Office 365 services are the same CA policies in Microsoft Entra ID. So, you don't need to review or make changes to them unless you want to. + - The Conditional Access (CA) settings that control the Office 365 services are the same CA policies in Microsoft Entra ID. So, you don't need to review or make changes to them unless you want to. 4. Select an item in the list. The **Compliance policy recommendation overview** page opens. Review the instructions. 5. Select **Details** to review the recommended settings and group assignments: 
@@ -206,13 +206,13 @@ This section describes what happens behind the scenes when you migrate from Basi - [Configurations policy mapping from Basic Mobility and Security to Intune](policy-map-configurations.md) - [Miscellaneous policy mapping from Basic Mobility and Security to Intune](policy-map-miscellaneous.md) -- When you complete the migration, your migrated policies are in Microsoft Intune admin center. The new policies include compliance policies, device configuration profiles, and conditional access policies. The new policies are in the following locations: +- When you complete the migration, your migrated policies are in Microsoft Intune admin center. The new policies include compliance policies, device configuration profiles, and Conditional Access policies. The new policies are in the following locations: | Intune policy type | Intune location | | --- | --- | | [Compliance policies](../protect/device-compliance-get-started.md)

Specify the device settings as access requirements. | [Microsoft Intune Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Compliance** | | [Configuration profiles](../configuration/device-profiles.md)

Specify other settings that aren't part of the access requirements, including email profiles. | [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Manage devices** > **Configuration** | - | [Conditional access policies]( ../protect/conditional-access.md)

Microsoft Entra Conditional Access blocks access if the settings aren't compliant. | [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Conditional access** > **Classic policies** | + | [Conditional Access policies]( ../protect/conditional-access.md)

Microsoft Entra Conditional Access blocks access if the settings aren't compliant. | [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Conditional Access** > **Classic policies** | ## Known issues diff --git a/memdocs/intune/fundamentals/policy-map-miscellaneous.md b/memdocs/intune/fundamentals/policy-map-miscellaneous.md index c0d9687ca8e..1610d6b7828 100644 --- a/memdocs/intune/fundamentals/policy-map-miscellaneous.md +++ b/memdocs/intune/fundamentals/policy-map-miscellaneous.md @@ -83,7 +83,7 @@ These settings are backed by the Conditional Access policy [GraphAggregatorServi This setting modifies one classic Conditional Access policy: -- **Endpoint security** > **Conditional access** > **Classic policies** > **[GraphAggregatorService] Device policy** > **Conditions** > **Client apps (Preview)** > **Mobile apps and desktop clients** > **Exchange ActiveSync clients** > **Apply policy only to supported platform** +- **Endpoint security** > **Conditional Access** > **Classic policies** > **[GraphAggregatorService] Device policy** > **Conditions** > **Client apps (Preview)** > **Mobile apps and desktop clients** > **Exchange ActiveSync clients** > **Apply policy only to supported platform** ### Are there any security groups you want to exclude from access control? @@ -95,7 +95,7 @@ This setting modifies five classic Conditional Access policies: - [Office 365 SharePoint Online] Device policy - [Outlook Service for OneDrive] Device policy -- **Endpoint security** > **Conditional access** > policy name > **Users and groups** > **Exclude** +- **Endpoint security** > **Conditional Access** > policy name > **Users and groups** > **Exclude** ## Device security policy Name and Description diff --git a/memdocs/intune/fundamentals/remote-help-macos.md b/memdocs/intune/fundamentals/remote-help-macos.md index 1965687d518..4ffaa79f755 100644 --- a/memdocs/intune/fundamentals/remote-help-macos.md 
+++ b/memdocs/intune/fundamentals/remote-help-macos.md @@ -56,7 +56,7 @@ The Remote Help web app supports the following capabilities on macOS: - **Use Remote Help with unenrolled devices**: Disabled by default, you can choose to allow help to devices that aren't enrolled with Intune. -- **Conditional access**: Administrators can now utilize conditional access capability when setting up policies and conditions for Remote Help. For more information on setting up conditional access, see [Setup Conditional Access for Remote Help](remote-help-windows.md#setup-conditional-access-for-remote-help). +- **Conditional Access**: Administrators can now utilize Conditional Access capability when setting up policies and conditions for Remote Help. For more information on setting up Conditional Access, see [Setup Conditional Access for Remote Help](remote-help-windows.md#setup-conditional-access-for-remote-help). - **Compliance Warnings**: Remote Help will show non-compliance warnings if the device the helper is connecting to isn't compliant with its assigned policies. This warning doesn't block access but provides transparency about the risk of using sensitive data like administrative credentials during the session. diff --git a/memdocs/intune/fundamentals/remote-help-webapp.md b/memdocs/intune/fundamentals/remote-help-webapp.md index 2f7e86b7e2a..55e1e2002e8 100644 --- a/memdocs/intune/fundamentals/remote-help-webapp.md +++ b/memdocs/intune/fundamentals/remote-help-webapp.md 
@@ -45,7 +45,7 @@ The Remote Help web app supports the following capabilities: Use Remote Help with unenrolled devices: Disabled by default, you can choose to allow help to devices that aren't enrolled with Intune. -- **Conditional access**: Administrators can now utilize conditional access capability when setting up policies and conditions for Remote Help. For more information on setting up conditional access, go to [Setup Conditional Access for Remote Help](remote-help-windows.md#setup-conditional-access-for-remote-help). +- **Conditional Access**: Administrators can now utilize Conditional Access capability when setting up policies and conditions for Remote Help. For more information on setting up Conditional Access, go to [Setup Conditional Access for Remote Help](remote-help-windows.md#setup-conditional-access-for-remote-help). - **Compliance Warnings**: Before connecting to a user's device, a helper will see a non-compliance warning about that device if it's not compliant with its assigned policies. This warning doesn’t block access but provides transparency about the risk of using sensitive data like administrative credentials during the session. diff --git a/memdocs/intune/fundamentals/remote-help-windows.md b/memdocs/intune/fundamentals/remote-help-windows.md index 568e10cd49a..2cc5bb51323 100644 --- a/memdocs/intune/fundamentals/remote-help-windows.md +++ b/memdocs/intune/fundamentals/remote-help-windows.md 
@@ -48,7 +48,7 @@ The Remote Help app is available from Microsoft to install on both devices enrol The Remote Help app supports the following capabilities on Windows: -- **Conditional access**: Administrators can now utilize conditional access capability when setting up policies and conditions for Remote Help. For example, multi-factor authentication, installing security updates, and locking access to Remote Help for a specific region or IP addresses. For more information on setting up conditional access, go to [Setup Conditional Access for Remote Help](#setup-conditional-access-for-remote-help) +- **Conditional Access**: Administrators can now utilize Conditional Access capability when setting up policies and conditions for Remote Help. For example, multi-factor authentication, installing security updates, and locking access to Remote Help for a specific region or IP addresses. For more information on setting up Conditional Access, go to [Setup Conditional Access for Remote Help](#setup-conditional-access-for-remote-help) - **Compliance Warnings**: Before a helper can connect to a user's device, the helper sees a non-compliance warning about that device if it's not compliant with its assigned policies. This warning doesn't block access but provides transparency about the risk of using sensitive data like administrative credentials during the session. 
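Review bot: The rewritten **Conditional Access** bullet ends at the `(#setup-conditional-access-for-remote-help)` link with no closing period, unlike the matching bullets in remote-help-macos.md and remote-help-webapp.md in this same patch; add the period while the line is open. The bullet also spells "multi-factor authentication", where the whats-new-archive.md entry changed by this patch uses "multifactor", so pick one spelling across the Remote Help text.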
@@ -275,9 +275,9 @@ Depending on the environment that Remote Help is utilized in, it may be necessar - C:\Program Files\Remote help\RHService.exe - C:\Program Files\Remote help\RemoteHelpRDP.exe -## Setup conditional access for Remote Help +## Setup Conditional Access for Remote Help -This section outlines the steps for provisioning the Remote Help service on the tenant for conditional access. +This section outlines the steps for provisioning the Remote Help service on the tenant for Conditional Access. 1. Open PowerShell in admin mode. - It may be necessary to install [Microsoft Graph PowerShell](/powershell/microsoftgraph/installation)  diff --git a/memdocs/intune/fundamentals/role-based-access-control-reference.md b/memdocs/intune/fundamentals/role-based-access-control-reference.md index 14ea9f58d98..66921ba74d5 100644 --- a/memdocs/intune/fundamentals/role-based-access-control-reference.md +++ b/memdocs/intune/fundamentals/role-based-access-control-reference.md @@ -186,7 +186,7 @@ Application Managers manage mobile and managed applications, can read device inf ## Endpoint Security Manager -Manages security and compliance features such as security baselines, device compliance, conditional access, and Microsoft Defender ATP. +Manages security and compliance features such as security baselines, device compliance, Conditional Access, and Microsoft Defender ATP. | Permission | Action | | ---------- | ------ | diff --git a/memdocs/intune/fundamentals/role-based-access-control.md b/memdocs/intune/fundamentals/role-based-access-control.md index f13ee07c426..40fc2b496b5 100644 --- a/memdocs/intune/fundamentals/role-based-access-control.md +++ b/memdocs/intune/fundamentals/role-based-access-control.md 
@@ -59,7 +59,7 @@ You can assign built-in roles to groups without further configuration. You can't - **Application Manager**: Manages mobile and managed applications, can read device information and can view device configuration profiles. - **Endpoint Privilege Manager**: Manages Endpoint Privilege Management policies in the Intune console. - **Endpoint Privilege Reader**: Endpoint Privilege Readers can view Endpoint Privilege Management policies in the Intune console. -- **Endpoint Security Manager**: Manages security and compliance features, such as security baselines, device compliance, conditional access, and Microsoft Defender for Endpoint. +- **Endpoint Security Manager**: Manages security and compliance features, such as security baselines, device compliance, Conditional Access, and Microsoft Defender for Endpoint. - **Help Desk Operator**: Performs remote tasks on users and devices, and can assign applications or policies to users or devices. - **Intune Role Administrator**: Manages custom Intune roles and adds assignments for built-in Intune roles. It's the only Intune role that can assign permissions to Administrators. - **Policy and Profile Manager**: Manages compliance policy, configuration profiles, Apple enrollment, corporate device identifiers, and security baselines. diff --git a/memdocs/intune/fundamentals/tutorial-walkthrough-endpoint-manager.md b/memdocs/intune/fundamentals/tutorial-walkthrough-endpoint-manager.md index c9dea49e46f..265e92e9a8b 100644 --- a/memdocs/intune/fundamentals/tutorial-walkthrough-endpoint-manager.md +++ b/memdocs/intune/fundamentals/tutorial-walkthrough-endpoint-manager.md 
@@ -108,7 +108,7 @@ Follow the steps below to better understand Intune in the Microsoft Intune admin 5. From the **Devices - Overview** pane, select **Conditional Access** to display details about access policies. - :::image type="content" alt-text="Screenshot of the Microsoft Intune admin center - Conditional access." source="./media/tutorial-walkthrough-endpoint-manager/tutorial-walkthrough-mem-05.png" lightbox="./media/tutorial-walkthrough-endpoint-manager/tutorial-walkthrough-mem-05.png"::: + :::image type="content" alt-text="Screenshot of the Microsoft Intune admin center - Conditional Access." source="./media/tutorial-walkthrough-endpoint-manager/tutorial-walkthrough-mem-05.png" lightbox="./media/tutorial-walkthrough-endpoint-manager/tutorial-walkthrough-mem-05.png"::: > [!TIP] > If you have previously used Intune in the Azure portal, you found the above details in the Azure portal by signing in to [Intune](https://go.microsoft.com/fwlink/?linkid=2090973) and selecting **Conditional Access**. diff --git a/memdocs/intune/fundamentals/what-is-device-management.md b/memdocs/intune/fundamentals/what-is-device-management.md index 2fd75bfb51c..3ee9e542e4d 100644 --- a/memdocs/intune/fundamentals/what-is-device-management.md +++ b/memdocs/intune/fundamentals/what-is-device-management.md 
@@ -69,7 +69,7 @@ For more information about Intune and its benefits, go to: ### Cloud attach your on-premises Configuration Manager -Many organizations use on-premises Configuration Manager to manage devices, including desktops and servers. You can cloud-attach your on-premises Configuration Manager to Microsoft Intune. When you cloud-attach, you get the benefits of Intune and the cloud, including [conditional access](../../configmgr/comanage/quickstart-conditional-access.md), [running remote actions](../../configmgr/comanage/quickstart-remote-actions.md), [using Windows Autopilot](../../configmgr/comanage/quickstart-autopilot.md), and more. +Many organizations use on-premises Configuration Manager to manage devices, including desktops and servers. You can cloud-attach your on-premises Configuration Manager to Microsoft Intune. When you cloud-attach, you get the benefits of Intune and the cloud, including [Conditional Access](../../configmgr/comanage/quickstart-conditional-access.md), [running remote actions](../../configmgr/comanage/quickstart-remote-actions.md), [using Windows Autopilot](../../configmgr/comanage/quickstart-autopilot.md), and more. For more information, go to: diff --git a/memdocs/intune/fundamentals/what-is-intune.md b/memdocs/intune/fundamentals/what-is-intune.md index b06c27beef2..428273111e2 100644 --- a/memdocs/intune/fundamentals/what-is-intune.md +++ b/memdocs/intune/fundamentals/what-is-intune.md 
@@ -85,7 +85,7 @@ For more information, go to [Manage apps using Microsoft Intune](manage-apps.md) ✅ **Automate policy deployment** -You can create policies for apps, security, device configuration, compliance, conditional access, and more. When the policies are ready, you can deploy these policies to your user groups and device groups. To receive these policies, the devices only need internet access. +You can create policies for apps, security, device configuration, compliance, Conditional Access, and more. When the policies are ready, you can deploy these policies to your user groups and device groups. To receive these policies, the devices only need internet access. For more information, go to [Assign policies in Microsoft Intune](../configuration/device-profile-assign.md). 
@@ -169,7 +169,7 @@ Microsoft Intune integrates with other Microsoft products and services that focu - **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)** to help enterprises prevent, detect, investigate, and respond to threats - In Intune, you can create a service-to-service connection between Intune and Microsoft Defender for Endpoint. When they're connected, you can create policies that scan files, detect threats, and report threat levels to Microsoft Defender for Endpoint. You can also create compliance policies that set an allowable level of risk. When combined with conditional access, you can block access to organization resources for devices that are noncompliant. + In Intune, you can create a service-to-service connection between Intune and Microsoft Defender for Endpoint. When they're connected, you can create policies that scan files, detect threats, and report threat levels to Microsoft Defender for Endpoint. You can also create compliance policies that set an allowable level of risk. When combined with Conditional Access, you can block access to organization resources for devices that are noncompliant. For more specific information, go to: 
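Review bot: In the rewritten Defender for Endpoint paragraph, "When combined with Conditional Access, you can block access" has a dangling modifier: it is the compliance policies that are combined with Conditional Access, not "you". Consider "When you combine these compliance policies with Conditional Access, you can block access to organization resources for devices that are noncompliant."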
@@ -252,7 +252,7 @@ On devices enrolled in Intune, you can: - Create and deploy policies that configure security settings, set password requirements, deploy certificates, and more. - Use mobile threat defense services to scan devices, detect threats, and remediate threats. - View data and reports that measure compliance with your security settings and rules. -- Use conditional access to only allow managed and compliant devices access to organization resources, apps, and data. +- Use Conditional Access to only allow managed and compliant devices access to organization resources, apps, and data. - Remove organization data if a device is lost or stolen. For personal devices, users might not want their IT admins to have full control. To support a hybrid work environment, give users options. For example, users enroll their devices if they want full access to your organization's resources. Or, if these users only want access to Outlook or Microsoft Teams, then use app protection policies that require multifactor authentication (MFA). @@ -262,7 +262,7 @@ On devices using application management, you can: - Use mobile threat defense services to protect app data. The service can scan devices, detect threats, and assess risk. - Prevent organization data from being copied and pasted into personal apps. - Use app protection policies on apps and on unmanaged devices enrolled in a third party or partner MDM. -- Use conditional access to restrict the apps that can access organization email and files. +- Use Conditional Access to restrict the apps that can access organization email and files. - Remove organization data within apps. For more information, go to: diff --git a/memdocs/intune/fundamentals/whats-new-archive.md b/memdocs/intune/fundamentals/whats-new-archive.md index b4b41c64ea9..a4abcd9077a 100644 --- a/memdocs/intune/fundamentals/whats-new-archive.md +++ b/memdocs/intune/fundamentals/whats-new-archive.md 
@@ -810,7 +810,7 @@ Due to the rollout timelines, we're updating our documentation to the new experi #### BlackBerry Protect Mobile now supports app protection policies -You can now use Intune app protection policies with *BlackBerry Protect Mobile* (powered by Cylance AI). With this change, Intune supports BlackBerry Protect Mobile for mobile application management (MAM) scenarios for [unenrolled devices](../protect/mtd-add-apps-unenrolled-devices.md). This support includes the use of risk assessment with Conditional access and configuration of Conditional Launch settings for unenrolled devices. +You can now use Intune app protection policies with *BlackBerry Protect Mobile* (powered by Cylance AI). With this change, Intune supports BlackBerry Protect Mobile for mobile application management (MAM) scenarios for [unenrolled devices](../protect/mtd-add-apps-unenrolled-devices.md). This support includes the use of risk assessment with Conditional Access and configuration of Conditional Launch settings for unenrolled devices. While configuring the CylancePROTECT Mobile connector (formerly BlackBerry Mobile), you now can select options to turn on *App protection policy evaluation* for both Android and iOS/iPadOS devices. 
@@ -2907,12 +2907,12 @@ For related information, see [Plan for Change: Ending support for Microsoft Stor ### Device configuration -#### Remote Help now supports conditional access capability -Administrators can now utilize conditional access capability when setting up policies and conditions for Remote Help. For example, multifactor authentication, installing security updates, and locking access to Remote Help for a specific region or IP addresses. +#### Remote Help now supports Conditional Access capability +Administrators can now utilize Conditional Access capability when setting up policies and conditions for Remote Help. For example, multifactor authentication, installing security updates, and locking access to Remote Help for a specific region or IP addresses. For more information, see: -- [Conditional access](../protect/conditional-access.md) +- [Conditional Access](../protect/conditional-access.md) - [Remote Help](remote-help-windows.md#setup-conditional-access-for-remote-help) ### Device security @@ -3725,7 +3725,7 @@ Configure Microsoft Intune to skip or show a new Setup Assistant pane called **T As a public preview, you can use the Mobile Application Management (MAM) to the Microsoft Tunnel VPN gateway for iOS/iPadOS. With this preview for iOS devices that haven't enrolled with Intune, supported apps on those unenrolled devices can use Microsoft Tunnel to connect to your organization when working with corporate data and resources. This feature includes VPN gateway support for: - Secure access to on-premises apps and resources using modern authentication -- Single Sign On and conditional access +- Single Sign On and Conditional Access For more information, go to: 
@@ -3749,7 +3749,7 @@ Applies to: - Windows 11 #### SentinelOne – New mobile threat defense partner -You can now use [SentinelOne](../protect/sentinelone-mobile-threat-defense-connector.md) as an integrated Mobile Threat Defense (MTD) partner with Intune. By configuring the SentinelOne connector in Intune, you can control mobile device access to corporate resources using conditional access that's based on risk assessment in your compliance policy. The SentinelOne connector can also send risk levels to app protection policies. +You can now use [SentinelOne](../protect/sentinelone-mobile-threat-defense-connector.md) as an integrated Mobile Threat Defense (MTD) partner with Intune. By configuring the SentinelOne connector in Intune, you can control mobile device access to corporate resources using Conditional Access that's based on risk assessment in your compliance policy. The SentinelOne connector can also send risk levels to app protection policies. ### Device configuration @@ -4063,7 +4063,7 @@ For more information, see [Use Access policies to require multiple administrativ As a public preview, you can now use Microsoft Tunnel with unenrolled devices. This capability is called [Microsoft Tunnel for Mobile Application Management](../protect/microsoft-tunnel-mam.md) (MAM). This preview supports Android, and without any changes to your existing Tunnel infrastructure, supports the Tunnel VPN gateway for: - Secure access to on-premises apps and resources using modern authentication -- Single Sign On and conditional access +- Single Sign On and Conditional Access To use Tunnel MAM, unenrolled devices must install Microsoft Edge, Microsoft Defender for Endpoint, and the Company Portal. You can then use the Microsoft Intune admin center to configure the following profiles for the unenrolled devices: 
@@ -4751,7 +4751,7 @@ The **All devices** option is now available for [compliance policy](../protect/c When you include the *All devices* group, you can then exclude individual groups of devices to further refine the assignment scope. #### Trend Micro – New mobile threat defense partner -You can now use [Trend Micro Mobile Security as a Service](../protect/trend-micro-mobile-threat-defense-connector.md) as an integrated mobile threat defense (MTD) partner with Intune. By configuring the Trend MTD connector in Intune, you can control mobile device access to corporate resources using conditional access that's based on risk assessment. +You can now use [Trend Micro Mobile Security as a Service](../protect/trend-micro-mobile-threat-defense-connector.md) as an integrated mobile threat defense (MTD) partner with Intune. By configuring the Trend MTD connector in Intune, you can control mobile device access to corporate resources using Conditional Access that's based on risk assessment. For more information, see: - [Mobile threat defense integration with Intune](../protect/mobile-threat-defense.md) diff --git a/memdocs/intune/protect/actions-for-noncompliance.md b/memdocs/intune/protect/actions-for-noncompliance.md index 1ccb1736ded..f6a3266ada7 100644 --- a/memdocs/intune/protect/actions-for-noncompliance.md +++ b/memdocs/intune/protect/actions-for-noncompliance.md 
@@ -269,7 +269,7 @@ You can add optional actions when you create a compliance policy, or update an e - **Send push notification to end user**: Configure this action to send a push notification about noncompliance to a device through the Company Portal app or Intune App on the device. -5. Configure a **Schedule**: Enter the number of days (0 to 365) after noncompliance to trigger the action on users' devices. After this grace period, you can enforce a [conditional access](conditional-access-intune-common-ways-use.md) policy. If you enter **0** (zero) number of days, then conditional access takes effect **immediately**. For example, if a device is noncompliant, use conditional access to block access to email, SharePoint, and other organization resources immediately. +5. Configure a **Schedule**: Enter the number of days (0 to 365) after noncompliance to trigger the action on users' devices. After this grace period, you can enforce a [Conditional Access](conditional-access-intune-common-ways-use.md) policy. If you enter **0** (zero) number of days, then Conditional Access takes effect **immediately**. For example, if a device is noncompliant, use Conditional Access to block access to email, SharePoint, and other organization resources immediately. When you create a compliance policy, the **Mark device noncompliant** action is automatically created, and automatically set to **0** days (immediately). With this action, when the device checks in with Intune and evaluates the policy, if it isn't compliant to that policy Intune immediately marks that device as noncompliant. If the client checks in at a later time after remediating the issues that lead to noncompliance, its status will update to its new compliance status. If you use Conditional Access, those policies also apply as soon as a device is marked as noncompliant. 
To set a grace period to allow for a condition of noncompliance to be remediated before the device is marked as noncompliant, change the **Schedule** on the **Mark device noncompliant** action. diff --git a/memdocs/intune/protect/advanced-threat-protection-configure.md b/memdocs/intune/protect/advanced-threat-protection-configure.md index 1b5618f4fb0..2db78c2b781 100644 --- a/memdocs/intune/protect/advanced-threat-protection-configure.md +++ b/memdocs/intune/protect/advanced-threat-protection-configure.md @@ -2,7 +2,7 @@ # required metadata title: Configure Microsoft Defender for Endpoint in Microsoft Intune -description: Configure Microsoft Defender for Endpoint in Intune, including connecting to Defender for Endpoint, onboarding devices, assigning compliance for risk levels, and conditional access policies. +description: Configure Microsoft Defender for Endpoint in Intune, including connecting to Defender for Endpoint, onboarding devices, assigning compliance for risk levels, and Conditional Access policies. keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls, microsoft defender for endpoint, mde author: brenduns ms.author: brenduns 
@@ -38,7 +38,7 @@ Use the information and procedures in this article to configure integration of M - **Establish a service-to-service connection between Intune and Microsoft Defender for Endpoint**. This connection lets Microsoft Defender for Endpoint collect data about machine risk from supported devices you manage with Intune. See the [prerequisites](../protect/advanced-threat-protection.md#prerequisites) to use Microsoft Defender for Endpoint with Intune. - **Use Intune policy to onboard devices with Microsoft Defender for Endpoint**. You onboard devices to configure them to communicate with Microsoft Defender for Endpoint and to provide data that helps assess their risk level. - **Use Intune device compliance policies to set the level of risk you want to allow**. Microsoft Defender for Endpoint reports a devices risk level. Devices that exceed the allowed risk level are identified as noncompliant. -- **Use a conditional access policy** to block users from accessing corporate resources from devices that are noncompliant. +- **Use a Conditional Access policy** to block users from accessing corporate resources from devices that are noncompliant. - **Use** [**app protection policies**](../protect/mtd-app-protection-policy.md) for Android and iOS/iPadOS, to set device risk levels. App protection policies work with both enrolled and unenrolled devices. In addition to managing settings for Microsoft Defender for Endpoint on devices that enroll with Intune, you can manage Defender for Endpoint security configurations on devices that aren’t enrolled with Intune. This scenario is called *Security Management for Microsoft Defender for Endpoint* and requires configuring the *Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations* toggle to *On*. For more information, see [MDE Security Configuration Management](../protect/mde-security-integration.md). 
@@ -282,16 +282,16 @@ Use the procedure to [create an application protection policy for either iOS/iPa > [!IMPORTANT] > If you create an app protection policy for any protected app, the device's threat level is assessed. Depending on the configuration, devices that don’t meet an acceptable level are either blocked or selectively wiped through conditional launch. If blocked, they are prevented from accessing corporate resources until the threat on the device is resolved and reported to Intune by the chosen MTD vendor. -## Create a conditional access policy +## Create a Conditional Access policy -Conditional access policies can use data from Microsoft Defender for Endpoint to block access to resources for devices that exceed the threat level you set. You can block access from the device to corporate resources, such as SharePoint or Exchange Online. +Conditional Access policies can use data from Microsoft Defender for Endpoint to block access to resources for devices that exceed the threat level you set. You can block access from the device to corporate resources, such as SharePoint or Exchange Online. > [!TIP] > > Conditional Access is a Microsoft Entra technology. The *Conditional Access* node found in the Microsoft Intune admin center is the node from *Microsoft Entra*. 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Endpoint security** > **Conditional access** > **Create new policy**. Because Intune presents the policy creation user interface for Conditional Access from the Azure portal, the interface is different than the policy creation workflow you might be familiar with. +2. Select **Endpoint security** > **Conditional Access** > **Create new policy**. Because Intune presents the policy creation user interface for Conditional Access from the Azure portal, the interface is different than the policy creation workflow you might be familiar with. 3. Enter a policy **Name**. 4. 
For **Users**, use the *Include* and *Exclude* tabs to configure groups that will receive this policy. 5. For **Target resources**, set *Select what this policy applies to* to **Cloud apps**, and then choose which apps to protect. For example, choose **Select apps** and then for *Select*, search for and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. diff --git a/memdocs/intune/protect/advanced-threat-protection.md b/memdocs/intune/protect/advanced-threat-protection.md index 8b4d8a00323..9dc035f70e7 100644 --- a/memdocs/intune/protect/advanced-threat-protection.md +++ b/memdocs/intune/protect/advanced-threat-protection.md 
@@ -45,7 +45,7 @@ To be successful, use the following configurations in concert, which are detaile - **Use a device compliance policy to set the level of risk you want to allow**. Risk levels are reported by Microsoft Defender for Endpoint. Devices that exceed the allowed risk level are identified as noncompliant. See [Create and assign compliance policy to set device risk level](../protect/advanced-threat-protection-configure.md#create-and-assign-compliance-policy-to-set-device-risk-level) and [Create and assign app protection policy to set device risk level](../protect/advanced-threat-protection-configure.md#create-and-assign-app-protection-policy-to-set-device-risk-level). -- **Use a conditional access policy** to block users from accessing corporate resources from devices that are noncompliant. See [Create a conditional access policy](../protect/advanced-threat-protection-configure.md#create-a-conditional-access-policy). +- **Use a Conditional Access policy** to block users from accessing corporate resources from devices that are noncompliant. See [Create a Conditional Access policy](../protect/advanced-threat-protection-configure.md#create-a-conditional-access-policy). When you integrate Intune with Microsoft Defender for Endpoint, you can take advantage of Microsoft Defender for Endpoints Threat & Vulnerability Management (TVM) and [use Intune to remediate endpoint weakness identified by TVM](atp-manage-vulnerabilities.md). 
@@ -66,7 +66,7 @@ Microsoft Defender for Endpoint can help resolve security events like this scena You can integrate Microsoft Defender for Endpoint with Microsoft Intune as a Mobile Threat Defense solution. Integration can help you prevent security breaches and limit the impact of breaches within an organization. -Because you have an Intune device compliance policy to classify devices with a *Medium* or *High* level of risk as noncompliant, the compromised device is classified as noncompliant. This classification allows your conditional access policy to kick in and block access from that device to your corporate resources. +Because you have an Intune device compliance policy to classify devices with a *Medium* or *High* level of risk as noncompliant, the compromised device is classified as noncompliant. This classification allows your Conditional Access policy to kick in and block access from that device to your corporate resources. For devices that run Android, you can use Intune policy to modify the configuration of Microsoft Defender for Endpoint on Android. For more information, see [Microsoft Defender for Endpoint web protection](../protect/advanced-threat-protection-manage-android.md). @@ -94,7 +94,7 @@ For the system requirements for Microsoft Defender for Endpoint, see [Minimum re ## Next steps -- To connect Microsoft Defender for Endpoint to Intune, onboard devices, and configure conditional access policies, see [Configure Microsoft Defender for Endpoint in Intune](../protect/advanced-threat-protection-configure.md). +- To connect Microsoft Defender for Endpoint to Intune, onboard devices, and configure Conditional Access policies, see [Configure Microsoft Defender for Endpoint in Intune](../protect/advanced-threat-protection-configure.md). Learn more from the Intune documentation: 
diff --git a/memdocs/intune/protect/app-based-conditional-access-intune-create.md b/memdocs/intune/protect/app-based-conditional-access-intune-create.md index 7352b8095ce..71e5159966c 100644 --- a/memdocs/intune/protect/app-based-conditional-access-intune-create.md +++ b/memdocs/intune/protect/app-based-conditional-access-intune-create.md @@ -51,7 +51,7 @@ Before you can create Conditional Access policies from the Microsoft Intune admi 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) -2. Select **Endpoint security** > **Conditional access** > **New policy**. +2. Select **Endpoint security** > **Conditional Access** > **New policy**. 3. Enter a policy **Name**, and then under *Assignments*, select **Users or workload identities**, and apply the policy to *Users and groups*. Use the Include or Exclude options to add your groups for the policy. diff --git a/memdocs/intune/protect/app-modern-authentication-block.md b/memdocs/intune/protect/app-modern-authentication-block.md index 2a1f63f39cd..d5f4a111005 100644 --- a/memdocs/intune/protect/app-modern-authentication-block.md +++ b/memdocs/intune/protect/app-modern-authentication-block.md @@ -37,7 +37,7 @@ App-based Conditional Access with app protection policies rely on applications u ## Block access to apps -To block access to apps that don't use modern authentication, use Intune app protection policies to implement conditional access. For more information, see [App-based Conditional Access with Intune](app-based-conditional-access-intune.md). +To block access to apps that don't use modern authentication, use Intune app protection policies to implement Conditional Access. For more information, see [App-based Conditional Access with Intune](app-based-conditional-access-intune.md). ## Additional information 
diff --git a/memdocs/intune/protect/compliance-policy-create-windows.md b/memdocs/intune/protect/compliance-policy-create-windows.md index 32a36401240..bfbb092bcf8 100644 --- a/memdocs/intune/protect/compliance-policy-create-windows.md +++ b/memdocs/intune/protect/compliance-policy-create-windows.md @@ -267,7 +267,7 @@ Applies only to co-managed devices running Windows 10/11. Intune-only devices re ### Microsoft Defender for Endpoint rules -For additional information on Microsoft Defender for Endpoint integration in conditional access scenarios, see [Configure Conditional Access in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-conditional-access). +For additional information on Microsoft Defender for Endpoint integration in Conditional Access scenarios, see [Configure Conditional Access in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-conditional-access). - **Require the device to be at or under the machine risk score**: Use this setting to take the risk assessment from your defense threat services as a condition for compliance. Choose the maximum allowed threat level: diff --git a/memdocs/intune/protect/compliance-use-custom-settings.md b/memdocs/intune/protect/compliance-use-custom-settings.md index 1bc42be16ee..d43c9b5956c 100644 --- a/memdocs/intune/protect/compliance-use-custom-settings.md +++ b/memdocs/intune/protect/compliance-use-custom-settings.md 
@@ -49,7 +49,7 @@ Before you can add custom settings to a policy, you must prepare a JSON file, an The scripts must be uploaded to the Microsoft Intune admin center before you create a compliance policy. You select the script when you’re configuring a policy to support custom settings. -After you deploy custom compliance settings and devices report back, you can view the results alongside the built-in compliance setting details in the Microsoft Intune admin center. Custom compliance settings can be used for conditional access decisions in the same way built-in compliance settings are. Together they form a compound rule set, equally affecting the device compliance state. +After you deploy custom compliance settings and devices report back, you can view the results alongside the built-in compliance setting details in the Microsoft Intune admin center. Custom compliance settings can be used for Conditional Access decisions in the same way built-in compliance settings are. Together they form a compound rule set, equally affecting the device compliance state. ## Prerequisites diff --git a/memdocs/intune/protect/conditional-access-exchange-create.md b/memdocs/intune/protect/conditional-access-exchange-create.md index b8fed4d7100..bde9a7a186e 100644 --- a/memdocs/intune/protect/conditional-access-exchange-create.md +++ b/memdocs/intune/protect/conditional-access-exchange-create.md 
@@ -100,7 +100,7 @@ Before you can configure Conditional Access, verify the following configurations 8. After you create the email profile, [assign it to groups](/mem/intune/configuration/device-profile-assign). - 9. Set up [device-based conditional access](/mem/intune/protect/conditional-access-intune-common-ways-use#device-based-conditional-access). + 9. Set up [device-based Conditional Access](/mem/intune/protect/conditional-access-intune-common-ways-use#device-based-conditional-access). > [!NOTE] > Microsoft Outlook for Android and iOS/iPadOS is not supported via the Exchange on-premises connector. If you want to leverage Microsoft Entra Conditional Access policies and Intune App Protection Policies with Outlook for iOS/iPadOS and Android for your on-premises mailboxes, please see [Using hybrid Modern Authentication with Outlook for iOS/iPadOS and Android](/Exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth). diff --git a/memdocs/intune/protect/create-conditional-access-intune.md b/memdocs/intune/protect/create-conditional-access-intune.md index bf7f35120d7..7ab2da8f6d6 100644 --- a/memdocs/intune/protect/create-conditional-access-intune.md +++ b/memdocs/intune/protect/create-conditional-access-intune.md 
@@ -54,7 +54,7 @@ To take advantage of device compliance status, configure Conditional Access poli 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Endpoint security** > **Conditional access** > **Create new policy**. +2. Select **Endpoint security** > **Conditional Access** > **Create new policy**. :::image type="content" source="./media/create-conditional-access-intune/create-ca.png" alt-text="Create a new Conditional Access policy"::: The **New** pane opens, which is the configuration pane from Microsoft Entra. The policy you’re creating is a Microsoft Entra policy for Conditional Access. To learn more about this pane and Conditional Access policies, see [Conditional Access policy components](/azure/active-directory/conditional-access/concept-conditional-access-policies) in the Microsoft Entra content. diff --git a/memdocs/intune/protect/derived-credentials.md b/memdocs/intune/protect/derived-credentials.md index bbcb6d33ddc..c9068245c99 100644 --- a/memdocs/intune/protect/derived-credentials.md +++ b/memdocs/intune/protect/derived-credentials.md 
@@ -118,7 +118,7 @@ Before you configure an issuer, review that issuer's documentation to understand Depending on the issuer you choose, you might need staff to be available at the time of enrollment to help users complete the process. Also review your current Intune configurations to ensure they don't block access that's necessary for devices or users to complete the credential request. -For example, you might use conditional access to block access to email for noncompliant devices. If you rely on email notifications to inform the user to start the derived credential enrollment process, your users might not receive those instructions until they're compliant with policy. +For example, you might use Conditional Access to block access to email for noncompliant devices. If you rely on email notifications to inform the user to start the derived credential enrollment process, your users might not receive those instructions until they're compliant with policy. Similarly, some derived credential request workflows require the use of the device camera to scan an on-screen QR code. This code links that device to the authentication request that occurred against the derived credential issuer with the user's smart card credentials. If device configuration policies block camera use, the user can't complete the derived credential enrollment request. 
@@ -128,7 +128,7 @@ Similarly, some derived credential request workflows require the use of the devi - Users aren't notified that they must enroll for derived credentials until you target them with a policy that requires derived credentials. -- Notification can be through app notification for the Company Portal, through email, or both. If you choose to use email notifications and you use enabled conditional access, users might not receive the email notification if their device isn't compliant. +- Notification can be through app notification for the Company Portal, through email, or both. If you choose to use email notifications and you use enabled Conditional Access, users might not receive the email notification if their device isn't compliant. > [!IMPORTANT] > To ensure notifications related to device credentials are successfully received by end users, you should enable app notifications for the Company Portal, email notifications, or both. diff --git a/memdocs/intune/protect/device-compliance-get-started.md b/memdocs/intune/protect/device-compliance-get-started.md index d91abdb84cb..a64f89c7e84 100644 --- a/memdocs/intune/protect/device-compliance-get-started.md +++ b/memdocs/intune/protect/device-compliance-get-started.md 
@@ -129,7 +129,7 @@ Intune includes a device compliance dashboard that you use to monitor the compli When you use Conditional Access, you can configure your Conditional Access policies to use the results of your device compliance policies to determine which devices can access your organizational resources. This access control is in addition to and separate from the actions for noncompliance that you include in your device compliance policies. -When a device enrolls in Intune it registers in Microsoft Entra ID. The compliance status for devices is reported to Microsoft Entra ID. If your Conditional Access policies have Access controls set to *Require device to be marked as compliant*, Conditional access uses that compliance status to determine whether to grant or block access to email and other organization resources. +When a device enrolls in Intune it registers in Microsoft Entra ID. The compliance status for devices is reported to Microsoft Entra ID. If your Conditional Access policies have Access controls set to *Require device to be marked as compliant*, Conditional Access uses that compliance status to determine whether to grant or block access to email and other organization resources. If you use device compliance status with Conditional Access policies, review how your tenant configures the *Mark devices with no compliance policy assigned as* option, which you manage under [Compliance policy settings](#compliance-policy-settings). diff --git a/memdocs/intune/protect/device-compliance-partners.md b/memdocs/intune/protect/device-compliance-partners.md index 37d5f1fc4f7..26a79e999c1 100644 --- a/memdocs/intune/protect/device-compliance-partners.md +++ b/memdocs/intune/protect/device-compliance-partners.md 
@@ -32,7 +32,7 @@ ms.collection: # Support third-party device compliance partners in Intune -Several third-party device compliance partners have been evaluated as a supported partner solution that you can integrate with Microsoft Intune. When you use a [third-party device compliance partner](#supported-device-compliance-partners), the partner adds the compliance state data it collects to Microsoft Entra ID. You can then use the device compliance data from the partner along side the compliance results you collect with Intune to power your [conditional access policies](../protect/device-compliance-get-started.md#integrate-with-conditional-access) that help to protect your organization and data. +Several third-party device compliance partners have been evaluated as a supported partner solution that you can integrate with Microsoft Intune. When you use a [third-party device compliance partner](#supported-device-compliance-partners), the partner adds the compliance state data it collects to Microsoft Entra ID. You can then use the device compliance data from the partner along side the compliance results you collect with Intune to power your [Conditional Access policies](../protect/device-compliance-get-started.md#integrate-with-conditional-access) that help to protect your organization and data. Third-party partners support one or more of the following platforms: @@ -86,7 +86,7 @@ The following compliance partners are supported as generally available: ## Configure Intune to work with a device compliance partner -Enable support for a device compliance partner to use compliance state data from that partner with your conditional access policies. +Enable support for a device compliance partner to use compliance state data from that partner with your Conditional Access policies. ### Add a compliance partner to Intune diff --git a/memdocs/intune/protect/endpoint-security.md b/memdocs/intune/protect/endpoint-security.md index b9e8fdfb8ed..686eb78733c 100644 
--- a/memdocs/intune/protect/endpoint-security.md +++ b/memdocs/intune/protect/endpoint-security.md @@ -111,7 +111,7 @@ To learn more about using these security policies, see [Manage device security w Endpoint security policies are one of several methods in Intune to configure settings on devices. When managing settings, it's important to understand what other methods are in use in your environment that can configure your devices, and avoid conflicts. See [Avoid policy conflicts](#avoid-policy-conflicts) later in this article. -Also found under *Manage* are *Device compliance* and *Conditional access* policies. These policies types aren't focused security policies for configuring endpoints, but are important tools for managing devices and access to your corporate resources. +Also found under *Manage* are *Device compliance* and *Conditional Access* policies. These policies types aren't focused security policies for configuring endpoints, but are important tools for managing devices and access to your corporate resources. ## Use device compliance policy 
@@ -125,24 +125,24 @@ The [available compliance settings](../protect/device-compliance-get-started.md# In addition to the policy rules, compliance policies support [Actions for noncompliance](../protect/actions-for-noncompliance.md). These actions are a time-ordered sequence of actions to apply to noncompliant devices. Actions include sending email or notifications to alert device users about noncompliance, remotely locking devices, or even retiring noncompliant devices and removing any company data that might be on it. -When you integrate Intune Microsoft Entra [Conditional Access policies](#configure-conditional-access) to enforce compliance policies, Conditional access can use the compliance data to gate access to corporate resources for both managed devices, and from devices that you don't manage. +When you integrate Intune Microsoft Entra [Conditional Access policies](#configure-conditional-access) to enforce compliance policies, Conditional Access can use the compliance data to gate access to corporate resources for both managed devices, and from devices that you don't manage. To learn more, see [Set rules on devices to allow access to resources in your organization using Intune](../protect/device-compliance-get-started.md). Device compliance policies are one of several methods in Intune to configure settings on devices. When managing settings, it's important to understand what other methods are in use in your environment that can configure your devices, and to avoid conflicts. See [Avoid policy conflicts](#avoid-policy-conflicts) later in this article. -## Configure conditional access +## Configure Conditional Access To protect your devices and corporate resources, you can use Microsoft Entra Conditional Access policies with Intune. -Intune passes the results of your device compliance policies to Microsoft Entra, which then uses conditional access policies to enforce which devices and apps can access your corporate resources. 
Conditional access policies also help to gate access for devices that you don't manage with Intune, and can use compliance details from [Mobile Threat Defense partners](../protect/mobile-threat-defense.md) you integrate with Intune. +Intune passes the results of your device compliance policies to Microsoft Entra, which then uses Conditional Access policies to enforce which devices and apps can access your corporate resources. Conditional Access policies also help to gate access for devices that you don't manage with Intune, and can use compliance details from [Mobile Threat Defense partners](../protect/mobile-threat-defense.md) you integrate with Intune. -The following are two common methods of using conditional access with Intune: +The following are two common methods of using Conditional Access with Intune: -- **Device-based conditional access**, to ensure only managed and compliant devices can access network resources. -- **App-based conditional access**, which uses app-protection policies to manage access to network resources by users on devices that you don't manage with Intune. +- **Device-based Conditional Access**, to ensure only managed and compliant devices can access network resources. +- **App-based Conditional Access**, which uses app-protection policies to manage access to network resources by users on devices that you don't manage with Intune. -To learn more about using conditional access with Intune, see [Learn about Conditional Access and Intune](../protect/conditional-access.md). +To learn more about using Conditional Access with Intune, see [Learn about Conditional Access and Intune](../protect/conditional-access.md). ## Set up Integration with Microsoft Defender for Endpoint 
@@ -162,7 +162,7 @@ While Intune can integrate with several [Mobile Threat Defense partners](../prot To manage tasks in the Endpoint security node of the Microsoft Intune admin center, an account must: - Be assigned a license for Intune. -- Have role-based access control (RBAC) permissions equal to the permissions provided by the built-in Intune role of **Endpoint Security Manager**. The *Endpoint Security Manager* role grants access to the Microsoft Intune admin center. This role can be used by individuals who manage security and compliance features, including security baselines, device compliance, conditional access, and Microsoft Defender for Endpoint. +- Have role-based access control (RBAC) permissions equal to the permissions provided by the built-in Intune role of **Endpoint Security Manager**. The *Endpoint Security Manager* role grants access to the Microsoft Intune admin center. This role can be used by individuals who manage security and compliance features, including security baselines, device compliance, Conditional Access, and Microsoft Defender for Endpoint. For more information, see [Role-based access control (RBAC) with Microsoft Intune](../fundamentals/role-based-access-control.md). @@ -282,5 +282,5 @@ Configure: - [Security baselines](../protect/security-baselines.md) - [Compliance policies](../protect/device-compliance-get-started.md) -- [Conditional access policies](#configure-conditional-access) +- [Conditional Access policies](#configure-conditional-access) - [Integration with Microsoft Defender for Endpoint](../protect/advanced-threat-protection.md) diff --git a/memdocs/intune/protect/exchange-connector-install.md b/memdocs/intune/protect/exchange-connector-install.md index 111c9470bc3..a8113173ad6 100644 --- a/memdocs/intune/protect/exchange-connector-install.md +++ b/memdocs/intune/protect/exchange-connector-install.md 
@@ -45,11 +45,11 @@ To help protect access to Exchange, Intune relies on an on-premises component th > [!IMPORTANT] > Intune will be removing support for the Exchange On-Premises Connector feature from the Intune service beginning in the 2007 (July) release. Existing customers with an active connector will be able to continue with the current functionality at this time. New customers and existing customers that do not have an active connector will no longer be able to create new connectors or manage Exchange ActiveSync (EAS) devices from Intune. For those tenants, Microsoft recommends the use of Exchange [hybrid modern authentication (HMA)](/office365/enterprise/hybrid-modern-auth-overview) to protect access to Exchange on-premises. HMA enables both Intune App Protection Policies (also known as MAM) and Conditional Access through Outlook Mobile for Exchange on-premises. -The information in this article can help you install and monitor the Intune Exchange connector. You can use the connector with your [conditional access policies](conditional-access-exchange-create.md) to allow or block access to your Exchange on-premises mailboxes. +The information in this article can help you install and monitor the Intune Exchange connector. You can use the connector with your [Conditional Access policies](conditional-access-exchange-create.md) to allow or block access to your Exchange on-premises mailboxes. The connector is installed and runs on your on-premises hardware. It discovers devices that connect to Exchange, communicating device information to the Intune service. The connector allows or blocks devices based on whether the devices are enrolled and compliant. These communications use the HTTPS protocol. -When a device tries to access your on-premises Exchange server, the Exchange connector maps Exchange ActiveSync (EAS) records in Exchange Server to Intune records to make sure the device enrolls with Intune and complies with your device's policies. 
Depending on your conditional access policies, the device can be allowed or blocked. For more information, see [What are common ways to use conditional access with Intune?](conditional-access-intune-common-ways-use.md) +When a device tries to access your on-premises Exchange server, the Exchange connector maps Exchange ActiveSync (EAS) records in Exchange Server to Intune records to make sure the device enrolls with Intune and complies with your device's policies. Depending on your Conditional Access policies, the device can be allowed or blocked. For more information, see [What are common ways to use Conditional Access with Intune?](conditional-access-intune-common-ways-use.md) Both *discovery* and *allow and block* operations are done by using standard Exchange PowerShell cmdlets. These operations use the service account that's provided when the Exchange connector is initially installed. 
@@ -62,9 +62,9 @@ Follow these general steps to set up a connection that enables Intune to communi 3. Validate the Exchange connection. 4. Repeat these steps for each additional Exchange organization you want to connect to Intune. -## How conditional access for Exchange on-premises works +## How Conditional Access for Exchange on-premises works -Conditional access for Exchange on-premises works differently than Azure Conditional Access based policies. You install the Intune Exchange on-premises connector to directly interact with Exchange server. The Intune Exchange connector pulls in all the Exchange Active Sync (EAS) records that exist at the Exchange server so Intune can take these EAS records and map them to Intune device records. These records are devices enrolled and recognized by Intune. This process allows or blocks e-mail access. +Conditional Access for Exchange on-premises works differently than Azure Conditional Access based policies. You install the Intune Exchange on-premises connector to directly interact with Exchange server. The Intune Exchange connector pulls in all the Exchange Active Sync (EAS) records that exist at the Exchange server so Intune can take these EAS records and map them to Intune device records. These records are devices enrolled and recognized by Intune. This process allows or blocks e-mail access. If the EAS record is new and Intune isn't aware of it, Intune issues a cmdlet (pronounced "command-let") that directs the Exchange server to block access to e-mail. Following are more details on how this process works: 
@@ -87,7 +87,7 @@ If the EAS record is new and Intune isn't aware of it, Intune issues a cmdlet (p 8. The Microsoft Entra Device Registration saves the device state information. -9. If the user meets the conditional access policies, Intune issues a cmdlet through the Intune Exchange connector that allows the mailbox to sync. +9. If the user meets the Conditional Access policies, Intune issues a cmdlet through the Intune Exchange connector that allows the mailbox to sync. 10. Exchange server sends the notification to EAS client so the user can access e-mail. @@ -184,7 +184,7 @@ Follow these steps to install the Intune Exchange connector. If you have multipl 4. In the **User (domain\user)** and **Password** fields, enter credentials to connect to your Exchange server. The account you specify must have a license to use Intune. -5. Provide credentials to send notifications to a user's Exchange Server mailbox. This user can be dedicated to just notifications. The notifications user needs an Exchange mailbox to send notifications by email. You can configure these notifications by using conditional access policies in Intune. +5. Provide credentials to send notifications to a user's Exchange Server mailbox. This user can be dedicated to just notifications. The notifications user needs an Exchange mailbox to send notifications by email. You can configure these notifications by using Conditional Access policies in Intune. Make sure the Autodiscover service and Exchange Web Services are configured on the Exchange CAS. For more information, see [Client Access server](/Exchange/architecture/client-access/client-access?view=exchserver-2019&preserve-view=true). 
@@ -288,9 +288,9 @@ In addition to the in-console status, you can use the [System Center Operations An Intune Exchange connector automatically synchronizes EAS and Intune device records regularly. If the compliance status of a device changes, the automatic sync process regularly updates records so that device access can be blocked or allowed. -- A **quick sync** occurs regularly, several times a day. A quick sync retrieves device information for Intune-licensed and on-premises Exchange users that are targeted for conditional access and that have changed since the last sync. +- A **quick sync** occurs regularly, several times a day. A quick sync retrieves device information for Intune-licensed and on-premises Exchange users that are targeted for Conditional Access and that have changed since the last sync. -- A **full sync** occurs once daily by default. A full sync retrieves device information for all Intune-licensed and on-premises Exchange users that are targeted for conditional access. A full sync also retrieves Exchange Server information and ensures that the configuration that Intune specifies is updated on the Exchange server. +- A **full sync** occurs once daily by default. A full sync retrieves device information for all Intune-licensed and on-premises Exchange users that are targeted for Conditional Access. A full sync also retrieves Exchange Server information and ensures that the configuration that Intune specifies is updated on the Exchange server. You can force a connector to run a sync by using the **Quick Sync** or **Full Sync** options on the Intune dashboard: @@ -305,4 +305,4 @@ You can force a connector to run a sync by using the **Quick Sync** or **Full Sy ## Next steps -Create a [conditional access policy for on-premises Exchange servers](conditional-access-exchange-create.md). +Create a [Conditional Access policy for on-premises Exchange servers](conditional-access-exchange-create.md). 
diff --git a/memdocs/intune/protect/jamf-mtd-connector.md b/memdocs/intune/protect/jamf-mtd-connector.md index 16ac3d814cb..f9fdf5ba124 100644 --- a/memdocs/intune/protect/jamf-mtd-connector.md +++ b/memdocs/intune/protect/jamf-mtd-connector.md @@ -33,14 +33,14 @@ ms.collection: # Jamf Mobile Threat Defense connector with Intune -Control mobile device access to corporate resources using conditional access based on risk assessment conducted by Jamf. Jamf is a Mobile Threat Defense (MTD) solution that integrates with Microsoft Intune. Risk is assessed based on telemetry collected from devices by the Jamf service, including: +Control mobile device access to corporate resources using Conditional Access based on risk assessment conducted by Jamf. Jamf is a Mobile Threat Defense (MTD) solution that integrates with Microsoft Intune. Risk is assessed based on telemetry collected from devices by the Jamf service, including: - Operating system vulnerabilities - Malicious apps installed - Malicious network profiles - Cryptojacking -You can configure *conditional access* policies that are based on Jamf's risk assessment, enabled through Intune device compliance policies. Risk assessment policy can allow or block noncompliant devices from accessing corporate resources based on detected threats. +You can configure *Conditional Access* policies that are based on Jamf's risk assessment, enabled through Intune device compliance policies. Risk assessment policy can allow or block noncompliant devices from accessing corporate resources based on detected threats. ## How do Intune and Jamf Mobile Threat Defense help protect your company resources? diff --git a/memdocs/intune/protect/lookout-mtd-connector-integration.md b/memdocs/intune/protect/lookout-mtd-connector-integration.md index a654e1d033a..9d1a2975a3d 100644 --- a/memdocs/intune/protect/lookout-mtd-connector-integration.md +++ b/memdocs/intune/protect/lookout-mtd-connector-integration.md 
@@ -138,7 +138,7 @@ In the Lookout MES Console, select **System** > **Manage Enrollment** > **Enroll - For **Disconnected Status**, specify the number of days before an unconnected device is marked as disconnected. - Disconnected devices are considered as noncompliant and are blocked from accessing your company applications based on the Intune conditional access policies. You can specify values between 1 and 90 days. + Disconnected devices are considered as noncompliant and are blocked from accessing your company applications based on the Intune Conditional Access policies. You can specify values between 1 and 90 days. ![Lookout enrollment settings on the System module](./media/lookout-mtd-connector-integration/lookout-console-enrollment-settings.png) diff --git a/memdocs/intune/protect/microsoft-tunnel-conditional-access.md b/memdocs/intune/protect/microsoft-tunnel-conditional-access.md index 1b95225dfd6..cb8227603f5 100644 --- a/memdocs/intune/protect/microsoft-tunnel-conditional-access.md +++ b/memdocs/intune/protect/microsoft-tunnel-conditional-access.md @@ -54,7 +54,7 @@ Before you can configure Conditional Access policies for the tunnel, you must en If you'll use Conditional Access policy to limit user access, we recommend configuring this policy after you provision your tenant to support the Microsoft Tunnel Gateway cloud app, but before you install the Tunnel Gateway. -1. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Endpoint Security** > **Conditional access** > **Create new policy**. The admin center presents the Microsoft Entra interface for creating conditional access policies. +1. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Endpoint Security** > **Conditional Access** > **Create new policy**. The admin center presents the Microsoft Entra interface for creating Conditional Access policies. 2. Specify a name for this policy. 
diff --git a/memdocs/intune/protect/mtd-enable-unenrolled-devices.md b/memdocs/intune/protect/mtd-enable-unenrolled-devices.md index 4348ba1e34f..42bd5ee5b1d 100644 --- a/memdocs/intune/protect/mtd-enable-unenrolled-devices.md +++ b/memdocs/intune/protect/mtd-enable-unenrolled-devices.md @@ -37,7 +37,7 @@ During Mobile Threat Defense (MTD) setup, you've configured a policy for classif [!INCLUDE [mtd-mam-note](../../intune/protect/includes/mtd-mam-note.md)] -## Classic conditional access policies for Mobile Threat Defense (MTD) apps +## Classic Conditional Access policies for Mobile Threat Defense (MTD) apps When you integrate a new Mobile Threat Defense application with Intune and enable the connection to Intune, Intune creates a classic Conditional Access policy in Microsoft Entra ID. Each third-party MTD partner you integrate with creates a new classic Conditional Access policy. These policies can be ignored, but shouldn't be edited, deleted, or disabled. @@ -55,7 +55,7 @@ Classic Conditional Access policies for MTD apps: - Are distinct from Conditional Access policies you might create to help manage MTD. - By default, don't interact with other Condition -To view classic conditional access policies, in [Azure](https://portal.azure.com/#home), go to **Microsoft Entra ID** > **Conditional Access** > **Classic policies**. +To view classic Conditional Access policies, in [Azure](https://portal.azure.com/#home), go to **Microsoft Entra ID** > **Conditional Access** > **Classic policies**. ## To enable the Mobile Threat Defense connector diff --git a/memdocs/intune/protect/tutorial-protect-email-on-enrolled-devices.md b/memdocs/intune/protect/tutorial-protect-email-on-enrolled-devices.md index 91c680daea5..bb72ec2e80f 100644 --- a/memdocs/intune/protect/tutorial-protect-email-on-enrolled-devices.md +++ b/memdocs/intune/protect/tutorial-protect-email-on-enrolled-devices.md 
@@ -210,7 +210,7 @@ When the test policies are no longer needed, you can remove them. 3. In the **Policy name** list, select the context menu (**...**) for your test policy, and then select **Delete**. Select **OK** to confirm. -4. Select **Endpoint security** > **Conditional access** > **policies**. +4. Select **Endpoint security** > **Conditional Access** > **policies**. 5. In the **Policy name** list, select the context menu (**...**) for your test policy, and then select **Delete**. Select **Yes** to confirm. diff --git a/memdocs/intune/protect/tutorial-protect-email-on-unmanaged-devices.md b/memdocs/intune/protect/tutorial-protect-email-on-unmanaged-devices.md index 39e63e69c80..04fc7b38015 100644 --- a/memdocs/intune/protect/tutorial-protect-email-on-unmanaged-devices.md +++ b/memdocs/intune/protect/tutorial-protect-email-on-unmanaged-devices.md 
@@ -134,13 +134,13 @@ When you configure Conditional Access policies in the Microsoft Intune admin cen 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Endpoint security** >**Conditional access** > **Create new policy**. +2. Select **Endpoint security** >**Conditional Access** > **Create new policy**. 3. For **Name**, enter **Test policy for modern auth clients**. 4. Under **Assignments**, for *Users*, select **0 users and groups selected**. On the **Include** tab, select **All users**. The value for *Users* updates to *All users*. - :::image type="content" source="./media/tutorial-protect-email-on-unmanaged-devices/conditional-access-users.png" alt-text="Begin configuration of the conditional access policy."::: + :::image type="content" source="./media/tutorial-protect-email-on-unmanaged-devices/conditional-access-users.png" alt-text="Begin configuration of the Conditional Access policy."::: 5. Under **Assignments**, for *Target resources*, select **No target resources selected**. Ensure that *Select what this policy applies to* is set to **Cloud apps**. Because we want to protect Microsoft 365 Exchange Online email, select it by following these steps: @@ -258,7 +258,7 @@ When the test policies are no longer needed, you can remove them. 3. In the **Policy name** list, select the context menu (**...**) for your test policy, and then select **Delete**. Select **OK** to confirm. -4. Go to **Endpoint security** > **Conditional access** > Policies. +4. Go to **Endpoint security** > **Conditional Access** > Policies. 5. In the **Policy Name** list, select the context menu (**...**) for each of your test policies, and then select **Delete**. Select **Yes** to confirm. diff --git a/memdocs/intune/remote-actions/device-management.md b/memdocs/intune/remote-actions/device-management.md index 22fe7967a19..993ab0cb676 100644 --- a/memdocs/intune/remote-actions/device-management.md 
+++ b/memdocs/intune/remote-actions/device-management.md @@ -74,7 +74,7 @@ This article shows you how to see the available remote actions, and lists some o - **By platform**: View lists of devices by the specific platform. - **Enrollment**: Opens the enrollment page and lists the different enrollment options for each platform. - - **Configuration**, **Compliance**, **Conditional access**: These options let you create new policies and view & update existing policies. + - **Configuration**, **Compliance**, **Conditional Access**: These options let you create new policies and view & update existing policies. - **Device cleanup rules**: Automatically removes inactive devices from Intune. For more information, go to [Automatically delete devices with cleanup rules](devices-wipe.md#delete-devices-from-the-intune-admin-center). - **Device categories**: Create [device categories](../enrollment/device-group-mapping.md) to help organize devices and build dynamic device groups. - **Help and Support** provides a shortcut on troubleshooting tips, requesting support, or checking the status of Intune. diff --git a/memdocs/intune/toc.yml b/memdocs/intune/toc.yml index 3bd30650994..223d0c32887 100644 --- a/memdocs/intune/toc.yml +++ b/memdocs/intune/toc.yml @@ -421,7 +421,7 @@ items: items: - name: Overview href: ./apps/mamedge-overview.md - - name: Step 1. Create Microsoft Entra conditional access + - name: Step 1. Create Microsoft Entra Conditional Access href: ./apps/mamedge-1-mamca.md - name: Step 2. Create an app protection policy href: ./apps/mamedge-2-app.md 
@@ -1578,7 +1578,7 @@ items: displayName: group; category; categorize; security group; - name: Require multifactor authentication href: ./enrollment/multi-factor-authentication.md - displayName: multi-factor; enrollment; MFA; verification; conditional access + displayName: multi-factor; enrollment; MFA; verification; Conditional Access - name: Create terms and conditions policy href: ./enrollment/terms-and-conditions-create.md displayName: intune; enrollment; terms and conditions; policy @@ -2161,7 +2161,7 @@ items: items: - name: Overview href: ./apps/mamedge-overview.md - - name: Step 1. Create Microsoft Entra conditional access + - name: Step 1. Create Microsoft Entra Conditional Access href: ./apps/mamedge-1-mamca.md - name: Step 2. Create an app protection policy href: ./apps/mamedge-2-app.md diff --git a/memdocs/intune/user-help/set-up-migrate-iphone-for-work.md b/memdocs/intune/user-help/set-up-migrate-iphone-for-work.md index 8a77d9abc1d..6c6501b708d 100644 --- a/memdocs/intune/user-help/set-up-migrate-iphone-for-work.md +++ b/memdocs/intune/user-help/set-up-migrate-iphone-for-work.md @@ -89,7 +89,7 @@ Set up your new iPhone. Complete these steps on your new iPhone unless otherwise 4. Initiate the device enrollment workflow: 1. On your new device, open a productivity app, such as Microsoft Teams, and sign in with your work account. 2. Complete the MFA requirements or passwordless authentication using Authenticator on your old phone. - 3. You'll get blocked by conditional access and prompted to enroll your new device. + 3. You'll get blocked by Conditional Access and prompted to enroll your new device. ## Step 3: Device enrollment When you open a productivity app, such as Microsoft Teams, and sign in with your work account, you'll be prompted to install the Company Portal app for iOS and enroll your device. Complete these steps to finish setting up your device for work. 
diff --git a/memdocs/solutions/cloud-native-endpoints/azure-ad-joined-hybrid-azure-ad-joined.md b/memdocs/solutions/cloud-native-endpoints/azure-ad-joined-hybrid-azure-ad-joined.md index 326ec4a3ef9..44d5421d3b1 100644 --- a/memdocs/solutions/cloud-native-endpoints/azure-ad-joined-hybrid-azure-ad-joined.md +++ b/memdocs/solutions/cloud-native-endpoints/azure-ad-joined-hybrid-azure-ad-joined.md @@ -75,7 +75,7 @@ To join Windows endpoints to Microsoft Entra, you have some options: ### Organization IT benefits -- Using conditional access, you can allow or restrict access to organization resources that meet, or don't meet your requirements. +- Using Conditional Access, you can allow or restrict access to organization resources that meet, or don't meet your requirements. - Settings and work data roam through enterprise compliant clouds. No personal Microsoft accounts, like Hotmail are used, and can be blocked. - Using Windows Hello for Business, you can reduce the risk of credential theft. 
@@ -171,13 +171,13 @@ Microsoft Intune, which is a 100% cloud solution, can manage Windows client devi The [High level planning guide to move to cloud-native endpoints: Intune features you should know](cloud-native-endpoints-planning-guide.md#intune-features-you-should-know) lists some of these features. [What is Intune](../../intune/fundamentals/what-is-intune.md) is also a good resource. -On Hybrid Microsoft Entra Join endpoints, you can use on-premises group policies objects (GPO) or Intune to control policy settings. It's possible to also use a combination of GPO and Intune, but this combination adds administrative overhead and complexity. If you enable [co-management](../../configmgr/comanage/overview.md) (Intune (cloud) + Configuration Manager (on-premises)), then you can use some Microsoft Entra features, such as conditional access. +On Hybrid Microsoft Entra Join endpoints, you can use on-premises group policies objects (GPO) or Intune to control policy settings. It's possible to also use a combination of GPO and Intune, but this combination adds administrative overhead and complexity. If you enable [co-management](../../configmgr/comanage/overview.md) (Intune (cloud) + Configuration Manager (on-premises)), then you can use some Microsoft Entra features, such as Conditional Access. For some guidance, go to [Deployment guide: Setup or move to Microsoft Intune](../../intune/fundamentals/deployment-guide-intune-setup.md). -#### What device join states are required for device compliance and/or conditional access? +#### What device join states are required for device compliance and/or Conditional Access? -Both Hybrid Microsoft Entra Join and Microsoft Entra Join endpoints support [compliance policies](../../intune/protect/device-compliance-get-started.md) and [conditional access](../../intune/protect/conditional-access.md) when managed by Intune or co-managed by Intune and Configuration Manager. 
+Both Hybrid Microsoft Entra Join and Microsoft Entra Join endpoints support [compliance policies](../../intune/protect/device-compliance-get-started.md) and [Conditional Access](../../intune/protect/conditional-access.md) when managed by Intune or co-managed by Intune and Configuration Manager. #### Are there limitations for Hybrid Microsoft Entra Join? diff --git a/windows-365/business/TOC.yml b/windows-365/business/TOC.yml index 93968802c2d..b05ed96c59a 100644 --- a/windows-365/business/TOC.yml +++ b/windows-365/business/TOC.yml @@ -39,7 +39,7 @@ items: href: restore-overview.md - name: Identity and access management items: - - name: Set conditional access policies + - name: Set Conditional Access policies href: set-conditional-access-policies.md - name: Configure single sign-on href: configure-single-sign-on.md diff --git a/windows-365/business/configure-single-sign-on.md b/windows-365/business/configure-single-sign-on.md index 70a997b9179..cedec00d7f1 100644 --- a/windows-365/business/configure-single-sign-on.md +++ b/windows-365/business/configure-single-sign-on.md @@ -39,7 +39,7 @@ To enable SSO using Microsoft Entra ID authentication, there are four tasks you 1. Configure the target device groups. -1. Review your conditional access policies. +1. Review your Conditional Access policies. 1. Configure your organizational settings to enable SSO. @@ -53,7 +53,7 @@ When SSO is enabled, users sign in to Windows using a Microsoft Entra ID authent - Users benefit from a single sign-on experience and can reconnect without authentication prompt when allowed. - Users can sign back into their session using passwordless authentication like FIDO keys. -- Conditional access policies, including multifactor authentication and sign-in frequency, are re-evaluated when the user reconnects to their session. +- Conditional Access policies, including multifactor authentication and sign-in frequency, are re-evaluated when the user reconnects to their session. ## Prerequisites 
@@ -186,9 +186,9 @@ To configure the service principal, use the [Microsoft Graph PowerShell SDK](/po Remove-MgServicePrincipalRemoteDesktopSecurityConfigurationTargetDeviceGroup -ServicePrincipalId $WCLspId -TargetDeviceGroupId "" ``` -## Review your conditional access policies +## Review your Conditional Access policies -When SSO is turned on, a new Microsoft Entra ID app is introduced to authenticate users to the Cloud PC. If you have conditional access policies that apply when accessing Windows 365, review the recommendations to [set conditional access policies](set-conditional-access-policies.md) for Windows 365 to make sure users have the desired experience and to secure your environment. +When SSO is turned on, a new Microsoft Entra ID app is introduced to authenticate users to the Cloud PC. If you have Conditional Access policies that apply when accessing Windows 365, review the recommendations to [set Conditional Access policies](set-conditional-access-policies.md) for Windows 365 to make sure users have the desired experience and to secure your environment. ## Turn on SSO for all Cloud PCs in your account diff --git a/windows-365/business/set-conditional-access-policies.md b/windows-365/business/set-conditional-access-policies.md index a34132c0ce6..cb258e421ee 100644 --- a/windows-365/business/set-conditional-access-policies.md +++ b/windows-365/business/set-conditional-access-policies.md @@ -1,8 +1,8 @@ --- # required metadata -title: Set conditional access policies for Windows 365 Business +title: Set Conditional Access policies for Windows 365 Business titleSuffix: -description: Learn how to set conditional access policies for Windows 365 Business. +description: Learn how to set Conditional Access policies for Windows 365 Business. keywords: author: ErikjeMS ms.author: erikje 
@@ -29,7 +29,7 @@ ms.collection: - tier2 --- -# Set conditional access policies for Windows 365 Business +# Set Conditional Access policies for Windows 365 Business Conditional Access is the protection of regulated content in a system by requiring certain criteria to be met before granting access to the content. Conditional Access policies at their simplest are if-then statements. If a user wants to access a resource, then they must complete an action. For example, a payroll manager wants to access the payroll application and is required to perform multi-factor authentication (MFA) to do so. @@ -51,7 +51,7 @@ Conditional Access policies aren't set for your tenant by default. You can targ No matter which method you use, the policies will be enforced on the Cloud PC End-user portal and the connection to the Cloud PC. -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Endpoint security** > **Conditional access** > **Create new policy**. +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Endpoint security** > **Conditional Access** > **Create new policy**. 1. Provide a **Name** for your specific Conditional Access policy. 1. Under **Users**, select **0 users and groups selected**. 1. Under the **Include** tab, select **Select users and groups** and check **Users and groups**. If the new pane doesn't open automatically, select **0 users and groups selected**. 
@@ -63,13 +63,13 @@ No matter which method you use, the policies will be enforced on the Cloud PC En - **Azure Virtual Desktop** (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07). This app may also appear as **Windows Virtual Desktop**. This app is used to authenticate to the Azure Virtual Desktop Gateway during the connection and when the client sends diagnostic information to the service. - **Microsoft Remote Desktop** (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c) and **Windows Cloud Login** (app ID 270efc09-cd0d-444b-a71f-39af4910ec45). These apps are only needed when you [configure single sign-on](configure-single-sign-on.md) in your environment. These apps are used to authenticate users to the Cloud PC. - It's recommended to match conditional access policies between these apps. This ensures that the policy applies to the Cloud PC End-user portal, the connection to the Gateway and the Cloud PC for a consistent experience. If you want to exclude apps, you must also choose all of these apps. + It's recommended to match Conditional Access policies between these apps. This ensures that the policy applies to the Cloud PC End-user portal, the connection to the Gateway and the Cloud PC for a consistent experience. If you want to exclude apps, you must also choose all of these apps. > [!IMPORTANT] > With single sign-on enabled, authentication to the Cloud PC uses the **Microsoft Remote Desktop** Entra ID app today. An upcoming change will transition the authentication to the **Windows Cloud Login** Entra ID app. To ensure a smooth transition, you need to add both Entra ID apps to your CA policies. > [!NOTE] - > If you don't see the Windows Cloud Login app when configuring your conditional access policy, use the steps below to create the app. You must have Owner or Contributor permissions on the subscription to make these changes: + > If you don't see the Windows Cloud Login app when configuring your Conditional Access policy, use the steps below to create the app. 
You must have Owner or Contributor permissions on the subscription to make these changes: > > 1. Sign into the [Azure Portal](https://portal.azure.com). > 1. Select **Subscriptions** from the list of Azure Services. @@ -77,7 +77,7 @@ No matter which method you use, the policies will be enforced on the Cloud PC En > 1. Select **Resource providers** then select **Microsoft.DesktopVirtualization**. > 1. Select **Register** at the top. > - > After the resource provider is registered, the Windows Cloud Login app appears in the conditional access policy configuration when selecting apps to apply the policy to. If you aren't using Azure Virtual Desktop, you can unregister the Microsoft.DesktopVirtualization resource provider after the Windows Cloud Login app is available. + > After the resource provider is registered, the Windows Cloud Login app appears in the Conditional Access policy configuration when selecting apps to apply the policy to. If you aren't using Azure Virtual Desktop, you can unregister the Microsoft.DesktopVirtualization resource provider after the Windows Cloud Login app is available. 1. If you want to fine-tune your policy, under **Grant**, choose **0 controls selected**. 1. In the **Grant** pane, choose the grant or block access options that you want to apply to all objects assigned to this policy, then select **Select**. 1. If you want to test your policy first, under **Enable policy**, select **Report-only**. If you set it to **On**, the policy will be applied as soon as you create it. diff --git a/windows-365/compliance-overview.md b/windows-365/compliance-overview.md index 342c1b46a38..757e7d2083e 100644 --- a/windows-365/compliance-overview.md +++ b/windows-365/compliance-overview.md 
@@ -44,7 +44,7 @@ Windows 365 leverages other Microsoft services for compliance, including: - [Microsoft Purview](/purview/purview): A suite of data governance and compliance tools. - [Microsoft Entra ID](/entra/fundamentals/whatis): Identity and access management, formerly known as Azure Active Directory (Azure AD). - [Microsoft Purview Compliance Manager](/purview/compliance-manager): Tools for managing compliance across your organization. -- [Microsoft Intune](/mem): Enforces device compliance and conditional access policies to protect access to Windows 365 Cloud PCs. +- [Microsoft Intune](/mem): Enforces device compliance and Conditional Access policies to protect access to Windows 365 Cloud PCs. ## Microsoft Intune capabilities for compliance diff --git a/windows-365/enterprise/TOC.yml b/windows-365/enterprise/TOC.yml index be0355e5881..eecc3d841cc 100644 --- a/windows-365/enterprise/TOC.yml +++ b/windows-365/enterprise/TOC.yml @@ -181,7 +181,7 @@ items: href: forensic-evidence-set-up.md - name: Identity and access management items: - - name: Set conditional access policies + - name: Set Conditional Access policies href: set-conditional-access-policies.md - name: Configure single sign-on href: configure-single-sign-on.md diff --git a/windows-365/enterprise/architecture.md b/windows-365/enterprise/architecture.md index 924fde7b5e0..34d1937f44c 100644 --- a/windows-365/enterprise/architecture.md +++ b/windows-365/enterprise/architecture.md 
@@ -107,7 +107,7 @@ Microsoft Entra ID provides user authentication and authorization for both the W - cookie persistence for the Windows 365 web portal - device compliance controls -For more information on how to use Microsoft Entra Conditional Access with Windows 365, see [Set conditional access policies](set-conditional-access-policies.md). +For more information on how to use Microsoft Entra Conditional Access with Windows 365, see [Set Conditional Access policies](set-conditional-access-policies.md). ### Active Directory Domain Services diff --git a/windows-365/enterprise/configure-single-sign-on.md b/windows-365/enterprise/configure-single-sign-on.md index d1b329f1655..d20d54f4b1e 100644 --- a/windows-365/enterprise/configure-single-sign-on.md +++ b/windows-365/enterprise/configure-single-sign-on.md 
@@ -38,7 +38,7 @@ For information on using passwordless authentication within the session, see [In To get started, following the steps to [Configure single sign-on](/azure/virtual-desktop/configure-single-sign-on) for Azure Virtual Desktop with the following caveats: - If the Kerberos Server object isn't present for Microsoft Entra hybrid joined provisioning policies, a new error appears in your Azure Network Connection (ANC) [health check for single sign-on](health-checks.md#supported-checks). -- If you have conditional access policies that apply when accessing Windows 365, review the recommendations to [set conditional access policies](set-conditional-access-policies.md) for Windows 365 to make sure users have the expected experience. +- If you have Conditional Access policies that apply when accessing Windows 365, review the recommendations to [set Conditional Access policies](set-conditional-access-policies.md) for Windows 365 to make sure users have the expected experience. - SSO can be enabled on any provisioning policies. You can find the **Use Microsoft Entra single sign-on** option under the **Join type** on the **General** page. This can be done when [creating a new provisioning policy](create-provisioning-policy.md#continue-creating-a-provisioning-policy) or when [editing an existing provisioning policy](edit-provisioning-policy.md), with an option to apply SSO to existing Cloud PCs. - When provisioning Frontline Cloud PCs in shared mode, [hide the consent prompt](/azure/virtual-desktop/configure-single-sign-on#hide-the-consent-prompt-dialog) so that users don't see it with each shared device. You can use a dynamic device group based on the provisioning policy name to scope this configuration. diff --git a/windows-365/enterprise/deploy-security-baselines.md b/windows-365/enterprise/deploy-security-baselines.md index 73594dd74db..175ee49381b 100644 --- a/windows-365/enterprise/deploy-security-baselines.md 
+++ b/windows-365/enterprise/deploy-security-baselines.md @@ -62,4 +62,4 @@ For more information, see [Use security baselines to configure Windows devices i For a detailed list of the 24H1 settings, see [Settings list for the Windows 365 Cloud PC security baseline in Intune](/mem/intune/protect/security-baseline-settings-windows-365?pivots=win365-24h1). -[Set conditional access policies](set-conditional-access-policies.md). +[Set Conditional Access policies](set-conditional-access-policies.md). diff --git a/windows-365/enterprise/identity-authentication.md b/windows-365/enterprise/identity-authentication.md index bd36d73aa95..00cef96eb47 100644 --- a/windows-365/enterprise/identity-authentication.md +++ b/windows-365/enterprise/identity-authentication.md @@ -104,7 +104,7 @@ To access the Windows 365 service, users must first authenticate to the service #### Multifactor authentication -Follow the instructions in [Set conditional access policies](set-conditional-access-policies.md) to learn how to enforce Microsoft Entra multifactor authentication for your Cloud PCs. That article also tells you how to configure how often your users are prompted to enter their credentials. +Follow the instructions in [Set Conditional Access policies](set-conditional-access-policies.md) to learn how to enforce Microsoft Entra multifactor authentication for your Cloud PCs. That article also tells you how to configure how often your users are prompted to enter their credentials. #### Passwordless authentication diff --git a/windows-365/enterprise/index.yml b/windows-365/enterprise/index.yml index 2b7edbbb6f8..5fef3f2c623 100644 --- a/windows-365/enterprise/index.yml +++ b/windows-365/enterprise/index.yml @@ -90,7 +90,7 @@ conceptualContent: text: Deploy security baselines - url: set-conditional-access-policies.md itemType: how-to-guide - text: Set conditional access policies + text: Set Conditional Access policies footerLink: url: security-guidelines.md text: See more 
diff --git a/windows-365/enterprise/restrict-office-365-cloud-pcs.md b/windows-365/enterprise/restrict-office-365-cloud-pcs.md index bd087454bfd..e94166f5bef 100644 --- a/windows-365/enterprise/restrict-office-365-cloud-pcs.md +++ b/windows-365/enterprise/restrict-office-365-cloud-pcs.md @@ -37,9 +37,9 @@ This article describes how to limit access to Office 365 services. You can use t 1. Create a Microsoft Entra security group to manage which users are controlled by the new policy. Add to this group all the Cloud PC users who will be subjected to the new policy. Only users in this group will be restricted to using Cloud PCs when accessing Office 365 services. If you want to change a user’s access, you can just remove them from this group. -2. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Endpoint security** > **Conditional access** > **Create new policy**. +2. Sign in to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Endpoint security** > **Conditional Access** > **Create new policy**. - ![Create conditional access policy screen shot](./media/restrict-office-365-cloud-pcs/create-conditional-policy.png) + ![Create Conditional Access policy screen shot](./media/restrict-office-365-cloud-pcs/create-conditional-policy.png) 3. Type a **Name** for your new Conditional Access policy. For example, “Restrict Office 365 access to CPCs”. diff --git a/windows-365/enterprise/security.md b/windows-365/enterprise/security.md index f2f46f5b6f3..2adcda27ec7 100644 --- a/windows-365/enterprise/security.md +++ b/windows-365/enterprise/security.md 
@@ -54,7 +54,7 @@ As described in [identity and authentication](./identity-authentication.md#authe - The Windows 365 service. - The Cloud PC. -The primary control for securing access is by using Microsoft Entra Conditional Access to conditionally grant access to the Windows 365 service. To secure access to the Cloud PC, see [set conditional access policies](./set-conditional-access-policies.md). +The primary control for securing access is by using Microsoft Entra Conditional Access to conditionally grant access to the Windows 365 service. To secure access to the Cloud PC, see [set Conditional Access policies](./set-conditional-access-policies.md). ## Secure Cloud PC devices diff --git a/windows-365/enterprise/set-conditional-access-policies.md b/windows-365/enterprise/set-conditional-access-policies.md index 62acbd9f643..c207ed79385 100644 --- a/windows-365/enterprise/set-conditional-access-policies.md +++ b/windows-365/enterprise/set-conditional-access-policies.md @@ -1,8 +1,8 @@ --- # required metadata -title: Set conditional access policies for Windows 365 +title: Set Conditional Access policies for Windows 365 titleSuffix: -description: Learn how to set conditional access policies for Windows 365. +description: Learn how to set Conditional Access policies for Windows 365. keywords: author: ErikjeMS ms.author: erikje @@ -29,7 +29,7 @@ ms.collection: - tier2 --- -# Set conditional access policies +# Set Conditional Access policies Conditional Access is the protection of regulated content in a system by requiring certain criteria to be met before granting access to the content. Conditional Access policies at their simplest are if-then statements. If a user wants to access a resource, then they must complete an action. For example, a payroll manager wants to access the payroll application and is required to perform multi-factor authentication (MFA) to do so. 
@@ -51,7 +51,7 @@ Conditional Access policies aren't set for your tenant by default. You can targ No matter which method you use, the policies will be enforced on the Cloud PC End-user portal and the connection to the Cloud PC. -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Endpoint security** > **Conditional access** > **Create new policy**. +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Endpoint security** > **Conditional Access** > **Create new policy**. 2. Provide a **Name** for your specific Conditional Access policy. 3. Under **Users**, select **0 users and groups selected**. 4. Under the **Include** tab, select **Select users and groups** > check **Users and groups** > under **Select**, choose **0 users and groups selected**. 
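Review bot: In step 1 of set-conditional-access-policies.md the capitalization change lands inside a bolded navigation path (`**Endpoint security** > **Conditional Access** > **Create new policy**`), and bold text in these steps names UI elements. Please confirm the admin center displays the node as "Conditional Access" before merging, and make the same check for the identical path changed in restrict-office-365-cloud-pcs.md. The prose, title and link-text changes elsewhere in this patch are not tied to a UI string and look fine as a style sweep.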
@@ -63,13 +63,13 @@ No matter which method you use, the policies will be enforced on the Cloud PC En - **Azure Virtual Desktop** (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07). This app may also appear as **Windows Virtual Desktop**. This app is used to authenticate to the Azure Virtual Desktop Gateway during the connection and when the client sends diagnostic information to the service. - **Microsoft Remote Desktop** (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c) and **Windows Cloud Login** (app ID 270efc09-cd0d-444b-a71f-39af4910ec45). These apps are only needed when you [configure single sign-on](configure-single-sign-on.md) in a provisioning policy. These apps are used to authenticate users to the Cloud PC. - It's recommended to match conditional access policies between these apps. This ensures that the policy applies to the Cloud PC End-user portal, the connection to the Gateway and the Cloud PC for a consistent experience. If you want to exclude apps, you must also choose all of these apps. + It's recommended to match Conditional Access policies between these apps. This ensures that the policy applies to the Cloud PC End-user portal, the connection to the Gateway and the Cloud PC for a consistent experience. If you want to exclude apps, you must also choose all of these apps. > [!IMPORTANT] > With SSO enabled, authentication to the Cloud PC uses the **Microsoft Remote Desktop** Entra ID app today. An upcoming change will transition the authentication to the **Windows Cloud Login** Entra ID app. To ensure a smooth transition, you need to add both Entra ID apps to your CA policies. > [!NOTE] - > If you don't see the Windows Cloud Login app when configuring your conditional access policy, use the steps below to create the app. You must have Owner or Contributor permissions on the subscription to make these changes: + > If you don't see the Windows Cloud Login app when configuring your Conditional Access policy, use the steps below to create the app. 
You must have Owner or Contributor permissions on the subscription to make these changes: > > 1. Sign into the [Azure Portal](https://portal.azure.com). > 1. Select **Subscriptions** from the list of Azure Services. @@ -77,7 +77,7 @@ No matter which method you use, the policies will be enforced on the Cloud PC En > 1. Select **Resource providers** then select **Microsoft.DesktopVirtualization**. > 1. Select **Register** at the top. > - > After the resource provider is registered, the Windows Cloud Login app appears in the conditional access policy configuration when selecting apps to apply the policy to. If you aren't using Azure Virtual Desktop, you can unregister the Microsoft.DesktopVirtualization resource provider after the Windows Cloud Login app is available. + > After the resource provider is registered, the Windows Cloud Login app appears in the Conditional Access policy configuration when selecting apps to apply the policy to. If you aren't using Azure Virtual Desktop, you can unregister the Microsoft.DesktopVirtualization resource provider after the Windows Cloud Login app is available. 9. If you want to fine-tune your policy, under **Grant**, choose **0 controls selected**. 10. In the **Grant** pane, choose the grant or block access options that you want to apply to all objects assigned to this policy > **Select**. 11. If you want to test your policy first, under **Enable policy**, select **Report-only**. If you set it to **On**, the policy will be applied as soon as you create it. diff --git a/windows-365/enterprise/troubleshooting.md b/windows-365/enterprise/troubleshooting.md index b61b9586331..1235c44fded 100644 --- a/windows-365/enterprise/troubleshooting.md +++ b/windows-365/enterprise/troubleshooting.md 
@@ -45,11 +45,11 @@ For connections using the Remote Desktop client for Windows to access Cloud PCs, After the installation, the optimizations to redirect audio and video to your local Windows endpoint don’t work. The user must close Teams and sign out from or restart the Cloud PC to activate the Optimized status. -## Conditional access +## Conditional Access -Make sure that you apply conditional access policies to both the dedicated Windows 365 cloud app and the Azure Virtual Desktop cloud app. You can apply these policies in the conditional access UI of Microsoft Intune admin center or Microsoft Entra ID. +Make sure that you apply Conditional Access policies to both the dedicated Windows 365 cloud app and the Azure Virtual Desktop cloud app. You can apply these policies in the Conditional Access UI of Microsoft Intune admin center or Microsoft Entra ID. -Any conditional access policy that you apply will affect: +Any Conditional Access policy that you apply will affect: - Access to the end-user web portal - The connection to the Cloud PC from the Remote Desktop apps. diff --git a/windows-365/enterprise/whats-new.md b/windows-365/enterprise/whats-new.md index b9df59b6783..e0c3a236458 100644 --- a/windows-365/enterprise/whats-new.md +++ b/windows-365/enterprise/whats-new.md 
@@ -416,7 +416,7 @@ Customers that have Modern Microsoft Cloud Agreements can upgrade their existing #### Single sign-on Windows 365 clients authentication change -Single sign-on for Windows 365 is transitioning to use the Windows Cloud Login Entra ID cloud app for Windows authentication starting with the Windows and Web clients. For more information, see [Set conditional access policies](set-conditional-access-policies.md). +Single sign-on for Windows 365 is transitioning to use the Windows Cloud Login Entra ID cloud app for Windows authentication starting with the Windows and Web clients. For more information, see [Set Conditional Access policies](set-conditional-access-policies.md). ### Monitor and troubleshoot @@ -672,7 +672,7 @@ For more information, see [Microsoft Purview Customer Lockbox](/purview/customer #### New faster sign-in frequency option (preview) -When single sign-on is enabled, selecting the **Conditional access** > **Session** > **Sign-in frequency** > **Every time** option provides a faster reauthentication period of 5-10 minutes depending on the client used. For more information, see [Set conditional access policies](set-conditional-access-policies.md). +When single sign-on is enabled, selecting the **Conditional Access** > **Session** > **Sign-in frequency** > **Every time** option provides a faster reauthentication period of 5-10 minutes depending on the client used. For more information, see [Set Conditional Access policies](set-conditional-access-policies.md). ### Windows 365 Boot diff --git a/windows-365/link/TOC.yml b/windows-365/link/TOC.yml index ccb20625f66..aeb0761f302 100644 --- a/windows-365/link/TOC.yml +++ b/windows-365/link/TOC.yml 
@@ -33,7 +33,7 @@ items: href: create-intune-filter.md - name: Configure enrollment restrictions href: enrollment-restrictions.md - - name: Synchronize conditional access policies + - name: Synchronize Conditional Access policies href: conditional-access-policies-synchronize.md - name: Suppress single sign-on prompt href: single-sign-on-suppress.md diff --git a/windows-365/link/deployment-overview.md b/windows-365/link/deployment-overview.md index 5bafdfd1d1b..46eec04781f 100644 --- a/windows-365/link/deployment-overview.md +++ b/windows-365/link/deployment-overview.md @@ -40,7 +40,7 @@ To set up your organization's environment to deploy and manage Windows 365 Link 3. [Configure Microsoft Entra Mobility settings to automatically enroll Windows 365 Link devices in Intune](intune-automatic-enrollment.md). 4. [Create an Intune filter for Windows 365 Link devices](create-intune-filter.md) (optional). 5. [Configure enrollment restrictions to let Windows 365 Link devices enroll](enrollment-restrictions.md). -6. [Validate conditional access policies](conditional-access-policies-synchronize.md). +6. [Validate Conditional Access policies](conditional-access-policies-synchronize.md). 7. [Suppress single sign-on consent prompt](single-sign-on-suppress.md) (recommended). After setting up deployment for your Windows 365 Link devices, you can start [onboarding](onboarding.md) them. From 51de58eec1c025b5d5056f95167f9ae3efecc7c4 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Thu, 12 Dec 2024 08:57:27 -0800 Subject: [PATCH 073/237] updating the title --- .../intune/configuration/administrative-templates-windows.md | 2 +- .../intune/configuration/wi-fi-settings-android-enterprise.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/configuration/administrative-templates-windows.md b/memdocs/intune/configuration/administrative-templates-windows.md index 5dfe87fcf18..aae70458f92 100644 
--- a/memdocs/intune/configuration/administrative-templates-windows.md +++ b/memdocs/intune/configuration/administrative-templates-windows.md @@ -7,7 +7,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 11/04/2024 +ms.date: 12/11/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: configuration diff --git a/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md b/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md index a094b11fd77..157ccae05d1 100644 --- a/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md +++ b/memdocs/intune/configuration/wi-fi-settings-android-enterprise.md @@ -28,7 +28,7 @@ ms.collection: - M365-identity-device-management --- -# Add Wi-Fi settings for Android Enterprise dedicated and fully managed devices in Microsoft Intune +# Add Wi-Fi settings for Android Enterprise devices in Microsoft Intune You can create a profile with specific Wi-Fi settings, and then deploy this profile to your Android Enterprise fully managed and dedicated devices. Microsoft Intune offers many features, including authenticating to your network, using a pre-shared key, and more. From edbfeaf0fe3abc1e89181bb634d771caa5b61b53 Mon Sep 17 00:00:00 2001 From: Abby Starr Date: Thu, 12 Dec 2024 12:28:40 -0500 Subject: [PATCH 074/237] Update data-platform-schema.md changed the name of single device query based on customer feedback on the docs --- memdocs/analytics/data-platform-schema.md | 49 ++++++++++++----------- 1 file changed, 26 insertions(+), 23 deletions(-) diff --git a/memdocs/analytics/data-platform-schema.md b/memdocs/analytics/data-platform-schema.md index c3a619b2159..08a6e257998 100644 --- a/memdocs/analytics/data-platform-schema.md +++ b/memdocs/analytics/data-platform-schema.md 
@@ -43,7 +43,7 @@ Each table (entity) in this page lists the types of queries that are supported. **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand, Inventory. +**Supported for**: single device query on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -58,7 +58,7 @@ Each table (entity) in this page lists the types of queries that are supported. **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand. +**Supported for**: single device query on-demand. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -83,9 +83,12 @@ Each table (entity) in this page lists the types of queries that are supported. **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand, Inventory. +**Supported for**: single device query on-demand, Inventory. -| **Property** | **Type** | **Description** | +| **Property** | **Type** | **Descripti![image](https://github.com/user-attachments/assets/e2a2397f-382c-4c6b-b32b-4f556a8af687) +![image](https://github.com/user-attachments/assets/638ce28b-c318-4881-96c6-675d147f84c7) +![image](https://github.com/user-attachments/assets/392d055a-e500-4cc3-bd03-53b720e4ea2f) +on** | | --- | --- | --- | | ProcessorId | string (max length 256 characters) | The DeviceID of the CPU. | | Model | string (max length 256 characters) | The model of the CPU. | @@ -107,7 +110,7 @@ Each table (entity) in this page lists the types of queries that are supported. **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand, Inventory. +**Supported for**: single device query on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | 
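Review bot: The `@@ -83,7 +83,12 @@` hunk of data-platform-schema.md breaks the header row of the table that lists ProcessorId and Model: three `![image]` attachment links were inserted in the middle of the word "Description", so the row is now split across four lines (`**Descripti![image]` ... `on** |`) and the table will not render. Restore `| **Property** | **Type** | **Description** |` and drop the three image lines, which are unrelated to the rename described in the commit message. Separately, every hunk in this file now starts the value after `**Supported for**:` in lowercase ("single device query on-demand") where the old text began with a capitalized "Device query"; pick one casing for the feature name and use it throughout.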
@@ -129,7 +132,7 @@ Each table (entity) in this page lists the types of queries that are supported. **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand, Inventory. +**Supported for**: single device query on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -147,7 +150,7 @@ Each table (entity) in this page lists the types of queries that are supported. **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand. +**Supported for**: single device query on-demand. > [!NOTE] > This is a parameterized entity where you must pass in the path of the File you want to query. For example, pass in `FileInfo('c:\windows\system32\drivers\etc\hosts') | take 10`. If a directory is passed, it will return info on the files in the directory and sub-directories. @@ -174,7 +177,7 @@ Each table (entity) in this page lists the types of queries that are supported. **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand. +**Supported for**: single device query on-demand. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -188,7 +191,7 @@ Each table (entity) in this page lists the types of queries that are supported. **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand. +**Supported for**: single device query on-demand. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -204,7 +207,7 @@ Each table (entity) in this page lists the types of queries that are supported. **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand, Inventory. +**Supported for**: single device query on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | 
@@ -221,8 +224,8 @@ Each table (entity) in this page lists the types of queries that are supported. **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand, Inventory. -Note that PhysicalMemoryFreeBytes and VirtualMemoryFreeBytes properties are only supported for Device query, single device on-demand. +**Supported for**: single device query on-demand, Inventory. +Note that PhysicalMemoryFreeBytes and VirtualMemoryFreeBytes properties are only supported for single device query on-demand. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -237,7 +240,7 @@ Note that PhysicalMemoryFreeBytes and VirtualMemoryFreeBytes properties are only **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand, Inventory. +**Supported for**: single device query on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -256,7 +259,7 @@ Note that PhysicalMemoryFreeBytes and VirtualMemoryFreeBytes properties are only **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand. +**Supported for**: single device query on-demand. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -287,7 +290,7 @@ Note that PhysicalMemoryFreeBytes and VirtualMemoryFreeBytes properties are only **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand, Inventory. +**Supported for**: single device query on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -311,7 +314,7 @@ Note that PhysicalMemoryFreeBytes and VirtualMemoryFreeBytes properties are only **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand. +**Supported for**: single device query on-demand. | **Property** | **Type** | **Description** | | --- | --- | --- | 
@@ -329,7 +332,7 @@ Note that PhysicalMemoryFreeBytes and VirtualMemoryFreeBytes properties are only **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand, Inventory. +**Supported for**: single device query on-demand, Inventory. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -349,7 +352,7 @@ Note that PhysicalMemoryFreeBytes and VirtualMemoryFreeBytes properties are only **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand. +**Supported for**: single device query on-demand. | ReportId(Key) | string (max 256 characters) | Report ID of the App crash | | --- | --- | --- | @@ -365,7 +368,7 @@ Note that PhysicalMemoryFreeBytes and VirtualMemoryFreeBytes properties are only **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand. +**Supported for**: single device query on-demand. | **Property** | **Type** | **Description** | | --- | --- | --- | @@ -386,7 +389,7 @@ Note that PhysicalMemoryFreeBytes and VirtualMemoryFreeBytes properties are only **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand. +**Supported for**: single device query on-demand. > [!NOTE] > When constructing the query, you must specify the log name and look back time, for example: `WindowsEvent(Application, 1d) | take 1`. @@ -408,7 +411,7 @@ possible value:CRITICAL\_ERROR,ERROR,WARNING,INFORMATION,VERBOSE | **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand, Inventory. +**Supported for**: single device query on-demand, Inventory. | Property | Type | Description | | --- | --- | --- | 
@@ -426,7 +429,7 @@ possible value:CRITICAL\_ERROR,ERROR,WARNING,INFORMATION,VERBOSE | **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand. +**Supported for**: single device query on-demand. > [!NOTE] > You must pass in the registry key you are trying to query. For example, `WindowsRegistry('HKEY_LOCAL_MACHINE\\ServiceLastKnownStatus')`. @@ -444,7 +447,7 @@ possible value:CRITICAL\_ERROR,ERROR,WARNING,INFORMATION,VERBOSE | **Supported platforms**: Windows -**Supported for**: Device query, single device on-demand. +**Supported for**: single device query on-demand. | **Property** | **Type** | **Description** | | --- | --- | --- | From 4d48098ea8e7a93f6cf43d18313da1d0f4cb6251 Mon Sep 17 00:00:00 2001 From: Abby Starr Date: Thu, 12 Dec 2024 12:31:08 -0500 Subject: [PATCH 075/237] Update properties-catalog.md adding an additional known issue --- memdocs/intune/configuration/properties-catalog.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/configuration/properties-catalog.md b/memdocs/intune/configuration/properties-catalog.md index 70b0c358afa..7fbc741c51c 100644 --- a/memdocs/intune/configuration/properties-catalog.md +++ b/memdocs/intune/configuration/properties-catalog.md @@ -132,6 +132,8 @@ Collection of properties can only be stopped (deleted) at the category level. To stop collecting properties, navigate to the **Properties catalog** profile, and remove collection for every property in a particular category. +If a properties policy is deleted, you will be able to see the last-collected data in Resource Explorer for up to 28 days. + ## Supported Properties Inventory supports the following entities. To learn more about what properties are supported for each entity, see [Intune Data Platform Schema](../../analytics/data-platform-schema.md). 
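Review bot: The sentence added in the `@@ -132,6 +134,8 @@` hunk of properties-catalog.md states a retention fact ("last-collected data in Resource Explorer for up to 28 days") only for the case where a properties policy is deleted, while the paragraph directly above it describes stopping collection by removing properties per category. Say whether the same 28-day window applies when collection is removed for a category, since admins will read this to judge how long inventory data stays visible after they turn collection off. Suggest the present tense ("you can see") to match the surrounding text, and confirm the placement: the subject line calls this a known issue, but the hunk puts it under the stop-collection guidance.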
@@ -163,4 +165,4 @@ You'll see a **Resource Explorer** tab for Intune collected data and a **Resourc ### How can I troubleshoot this feature? -Client logs are available at `C:\Program Files\Microsoft Device Inventory Agent\Logs` and logs can also be collected via Collect MDM Diagnostics. \ No newline at end of file +Client logs are available at `C:\Program Files\Microsoft Device Inventory Agent\Logs` and logs can also be collected via Collect MDM Diagnostics. From e1735454952fa9d056d270ef1f6862bc254f8f0f Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Thu, 12 Dec 2024 10:15:51 -0800 Subject: [PATCH 076/237] 2501 id items --- windows-365/enterprise/in-development.md | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/windows-365/enterprise/in-development.md b/windows-365/enterprise/in-development.md index 420d86d9dae..29e6aa59d02 100644 --- a/windows-365/enterprise/in-development.md +++ b/windows-365/enterprise/in-development.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 10/02/2024 +ms.date: 12/12/2024 ms.topic: conceptual ms.service: windows-365 
@@ -78,7 +78,15 @@ End users will be able to manually run connectivity checks on their Cloud PCs fr The remoting connection report will be retired on December 31st, 2024. After this date, refer to the [Cloud PC connection quality report](report-cloud-pc-connection-quality.md). - +## Provisioning + +### Windows 365 support for Spain Central region + +Windows 365 Enterprise will support the Spain Central region. For more information, see [Supported Azure regions for Cloud PC provisioning](requirements.md?tabs=enterprise%2Cent#supported-azure-regions-for-cloud-pc-provisioning). + +### Windows 365 support for Mexico Central region + +Windows 365 Enterprise will support the Mexico Central region. For more information, see [Supported Azure regions for Cloud PC provisioning](requirements.md?tabs=enterprise%2Cent#supported-azure-regions-for-cloud-pc-provisioning). @@ -87,7 +95,11 @@ The remoting connection report will be retired on December 31st, 2024. After thi ## Windows 365 app--> - +## Windows 365 Frontline + +### Concurrency buffer usage alert + +You’ll be able to set up a new alert to monitor concurrency buffer usage for Windows 365 Frontline. ## Next steps From 6a58a42f1003001d39d0bc0793c0c06b45eacad4 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Thu, 12 Dec 2024 13:40:47 -0500 Subject: [PATCH 077/237] Dec 31 blurb DA deprecation For 24563742 --- memdocs/intune/fundamentals/whats-new.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index 7490981d7f9..3cb36760a4e 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 12/09/2024 +ms.date: 12/31/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals 
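Review bot: `ms.date` in whats-new.md is changed to `12/31/2024`, but this commit is dated 12 Dec 2024, so the page would carry a future date if it publishes before then. The commit subject ("Dec 31 blurb DA deprecation") suggests the content is meant for that date; either hold the change until then or set `ms.date` to the actual edit date and word the new entry as an upcoming change rather than a completed one.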
@@ -75,6 +75,13 @@ You can use RSS to be notified when this page is updated. For more information, ### Tenant administration --> +## Week of December 30, 2024 + +### Device enrollment + +#### Intune ends support for Android device administrator on devices with access to Google Mobile Services +As of December 31, 2024, Microsoft Intune no longer supports Android device administrator management on devices with access to Google Mobile Services (GMS). This change comes after Google deprecated Android device administrator management and ceased support. Intune support and help documentation remains for devices without access to GMS running Android 15 or earlier, as well as Microsoft Teams devices migrating to Android Open Source Project (AOSP) management. For more information about how this change impacts your tenant, see [Intune ending support for Android device administrator on devices with GMS access in December 2024](https://techcommunity.microsoft.com/blog/intunecustomersuccess/intune-ending-support-for-android-device-administrator-on-devices-with-gms-in-de/3915443). + ## Week of December 9, 2024 ### Tenant administration From bc61a7585780ae823df7ff87e63f3079c7cf5d55 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Thu, 12 Dec 2024 13:44:25 -0500 Subject: [PATCH 078/237] Update whats-new.md Acrolinx --- memdocs/intune/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index 3cb36760a4e..8b524d4af38 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md 
@@ -80,7 +80,7 @@ You can use RSS to be notified when this page is updated. For more information, ### Device enrollment #### Intune ends support for Android device administrator on devices with access to Google Mobile Services -As of December 31, 2024, Microsoft Intune no longer supports Android device administrator management on devices with access to Google Mobile Services (GMS). This change comes after Google deprecated Android device administrator management and ceased support. Intune support and help documentation remains for devices without access to GMS running Android 15 or earlier, as well as Microsoft Teams devices migrating to Android Open Source Project (AOSP) management. For more information about how this change impacts your tenant, see [Intune ending support for Android device administrator on devices with GMS access in December 2024](https://techcommunity.microsoft.com/blog/intunecustomersuccess/intune-ending-support-for-android-device-administrator-on-devices-with-gms-in-de/3915443). +As of December 31, 2024, Microsoft Intune no longer supports Android device administrator management on devices with access to Google Mobile Services (GMS). This change comes after Google deprecated Android device administrator management and ceased support. Intune support and help documentation remains for devices without access to GMS running Android 15 or earlier, and Microsoft Teams devices migrating to Android Open Source Project (AOSP) management. For more information about how this change impacts your tenant, see [Intune ending support for Android device administrator on devices with GMS access in December 2024](https://techcommunity.microsoft.com/blog/intunecustomersuccess/intune-ending-support-for-android-device-administrator-on-devices-with-gms-in-de/3915443). ## Week of December 9, 2024 From 17b697eed27d6284b21f971f36f96db429448a68 Mon Sep 17 00:00:00 2001 
From: ErikjeMS Date: Thu, 12 Dec 2024 11:04:55 -0800 Subject: [PATCH 079/237] change --- windows-365/enterprise/in-development.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows-365/enterprise/in-development.md b/windows-365/enterprise/in-development.md index 29e6aa59d02..1061950502f 100644 --- a/windows-365/enterprise/in-development.md +++ b/windows-365/enterprise/in-development.md @@ -99,7 +99,7 @@ Windows 365 Enterprise will support the Mexico Central region. For more informat ### Concurrency buffer usage alert -You’ll be able to set up a new alert to monitor concurrency buffer usage for Windows 365 Frontline. +You’ll be able to set up a new alert to monitor concurrency buffer usage for Windows 365 Frontline in dedicated mode. ## Next steps From 5ebd59052bbb57915e162d176f1f886ffe686258 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Thu, 12 Dec 2024 14:06:40 -0500 Subject: [PATCH 080/237] Update enrollment-restrictions-set.md Formatted bold type --- .../intune/enrollment/enrollment-restrictions-set.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/memdocs/intune/enrollment/enrollment-restrictions-set.md b/memdocs/intune/enrollment/enrollment-restrictions-set.md index ee861dfc138..34734c1625d 100644 --- a/memdocs/intune/enrollment/enrollment-restrictions-set.md +++ b/memdocs/intune/enrollment/enrollment-restrictions-set.md @@ -8,7 +8,7 @@ keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 04/02/2024 +ms.date: 12/12/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment 
@@ -79,7 +79,7 @@ Block devices running on a specific device platform. You can apply this restrict In groups where both Android platforms are allowed, devices that support work profile will enroll with a work profile. Devices that don't support work profile will enroll on the Android device administrator platform. Neither work profile nor device administrator enrollment will work until you complete all prerequisites for Android enrollment. -This restriction is in the admin center under **Devices > Device onboarding > Enrollment > Device platform restriction**. +This restriction is in the admin center under **Devices** > **Device onboarding** > **Enrollment** > **Device platform restriction**. ### OS version This restriction enforces your maximum and minimum OS version requirements. This type of restriction works with the following operating systems: @@ -91,10 +91,10 @@ This restriction enforces your maximum and minimum OS version requirements. This \* Version restrictions are supported on these operating systems for devices enrolled via Intune Company Portal only. -This restriction is in the admin center under **Devices > Device onboarding > Enrollment > Device platform restriction**. +This restriction is in the admin center under **Devices** > **Device onboarding** > **Enrollment** > **Device platform restriction**. ### Device manufacturer -This restriction blocks devices made by specific manufacturers, and is applicable to Android devices only. It is in the admin center under **Devices > Device onboarding > Enrollment > Device platform restriction**. +This restriction blocks devices made by specific manufacturers, and is applicable to Android devices only. It is in the admin center under **Devices** > **Device onboarding** > **Enrollment** > **Device platform restriction**. ### Personally owned devices This restriction helps prevent device users from accidentally enrolling their personal devices, and applies to devices running: 
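Review bot: In the "Device manufacturer" paragraph of this hunk (PATCH 080, enrollment-restrictions-set.md), the navigation path is still tacked onto the description as "It is in the admin center under ...". The Device platform, OS version and Personally owned devices sections each give it as a standalone sentence beginning "This restriction is in the admin center under". Since this commit is a formatting pass over exactly these four sentences, make the fourth one match by splitting it into its own sentence with the same wording.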
@@ -104,7 +104,7 @@ This restriction helps prevent device users from accidentally enrolling their pe * macOS * Windows 10/11 -This restriction is in the admin center under **Devices > Device onboarding > Enrollment > Device platform restriction**. +This restriction is in the admin center under **Devices** > **Device onboarding** > **Enrollment** > **Device platform restriction**. #### Blocking personal Android devices By default, until you manually make changes in the admin center, your Android Enterprise work profile device settings and Android device administrator device settings are the same. From 39e2ef764ad33d3cc93f37313ff63812b7d69c1f Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Thu, 12 Dec 2024 11:53:19 -0800 Subject: [PATCH 081/237] erikre-docs-30497169 --- .../apps/app-configuration-managed-home-screen-app.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md index 9339cde7335..b44958dc1dd 100644 --- a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md +++ b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 08/12/2024 +ms.date: 12/12/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps 
@@ -206,11 +206,12 @@ Enter JSON data to configure all available settings for Managed Home Screen, and In addition to the list of configurable settings listed in the **Configuration Designer** table (above), the following table provides the configuration keys you can only configure via JSON data. -| Configuration Key | Value Type | Default Value | Description | +| Configuration Key | Value Type | Details | Description | |-|-|-|-| -| Set allow-listed applications | bundleArray | JSON - Example 1 | Allows you to define the set of apps visible on the home screen from all the apps installed on the device. You can define the apps by entering the app package name of the apps that you want to make visible. For example, `com.android.settings` would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen. | -| Set pinned web links | bundleArray | JSON - Example 2 | Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve [Managed Google Play web links](./apps-add-android-for-work.md#managed-google-play-web-links) to your devices. When you do, they're treated like allow-listed applications. | -| Create Managed Folder for grouping apps | bundleArray | JSON - Example 3 | Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders will appear in the order created, and apps within the folders will appear alphabetically. Note: all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen. 
| +| Set allow-listed applications | bundleArray | See example in [Enter JSON Data](#enter-json-data). | Allows you to define the set of apps visible on the home screen from all the apps installed on the device. You can define the apps by entering the app package name of the apps that you want to make visible. For example, `com.android.settings` would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen. | +| Set pinned web links | bundleArray | See example in [Enter JSON Data](#enter-json-data). | Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve [Managed Google Play web links](./apps-add-android-for-work.md#managed-google-play-web-links) to your devices. When you do, they're treated like allow-listed applications. | +| Create Managed Folder for grouping apps | bundleArray | See example in [Enter JSON Data](#enter-json-data). | Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders will appear in the order created, and apps within the folders will appear alphabetically. **NOTE:** all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen. | +| Widget | bundleArray | See example in [Enter JSON Data](#enter-json-data). | Allows you to add widgets to the home screen. You can define the widget to be exposed by entering the app package name and widget class name. For example, to expose the "Time" widget, define the package name as "com.microsoft.launcher.enterprise" and widget class as "Time". 
| The following syntax is an example JSON script with all the available configuration keys included: From d1fe0040d647c26bcfea95a9ff56463978509885 Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Thu, 12 Dec 2024 12:07:06 -0800 Subject: [PATCH 082/237] erikre-docs-30497169 1.2 --- .../apps/app-configuration-managed-home-screen-app.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md index b44958dc1dd..139903a84c6 100644 --- a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md +++ b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md 
@@ -208,10 +208,12 @@ In addition to the list of configurable settings listed in the **Configuration D | Configuration Key | Value Type | Details | Description | |-|-|-|-| -| Set allow-listed applications | bundleArray | See example in [Enter JSON Data](#enter-json-data). | Allows you to define the set of apps visible on the home screen from all the apps installed on the device. You can define the apps by entering the app package name of the apps that you want to make visible. For example, `com.android.settings` would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen. | -| Set pinned web links | bundleArray | See example in [Enter JSON Data](#enter-json-data). | Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve [Managed Google Play web links](./apps-add-android-for-work.md#managed-google-play-web-links) to your devices. When you do, they're treated like allow-listed applications. | -| Create Managed Folder for grouping apps | bundleArray | See example in [Enter JSON Data](#enter-json-data). | Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders will appear in the order created, and apps within the folders will appear alphabetically. **NOTE:** all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen. | -| Widget | bundleArray | See example in [Enter JSON Data](#enter-json-data). | Allows you to add widgets to the home screen. You can define the widget to be exposed by entering the app package name and widget class name. 
For example, to expose the "Time" widget, define the package name as "com.microsoft.launcher.enterprise" and widget class as "Time". | +| Set allow-listed applications | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to define the set of apps visible on the home screen from all the apps installed on the device. You can define the apps by entering the app package name of the apps that you want to make visible. For example, `com.android.settings` would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen. | +| Set pinned web links | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve [Managed Google Play web links](./apps-add-android-for-work.md#managed-google-play-web-links) to your devices. When you do, they're treated like allow-listed applications. | +| Create Managed Folder for grouping apps | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders will appear in the order created, and apps within the folders will appear alphabetically. **NOTE:** all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen. | +| Widget | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to add widgets to the home screen. You can define the widget to be exposed by entering the app package name and widget class name. 
For example, to expose the "Time" widget, define the package name as "com.microsoft.launcher.enterprise" and widget class as "Time". | + +### JSON Data Examples The following syntax is an example JSON script with all the available configuration keys included: From a8fe666dfc0c52abccf014c0200876dcd7881f30 Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Thu, 12 Dec 2024 12:13:21 -0800 Subject: [PATCH 083/237] erikre-docs-30497169 1.3 --- .../intune/apps/app-configuration-managed-home-screen-app.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md index 139903a84c6..6c1883d3503 100644 --- a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md +++ b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md 
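Review bot: In the table rows this hunk re-adds (PATCH 082, app-configuration-managed-home-screen-app.md), the pinned web links row labels its aside "Note:" while the Managed Folder row uses "**NOTE:**"; pick one form for both. The Widget row also gives the package name and class name in plain double quotes, while the allow-listed applications row shows its package name in code formatting. These four rows are rewritten in full by PATCH 081, 082, 083 and 087 in turn; squashing them into one commit would make the table change reviewable as a single diff.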
@@ -210,8 +210,8 @@ In addition to the list of configurable settings listed in the **Configuration D |-|-|-|-| | Set allow-listed applications | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to define the set of apps visible on the home screen from all the apps installed on the device. You can define the apps by entering the app package name of the apps that you want to make visible. For example, `com.android.settings` would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen. | | Set pinned web links | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve [Managed Google Play web links](./apps-add-android-for-work.md#managed-google-play-web-links) to your devices. When you do, they're treated like allow-listed applications. | -| Create Managed Folder for grouping apps | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders will appear in the order created, and apps within the folders will appear alphabetically. **NOTE:** all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen. | -| Widget | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to add widgets to the home screen. You can define the widget to be exposed by entering the app package name and widget class name. 
For example, to expose the "Time" widget, define the package name as "com.microsoft.launcher.enterprise" and widget class as "Time". | +| Create Managed Folder for grouping apps | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders will appear in the order created, and apps within the folders will appear alphabetically.

**NOTE:** all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen. | +| Widget | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to add widgets to the home screen. You can define the widget to be exposed by entering the app package name and widget class name. For example, to expose the **Time** widget, define the package name as `com.microsoft.launcher.enterprise` and widget class as **Time**. | ### JSON Data Examples From c90c8ac1623435f88e7137325ddc40938e9724e4 Mon Sep 17 00:00:00 2001 From: Jacob Scott <49541449+mrjacobascott@users.noreply.github.com> Date: Thu, 12 Dec 2024 14:19:16 -0600 Subject: [PATCH 084/237] Update intune-us-government-endpoints.md Adding *. to important note to align with the similar change made to the commercial endpoints doc https://learn.microsoft.com/en-us/mem/intune/fundamentals/intune-endpoints?tabs=north-america --- memdocs/intune/fundamentals/intune-us-government-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/intune-us-government-endpoints.md b/memdocs/intune/fundamentals/intune-us-government-endpoints.md index a98b4d7793d..8f88a56b12f 100644 --- a/memdocs/intune/fundamentals/intune-us-government-endpoints.md +++ b/memdocs/intune/fundamentals/intune-us-government-endpoints.md 
@@ -44,7 +44,7 @@ You can modify proxy server settings on individual client computers. You can als Managed devices require configurations that let **All Users** access services through firewalls. > [!NOTE] -> The inspection of SSL traffic is not supported on 'manage.microsoft.us', or 'has.spserv.microsoft.com' endpoint. +> The inspection of SSL traffic is not supported on '*.manage.microsoft.us', or 'has.spserv.microsoft.com' endpoint. For more information about Windows 10 auto-enrollment and device registration for US government customers, see [Set up automatic enrollment for Windows](../enrollment/windows-enroll.md). From d72f954332a764187a27b285c8708d41d0a5f23b Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Thu, 12 Dec 2024 15:55:13 -0500 Subject: [PATCH 085/237] Update enrollment-restrictions-set.md Style --- memdocs/intune/enrollment/enrollment-restrictions-set.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/enrollment-restrictions-set.md b/memdocs/intune/enrollment/enrollment-restrictions-set.md index 040173e38de..b9b24e89dff 100644 --- a/memdocs/intune/enrollment/enrollment-restrictions-set.md +++ b/memdocs/intune/enrollment/enrollment-restrictions-set.md 
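Review bot: In the [!NOTE] line of this hunk (PATCH 084, intune-us-government-endpoints.md), the hostnames are wrapped in single quotes, so the new "*." is a bare asterisk in Markdown prose. Put both hostnames in code formatting so the wildcard cannot be read as emphasis and is copied exactly into proxy and TLS-inspection bypass rules. The change also moves the no-inspection exemption from the host 'manage.microsoft.us' to its subdomains, which is a wider bypass for anyone maintaining firewall rules from this page, so the note should say that all subdomains are covered. Grammar on the same line: with two items, drop the comma before "or" and use "endpoints".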
@@ -81,7 +81,7 @@ In groups where both Android platforms are allowed, devices that support work pr This restriction is in the admin center under **Enrollment device platform restrictions**. > [!NOTE] -> Device platform enrollment restrictions use assignment filters. The update from Microsoft Entra to Intune to process user, group and filter assignments typically happens within 15 minutes. It's not instant. This time can affect enrollment assignments. Admins should enroll devices after several minutes, not immediately after adding the enrolling users to a group. +> Device platform enrollment restrictions use assignment filters. The update between Microsoft Entra and Intune that processes user, group, and filter assignments typically happens within 15 minutes. It's not instant. This amount of time can affect enrollment assignments. You should wait and enroll devices several minutes after adding the enrolling users to a group, not immediately after. ### OS version This restriction enforces your maximum and minimum OS version requirements. This type of restriction works with the following operating systems: From 5476f9a526e9b9c650a26ebb32df55dae5faae3e Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Thu, 12 Dec 2024 16:02:01 -0500 Subject: [PATCH 086/237] Update create-device-platform-restrictions.md Style edits --- .../intune/enrollment/create-device-platform-restrictions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/create-device-platform-restrictions.md b/memdocs/intune/enrollment/create-device-platform-restrictions.md index 65fdc406d16..8c7f70a2fca 100644 --- a/memdocs/intune/enrollment/create-device-platform-restrictions.md +++ b/memdocs/intune/enrollment/create-device-platform-restrictions.md 
@@ -133,7 +133,7 @@ For example, you can use a filter to allow personal Windows devices to enroll wh For more information about creating filters, see [Create a filter](../fundamentals/filters.md). > [!NOTE] -> Processing assignment filters takes added time at enrollment. The update from Microsoft Entra to Intune to process user, group and filter assignments typically happens within 15 minutes. It's not instant. This time can affect enrollment assignments. Admins should enroll devices after several minutes, not immediately after adding the enrolling users to a group. +> It takes extra time to process assignment filters during enrollment. The update between Microsoft Entra and Intune that processes user, group, and filter assignments typically happens within 15 minutes. It's not instant. This amount of time can affect enrollment assignments. You should wait and enroll devices several minutes after adding the enrolling users to a group, not immediately after. ### Supported filter properties From 5d31bc07f6e93f5bcb2333f7aa0fff8426b1e951 Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Thu, 12 Dec 2024 13:09:43 -0800 Subject: [PATCH 087/237] erikre-docs-30497169 1.4 --- .../intune/apps/app-configuration-managed-home-screen-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md index 6c1883d3503..2020c4cd077 100644 --- a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md +++ b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md 
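Review bot: The rewritten [!NOTE] in this hunk (PATCH 086, create-device-platform-restrictions.md) is, from "The update between Microsoft Entra and Intune" onward, word for word the note that PATCH 085 puts in enrollment-restrictions-set.md. Two hand-maintained copies will drift; consider moving the shared sentences into one include file and referencing it from both articles, the way PATCH 090 in this series does with [!INCLUDE ...]. The closing sentence also ends on a dangling "not immediately after"; "Wait several minutes after adding the enrolling users to a group before you enroll devices" says the same thing more directly.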
@@ -211,7 +211,7 @@ In addition to the list of configurable settings listed in the **Configuration D | Set allow-listed applications | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to define the set of apps visible on the home screen from all the apps installed on the device. You can define the apps by entering the app package name of the apps that you want to make visible. For example, `com.android.settings` would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen. | | Set pinned web links | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve [Managed Google Play web links](./apps-add-android-for-work.md#managed-google-play-web-links) to your devices. When you do, they're treated like allow-listed applications. | | Create Managed Folder for grouping apps | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders will appear in the order created, and apps within the folders will appear alphabetically.

**NOTE:** all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen. | -| Widget | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to add widgets to the home screen. You can define the widget to be exposed by entering the app package name and widget class name. For example, to expose the **Time** widget, define the package name as `com.microsoft.launcher.enterprise` and widget class as **Time**. | +| Widget | bundleArray | See [JSON Data Examples](#json-data-examples). | Allows you to add widgets to the home screen. Managed Home Screen provides and maintains a **Time** and **Weather** widget. You can also add a custom LOB widget or a third-party widget using JSON data. You can define the widget to be exposed by entering the app package name and widget class name. For example, to expose the **Time** widget, define the package name as `com.microsoft.launcher.enterprise` and widget class as **Time**. | ### JSON Data Examples From 19936e8362cffd3012cfe75da5bd0366b245acc6 Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 12 Dec 2024 13:25:58 -0800 Subject: [PATCH 088/237] holder --- memdocs/intune/fundamentals/whats-new.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index 7490981d7f9..105959e0182 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 12/09/2024 +ms.date: 12/12/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals @@ -75,6 +75,9 @@ You can use RSS to be notified when this page is updated. For more information, ### Tenant administration --> + + + ## Week of December 9, 2024 ### Tenant administration From e08458a59b1d64095926fdcf3a40f8f8c5cf2e55 Mon Sep 17 00:00:00 2001 
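Review bot: In the Widget row added by PATCH 087 (app-configuration-managed-home-screen-app.md), the widget class value is shown in bold (**Time**) while the package name next to it is in code formatting. Both are literal values the admin types into the JSON data, so the class value should be code formatted too, with bold kept for the widget's display name. The row also says Managed Home Screen provides a Time and a Weather widget but gives the class value only for Time; add the Weather value or say where to find it.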
From: brenduns Date: Thu, 12 Dec 2024 13:30:10 -0800 Subject: [PATCH 089/237] fixing link --- memdocs/intune/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index f5165cbe641..87df1af39c9 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md @@ -82,7 +82,7 @@ You can use RSS to be notified when this page is updated. For more information, ### Support for tamper protection in policies for Security settings management for Microsoft Defender for Endpoint -You can now manage the Microsoft Defender for Endpoint CSP setting for [tamper protection](/windows/client-management/mdm/defender-csp) on unenrolled devices you mange as part of the [Defender for Endpoint security settings management](../protect/mde-security-integration#which-solution-should-i-use) scenario. +You can now manage the Microsoft Defender for Endpoint CSP setting for [tamper protection](/windows/client-management/mdm/defender-csp) on unenrolled devices you mange as part of the [Defender for Endpoint security settings management](../protect/mde-security-integration.md#which-solution-should-i-use) scenario. With this support, tamper protection configurations from *Windows Security Experience* profiles for *Antivirus* policies now apply to all devices instead of only to those that are enrolled with Intune. From 1965ce73052aa780db8298f4404f91848832ef2f Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Thu, 12 Dec 2024 14:11:53 -0800 Subject: [PATCH 090/237] erikre-docs-30467181 --- .../apps/app-configuration-managed-home-screen-app.md | 4 +++- memdocs/intune/apps/manage-without-gms.md | 6 ++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md index 2020c4cd077..db49c80a223 100644 
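Review bot: The replacement line in the PATCH 089 hunk (whats-new.md) still reads "on unenrolled devices you mange as part of". Since the line is being rewritten for the link fix anyway, correct "mange" to "manage" in the same change.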
--- a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md +++ b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md @@ -37,7 +37,9 @@ The Managed Home Screen is the application used for corporate-owned Android Ente ## When to configure the Microsoft Managed Home Screen app -First, ensure that your devices are supported. Intune supports the enrollment of Android Enterprise dedicated devices and fully managed devices running OS version 8.0 and above that reliably connect to Google Mobile Services. Similarly, Managed Home Screen supports Android devices running OS version 8.0 and above. + [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)] + +First, ensure that your devices are supported. Intune supports the enrollment of Android Enterprise dedicated devices and fully managed devices running OS version 8.0 and above. Similarly, Managed Home Screen supports Android devices running OS version 8.0 and above. Typically, if settings are available to you through device configuration profiles (**Devices** > **Manage devices** > **Configuration**), configure the settings there. Doing so will save you time, minimize errors, and will give you a better Intune-support experience. However, some of the Managed Home Screen settings are currently only available via the **App configuration policies** pane in the Intune admin center. Use this document to learn how to configure the different settings either using the configuration designer or a JSON script. Additionally, use this document to learn what Managed Home Screen settings are available using device configuration profiles. You may also see [Device settings](../configuration/device-restrictions-android-for-work.md#device-experience) for a full list of settings available in **Devices** > **Manage devices** > **Configuration** that impact the Managed Home Screen. 
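Review bot: The include line added in this hunk (app-configuration-managed-home-screen-app.md) is "+ [!INCLUDE ...", with a space before the bracket, whereas the same include added to manage-without-gms.md in this patch starts at column 0; drop the leading space so both render the same way. Separately, the rewritten "First, ensure that your devices are supported" sentence drops "that reliably connect to Google Mobile Services" from the stated enrollment requirement. If that is a deliberate support change rather than cleanup, the commit message should say so.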
diff --git a/memdocs/intune/apps/manage-without-gms.md b/memdocs/intune/apps/manage-without-gms.md index bfea7580abe..4b92cde69ef 100644 --- a/memdocs/intune/apps/manage-without-gms.md +++ b/memdocs/intune/apps/manage-without-gms.md @@ -37,10 +37,8 @@ Microsoft Intune uses Google Mobile Services (GMS) to communicate with the Micro > [!NOTE] > These GMS related limitations also apply to Device Administrator management and Android (AOSP) Management. -> [!NOTE] -> Microsoft Intune is ending support for [Android device administrator management](../enrollment/android-enroll-device-administrator.md) on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. -> For devices running Android 15 or earlier that don't have access GMS (excluding Microsoft Teams certified Android devices), Intune will continue allowing device administrator enrollment and will maintain limited support, since Android Enterprise management is unavailable to these devices. However, device administrator use on these devices is still not recommended, since Google's device administrator deprecation means there could be future functionality impact outside Intune's ability to mitigate. -> For more information, and to learn about alternatives to device administrator, see [Ending support for Android device administrator on GMS devices](https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-intune-ending-support-for-android-device-administrator/ba-p/3915443). +[!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)] + ## Install the Intune Company Portal app without access to the Google Play Store ### For users outside of People's Republic of China From f841a80d96588f4a70a5a4db1c89c68b1fe9c8ad Mon Sep 17 00:00:00 2001 
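Review bot: This hunk in manage-without-gms.md replaces a three-line [!NOTE] with an include of ../includes/android-device-administrator-support.md, but that include file is not among the two files this patch changes, so its wording cannot be checked here. Confirm it still carries what the removed note said: the December 31, 2024 end of support on GMS devices, the continued limited support for devices on Android 15 or earlier without GMS (excluding Microsoft Teams certified devices), and the link to the post about alternatives to device administrator.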
From: brenduns Date: Thu, 12 Dec 2024 15:01:51 -0800 Subject: [PATCH 091/237] What's new additions --- memdocs/intune/fundamentals/in-development.md | 16 ------- memdocs/intune/fundamentals/whats-new.md | 45 ++++++++++++++++++- 2 files changed, 44 insertions(+), 17 deletions(-) diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md index e8bbe9676c1..50bd8187bc5 100644 --- a/memdocs/intune/fundamentals/in-development.md +++ b/memdocs/intune/fundamentals/in-development.md
@@ -89,22 +89,6 @@ Applies to: ## Device configuration -### More Wi-Fi configurations will be available for personally-owned work profile devices - -Intune Wi-Fi configuration profiles for personally-owned work profile devices will soon support configuration of pre-shared keys and proxy settings. - -You will find these settings in the admin console in **Devices** > **Manage devices** > **Configuration** > **Create** > **New Policy**. Set **Platform** to Android Enterprise and **Profile Type** to Templates and then in the **Personally-Owned Work Profile** section, select Wi-Fi and select the **Create** button. - -In the **Configuration settings** tab, when Basic Wi-Fi type is selected, you will see several new options: - -1. Security type, with options for Open (no authentication), WEP-Pre-shared key, and WPA-Pre-shared key. -2. Proxy settings, with the option to select Automatic and then specify the proxy server URL. - -It was possible to configure these in the past with Custom Configuration policies, but going forward, we recommend setting these in the Wi-Fi Configuration profile, because [Intune is ending support for Custom policies in April 2024.](https://aka.ms/Intune/Android-customprofiles). - -For more information, see [Wi-Fi settings for personally-owned work profile devices.](../configuration/wi-fi-settings-android-enterprise.md#personally-owned-work-profile). - - ### Low privileged account for Intune Connector for Active Directory for Hybrid join Autopilot flows We're updating the Intune Connector for Active Directory to use a low privileged account to increase the security of your environment. The old connector will no longer be available for download but will continue to work until deprecation. diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index 105959e0182..4e9d9bd8866 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md 
@@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 12/12/2024 +ms.date: 12/18/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals 
@@ -76,7 +76,50 @@ You can use RSS to be notified when this page is updated. For more information, --> +## Week of December 16, 2024 (Service release 2412) +### Device configuration + +#### Ending support for administrative templates when creating a new configuration profile + +Customers cannot create new Administrative Templates configuration profile through **Devices > Configuration > Create > New policy > Windows 10 and later > Administrative Templates**. A (retired) tag is seen next to **Administrative Templates** and the **Create** button is now greyed out. Other templates will continue to be supported. + +However, customers can now use the Settings Catalog for creating new **Administrative Templates** configuration profile by navigating to **Devices > Configuration > Create > New policy > Windows 10 and later > Settings Catalog**. + +There are no changes in the following UI experiences: + +- Editing an existing Administrative template. +- Deleting an existing Administrative template. +- Adding, modifying or deleting settings in an existing Administrative template. +- **Imported Administrative templates (Preview)** template, which is used for Custom ADMX. + +For more information, see [Use ADMX templates on Windows 10/11 devices in Microsoft Intune](..\configuration\administrative-templates-windows.md). + +Applies to: + +- Windows + +### Device management + +#### More Wi-Fi configurations are now available for personally-owned work profile devices + +Intune Wi-Fi configuration profiles for Android Enterprise personally-owned work profile devices now support configuration of pre-shared keys and proxy settings. + +You can find these settings in the admin console in **Devices** > **Manage devices** > **Configuration** > **Create** > **New Policy**. Set **Platform** to Android Enterprise and then in the **Personally-Owned Work Profile** section, select Wi-Fi and select the **Create** button. 
+ +In the **Configuration settings** tab, when you select Basic Wi-Fi type, several new options are available: + +1. Security type, with options for Open (no authentication), WEP-Pre-shared key, and WPA-Pre-shared key. + +2. Proxy settings, with the option to select Automatic and then specify the proxy server URL. + +It was possible to configure these in the past with Custom Configuration policies, but going forward, we recommend setting these in the Wi-Fi Configuration profile, because [Intune is ending support for Custom policies in April 2024.](https://aka.ms/Intune/Android-customprofiles). + +For more information, see [Wi-Fi settings for personally-owned work profile devices.](../configuration/wi-fi-settings-android-enterprise.md#personally-owned-work-profile). + +Applies to: + +- Android Enterprise ## Week of December 9, 2024 From 11a976301f4230dd7f2137970b561a543f18624e Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Thu, 12 Dec 2024 15:45:20 -0800 Subject: [PATCH 092/237] Update properties-catalog.md --- memdocs/intune/configuration/properties-catalog.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/configuration/properties-catalog.md b/memdocs/intune/configuration/properties-catalog.md index 7fbc741c51c..1f4feccdda0 100644 --- a/memdocs/intune/configuration/properties-catalog.md +++ b/memdocs/intune/configuration/properties-catalog.md @@ -132,7 +132,7 @@ Collection of properties can only be stopped (deleted) at the category level. To stop collecting properties, navigate to the **Properties catalog** profile, and remove collection for every property in a particular category. -If a properties policy is deleted, you will be able to see the last-collected data in Resource Explorer for up to 28 days. +Even if a properties policy is deleted, you will still be able to see the last-collected data in Resource Explorer for up to 28 days. ## Supported Properties 
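Review bot: In the whats-new.md hunk of PATCH 091, the new ADMX link is written with backslashes, `(..\configuration\administrative-templates-windows.md)`, while the other relative link in the same hunk uses forward slashes (`../configuration/wi-fi-settings-android-enterprise.md`); change it to `../configuration/administrative-templates-windows.md` so both links follow the same form. The Wi-Fi entry was also carried over from in-development.md with the sentence "Intune is ending support for Custom policies in April 2024" unchanged, which reads as a future event under a December 2024 release heading, and the entry now sits under "Device management" although it was removed from the "Device configuration" section of in-development.md; please confirm the tense and the category. The first added paragraph also needs an article or a plural: "create new Administrative Templates configuration profile" should be "create a new ... profile" or "new ... profiles".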
From b97b3aeb584f78fc18316da956598420e7315728 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Thu, 12 Dec 2024 15:57:32 -0800 Subject: [PATCH 093/237] Update data-platform-schema.md --- memdocs/analytics/data-platform-schema.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/memdocs/analytics/data-platform-schema.md b/memdocs/analytics/data-platform-schema.md index 08a6e257998..d4c8540107b 100644 --- a/memdocs/analytics/data-platform-schema.md +++ b/memdocs/analytics/data-platform-schema.md @@ -85,10 +85,7 @@ Each table (entity) in this page lists the types of queries that are supported. **Supported for**: single device query on-demand, Inventory. -| **Property** | **Type** | **Descripti![image](https://github.com/user-attachments/assets/e2a2397f-382c-4c6b-b32b-4f556a8af687) -![image](https://github.com/user-attachments/assets/638ce28b-c318-4881-96c6-675d147f84c7) -![image](https://github.com/user-attachments/assets/392d055a-e500-4cc3-bd03-53b720e4ea2f) -on** | +| **Property** | **Type** | **Description** | | --- | --- | --- | | ProcessorId | string (max length 256 characters) | The DeviceID of the CPU. | | Model | string (max length 256 characters) | The model of the CPU. | From 88effaf0e37c463b3894ae5934dd80a8005025fb Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Thu, 12 Dec 2024 17:31:55 -0800 Subject: [PATCH 094/237] add ID item --- windows-365/enterprise/in-development.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows-365/enterprise/in-development.md b/windows-365/enterprise/in-development.md index 1061950502f..308776cce9e 100644 --- a/windows-365/enterprise/in-development.md +++ b/windows-365/enterprise/in-development.md 
@@ -101,6 +101,10 @@ Windows 365 Enterprise will support the Mexico Central region. For more informat You’ll be able to set up a new alert to monitor concurrency buffer usage for Windows 365 Frontline in dedicated mode. +### More precise Windows 365 Frontline concurrency control + +In a future update, you'll be able to allocate concurrent sessions for Windows 365 Frontline Cloud PCs in dedicated mode for each Microsoft Entra group assigned in the provisioning policy. This lets you reserve sessions to specific groups so sessions won't be consumed by other groups, and help you control your maximum concurrency limits. + ## Next steps For details about recent developments, see [What's new in Windows 365](whats-new.md). From fe7a90c80643f5dba39da9532c587af8f5f65e2f Mon Sep 17 00:00:00 2001 From: brenduns Date: Fri, 13 Dec 2024 06:56:13 -0800 Subject: [PATCH 095/237] Update supported macOS versions --- memdocs/intune/protect/mde-security-integration.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 00cf256a32d..04271a2ace8 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 10/30/2024 +ms.date: 12/13/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -117,6 +117,7 @@ To confirm the version of the Defender agent, in the Defender portal go to the d With [Microsoft Defender for Endpoint for macOS](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac#system-requirements) agent version **101.23052.0004** or later, security settings management supports the following macOS versions: +- macOS 15 (Sequoia) - macOS 14 (Sonoma) - macOS 13 (Ventura) - macOS 12 (Monterey) From 92a1b0ae3a271590fff76de46212d2d54a605f05 Mon Sep 17 00:00:00 2001 
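Review bot: In the windows-365/enterprise/in-development.md hunk of PATCH 094, the last added sentence has a verb agreement slip: "This lets you reserve sessions to specific groups so sessions won't be consumed by other groups, and help you control your maximum concurrency limits" should read "and helps you control", and "reserve sessions for specific groups" is the expected preposition.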
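Review bot: In the mde-security-integration.md hunk of PATCH 095 that adds "macOS 15 (Sequoia)", the unchanged lead-in sentence still ties the whole list to agent version **101.23052.0004** or later. Please confirm that this minimum agent version also applies to macOS 15; if Sequoia needs a newer Defender for Endpoint agent, state that version next to the new list item so administrators do not assume devices on an older agent are covered by security settings management.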
From: brenduns Date: Fri, 13 Dec 2024 10:33:10 -0800 Subject: [PATCH 096/237] Article review and updates --- .../advanced-threat-protection-configure.md | 198 +++++++++++------- .../atp-security-center-intune-toggle.png | Bin 21795 -> 53712 bytes .../onboard-report.png | Bin 79275 -> 0 bytes .../select-preconfigured-policy.jpg | Bin 0 -> 287708 bytes 4 files changed, 119 insertions(+), 79 deletions(-) delete mode 100644 memdocs/intune/protect/media/advanced-threat-protection-configure/onboard-report.png create mode 100644 memdocs/intune/protect/media/advanced-threat-protection-configure/select-preconfigured-policy.jpg diff --git a/memdocs/intune/protect/advanced-threat-protection-configure.md b/memdocs/intune/protect/advanced-threat-protection-configure.md index 2db78c2b781..5489ccf3899 100644 --- a/memdocs/intune/protect/advanced-threat-protection-configure.md +++ b/memdocs/intune/protect/advanced-threat-protection-configure.md @@ -1,13 +1,13 @@ --- # required metadata -title: Configure Microsoft Defender for Endpoint in Microsoft Intune -description: Configure Microsoft Defender for Endpoint in Intune, including connecting to Defender for Endpoint, onboarding devices, assigning compliance for risk levels, and Conditional Access policies. +title: Configure integration of Microsoft Defender for Endpoint in Microsoft Intune +description: Integrate Microsoft Defender for Endpoint with Microsoft Intune, including connecting the products, onboarding devices, and assigning policies for compliance and risk level assessment. keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls, microsoft defender for endpoint, mde author: brenduns ms.author: brenduns manager: dougeby -ms.date: 04/17/2024 +ms.date: 12/13/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
@@ -31,80 +31,89 @@ ms.collection: - sub-secure-endpoints --- -# Configure Microsoft Defender for Endpoint in Intune +# Connect and configure Microsoft Defender for Endpoint for use with Intune -Use the information and procedures in this article to configure integration of Microsoft Defender for Endpoint with Intune. Configuration includes the following general steps: +Use the information and procedures in this article to connect Microsoft Defender for Endpoint with Intune and to then onboard and configure devices for Defender for Endpoint. Information in this article includes the following general steps: -- **Establish a service-to-service connection between Intune and Microsoft Defender for Endpoint**. This connection lets Microsoft Defender for Endpoint collect data about machine risk from supported devices you manage with Intune. See the [prerequisites](../protect/advanced-threat-protection.md#prerequisites) to use Microsoft Defender for Endpoint with Intune. -- **Use Intune policy to onboard devices with Microsoft Defender for Endpoint**. You onboard devices to configure them to communicate with Microsoft Defender for Endpoint and to provide data that helps assess their risk level. -- **Use Intune device compliance policies to set the level of risk you want to allow**. Microsoft Defender for Endpoint reports a devices risk level. Devices that exceed the allowed risk level are identified as noncompliant. -- **Use a Conditional Access policy** to block users from accessing corporate resources from devices that are noncompliant. +- **Establish a service-to-service connection between Intune and Microsoft Defender for Endpoint**. This connection enables Intune to interact with Microsoft Defender on devices, including installation (onboarding) and configuration of the Defender for Endpoint client, and integration of machine risk scores from supported devices you manage with Intune. 
See the [prerequisites](../protect/advanced-threat-protection.md#prerequisites) to use Microsoft Defender for Endpoint with Intune. +- **Onboard devices to Defender for Endpoint**. You onboard devices to configure them to communicate with Microsoft Defender for Endpoint and to provide data that helps assess their risk level. Each platform has separate requirements to onboard to Defender. +- **Use Intune device compliance policies to set the level of risk you want to allow**. Microsoft Defender for Endpoint reports on the risk level of devices. Devices that exceed the allowed risk level are identified as noncompliant. +- **Use Conditional Access policy** to block users from accessing corporate resources while using a device that is identified as noncompliant. - **Use** [**app protection policies**](../protect/mtd-app-protection-policy.md) for Android and iOS/iPadOS, to set device risk levels. App protection policies work with both enrolled and unenrolled devices. -In addition to managing settings for Microsoft Defender for Endpoint on devices that enroll with Intune, you can manage Defender for Endpoint security configurations on devices that aren’t enrolled with Intune. This scenario is called *Security Management for Microsoft Defender for Endpoint* and requires configuring the *Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations* toggle to *On*. For more information, see [MDE Security Configuration Management](../protect/mde-security-integration.md). +In addition to managing settings for Microsoft Defender for Endpoint on devices that enroll with Intune, you can manage Defender for Endpoint security configurations on devices that aren’t enrolled with Intune. This scenario is called *Security Management for Microsoft Defender for Endpoint* and requires configuring the *Allow Microsoft Defender for Endpoint to enforce Endpoint Security Configurations* toggle to *On*. 
For more information, see [Microsoft Defender for Endpoint Security Configuration Management](../protect/mde-security-integration.md). [!INCLUDE [android_device_administrator_support](../includes/android-device-administrator-support.md)] ## Connect Microsoft Defender for Endpoint to Intune -The first step you take is to set up the service-to-service connection between Intune and Microsoft Defender for Endpoint. Set up requires administrative access to both the Microsoft Defender Security Center, and to Intune. +Before Intune and Defender for Endpoint can work together, you must set up the service-to-service connection between Intune and Microsoft Defender for Endpoint. This is a one-time action per tenant. Setup requires administrative access to both the Microsoft Defender Security Center and the Microsoft Intune admin center. -You only need to enable Microsoft Defender for Endpoint a single time per tenant. +### Enable Intune and Microsoft Defender for Endpoint integration -### To enable Microsoft Defender for Endpoint +1. Open the Microsoft Defender for Endpoint portal at [security.microsoft.com](https://security.microsoft.com). The Intune admin center also includes a link to the Defender for Endpoint portal. -Open the Microsoft Defender for Endpoint portal at [security.microsoft.com](https://security.microsoft.com). The Intune admin center also includes a link to the Defender for Endpoint portal. + 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + 2. Select **Endpoint security** > **Microsoft Defender for Endpoint** and review the **Connection status** at the top of the page. If it’s **Enabled**, Defender and Intune are already connected and you can skip to step #2. -2. Select **Endpoint security** > **Microsoft Defender for Endpoint**, and then select **Open the Microsoft Defender Security Center**. 
+ If the status is **Unavailable**, continue here. + 3. Scroll down to the bottom of the *Microsoft Defender for Endpoint* page and select the link **Open the Microsoft Defender Security Center** to open the Microsoft Defender for portal and continue with the next numbered step. > [!TIP] > - > In the Intune admin center, if the **Connection status** at the top of the Microsoft Defender for Endpoint page is already set to **Enabled**, the connection to Intune is already active and the admin center displays different UI text for the link. In this event, select **Open the Microsoft Defender for Endpoint admin console** to open the Microsoft Defender for portal. Then you can use the guidance in the following step to confirm that the **Microsoft Intune connection** is set to **On**. + > If the connection is already active, the link to open the Defender portal reads: **Open the Microsoft Defender for Endpoint admin console**. :::image type="content" source="./media/advanced-threat-protection-configure/atp-device-compliance-open-microsoft-defender.png" alt-text="Screen shot that shows the patch to open the Microsoft Defender Security Center."::: -3. In **Microsoft Defender** portal (previously the *Microsoft Defender Security Center*): - 1. Select [**Settings** > **Endpoints** >**Advanced features**](https://security.microsoft.com/preferences2/integration). - 2. For **Microsoft Intune connection**, choose **On**: +2. In [**Microsoft Defender** portal](https://security.microsoft.com/): + + 1. Use the left-hand pane to scroll down and select **Settings** > **Endpoints** >**Advanced features**. + 2. On the advanced features pane, scroll down to locate the entry for **Microsoft Intune connection** and set the toggle to **On**. :::image type="content" source="./media/advanced-threat-protection-configure/atp-security-center-intune-toggle.png" alt-text="Screen shot of the Microsoft Intune connection setting."::: - 3. Select **Save preferences**. + 3. 
Select **Save preferences** to complete the connection between Intune and Defender for Endpoint. > [!NOTE] > Once the connection is established, the services are expected to sync with each other _at least_ once every 24 hours. The number of days without sync until the connection is considered unresponsive is configurable in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). Select **Endpoint security** > **Microsoft Defender for Endpoint** > **Number of days until partner is unresponsive** -4. Return to **Microsoft Defender for Endpoint** page in the Microsoft Intune admin center. +3. Return to **Microsoft Defender for Endpoint** page in the Microsoft Intune admin center where you configure aspects of the Defender for Endpoint integration. The Connection status should now display **Enabled**. + + On this page, review each category and the available configurations for platform support and platforms specific options you plan to use, and set those toggles to **On**. You can return later to enable or disable any of these options. + + To set up the following integrations of Microsoft Defender for Endpoint, your account must be assigned an Intune [role-based access control]( /mem/intune/fundamentals/role-based-access-control) (RBAC) role that includes *Read* and *Modify* for the *Mobile Threat Defense* permission in Intune. The *Endpoint Security Manager* built-in admin role for Intune has these permissions included. + + **Compliance policy evaluation** - To use Defender for Endpoint with **compliance policies**, configure the following under **Compliance policy evaluation** for the platforms you support: + + - Set **Connect Android devices** to Microsoft Defender for Endpoint to **On** + - Set **Connect iOS/iPadOS devices** to Microsoft Defender for Endpoint to **On** + - Set **Connect Windows devices** to Microsoft Defender for Endpoint to **On** - 1. 
To use Defender for Endpoint with **compliance policies**, configure the following under **Compliance policy evaluation** for the platforms you support: - - Set **Connect Android devices** to Microsoft Defender for Endpoint to **On** - - Set **Connect iOS/iPadOS devices** to Microsoft Defender for Endpoint to **On** - - Set **Connect Windows devices** to Microsoft Defender for Endpoint to **On** + When these configurations are *On*, applicable devices that you manage with Intune, and devices you enroll in the future, are connected to Microsoft Defender for Endpoint for compliance. - When these configurations are *On*, applicable devices that you manage with Intune, and devices you enroll in the future, are connected to Microsoft Defender for Endpoint for compliance. + For iOS devices, Defender for Endpoint also supports the following settings that help provide the Vulnerability Assessment of apps on Microsoft Defender for Endpoint for iOS. For more information about using the following two settings, see [Configure vulnerability assessment of apps](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-vulnerability-assessment-of-apps). - For iOS devices, Defender for Endpoint also supports the following settings that help provide the Vulnerability Assessment of apps on Microsoft Defender for Endpoint for iOS. For more information about using the following two settings, see [Configure vulnerability assessment of apps](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-vulnerability-assessment-of-apps). + - **Enable App Sync for iOS Devices**: Set to **On** to allow Defender for Endpoint to request metadata of iOS applications from Intune to use for threat analysis purposes. The iOS device must be MDM-enrolled and provide updated app data during device check-in. 
- - **Enable App Sync for iOS Devices**: Set to **On** to allow Defender for Endpoint to request metadata of iOS applications from Intune to use for threat analysis purposes. The iOS device must be MDM-enrolled and provide updated app data during device check-in. + - **Send full application inventory data on personally owned iOS/iPadOS Devices**: This setting controls the application inventory data that Intune shares with Defender for Endpoint when Defender for Endpoint syncs app data and requests the app inventory list. - - **Send full application inventory data on personally owned iOS/iPadOS Devices**: This setting controls the application inventory data that Intune shares with Defender for Endpoint when Defender for Endpoint syncs app data and requests the app inventory list. + When set to **On**, Defender for Endpoint can request a list of applications from Intune for personally owned iOS/iPadOS devices. This list includes unmanaged apps and apps that were deployed through Intune. - When set to **On**, Defender for Endpoint can request a list of applications from Intune for personally owned iOS/iPadOS devices. This list includes unmanaged apps and apps that were deployed through Intune. + When set to **Off**, data about unmanaged apps isn’t provided. Intune does share data for the apps that were deployed through Intune. - When set to **Off**, data about unmanaged apps isn’t provided. Intune does share data for the apps that were deployed through Intune. + For more information, see [Mobile Threat Defense toggle options](../protect/mtd-connector-enable.md#mobile-threat-defense-toggle-options). - For more information, see [Mobile Threat Defense toggle options](../protect/mtd-connector-enable.md#mobile-threat-defense-toggle-options). - 2. 
To use Defender for Endpoint with **app protection policies** for Android and iOS/iPadOS, configure the following under **App protection policy evaluation** for the platforms you use: - - Set **Connect Android devices to Microsoft Defender** for Endpoint to **On**. - - Set **Connect iOS/iPadOS devices to Microsoft Defender for Endpoint** on to **On**. + **App protection policy evaluation** - Configure the following toggles to use Defender for Endpoint with Intune **app protection policies** for Android and iOS/iPadOS, configure the following under **App protection policy evaluation** for the platforms you use: - To set up an integration Microsoft Defender for Endpoint for compliance and app protection policy evaluation, you must have a role that includes *Read* and *Modify* for the *Mobile Threat Defense* permission in Intune. The *Endpoint Security Manager* built-in admin role for Intune has these permissions included. For more information about both MDM Compliance Policy Settings and App Protection Policy Settings, see [Mobile Threat Defense toggle options](../protect/mtd-connector-enable.md#mobile-threat-defense-toggle-options). + - Set **Connect Android devices to Microsoft Defender** for Endpoint to **On**. + - Set **Connect iOS/iPadOS devices to Microsoft Defender for Endpoint** on to **On**. -5. Select **Save**. + For more information, see [Mobile Threat Defense toggle options](../protect/mtd-connector-enable.md#mobile-threat-defense-toggle-options). + +4. Select **Save**. > [!TIP] 
> @@ -112,39 +121,55 @@ Open the Microsoft Defender for Endpoint portal at [security.microsoft.com](http ## Onboard devices -When you enable support for Microsoft Defender for Endpoint in Intune, you established a service-to-service connection between Intune and Microsoft Defender for Endpoint. You can then onboard devices you manage with Intune to Microsoft Defender for Endpoint. Onboarding enables collection of data about device risk levels. +After establishing the service-to-service connection between Intune and Microsoft Defender for Endpoint, use Intune to onboard your managed devices to Microsoft Defender for Endpoint. Onboarding involves enrolling devices into the Defender for Endpoint service to ensure they're protected and monitored for security threats and enables collection of data about device risk levels. When onboarding devices, be sure to use the most recent version of Microsoft Defender for Endpoint for each platform. +The process to onboard devices to Defender for Endpoint varies by platform. + ### Onboard Windows devices -- [**Endpoint detection and response**](../protect/endpoint-security-edr-policy.md) (EDR) policy. The *Microsoft Defender for Endpoint* page in the Intune admin center includes a link that directly opens the EDR policy creation workflow, which is part of endpoint security in Intune. +With a connection between Intune and Defender established, Intune automatically receives an onboarding configuration package from Defender that can be used by Intune to onboard Windows devices. This package is used by Intune EDR policy to configure devices to communicate with [Microsoft Defender for Endpoint services](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and to scan files and detect threats. The onboarded devices also report their risk level to Microsoft Defender for Endpoint based on your compliance policies. 
- Use EDR policies to configure device security without the overhead of the larger body of settings found in device configuration profiles. You can also use EDR policy with tenant attached devices, which are devices you manage with Configuration Manager. +Onboarding of a device using the configuration package is a one-time action. - When you configure EDR policy after connecting Intune to Defender, the policy setting *Microsoft Defender for Endpoint client configuration package type* has a new configuration option: **Auto from connector**. With this option, Intune automatically gets the onboarding package (blob) from your Defender for Endpoint deployment, replacing the need to manually configure an Onboard package. +To deploy the onboarding package for Windows devices, you can choose to use a preconfigured EDR policy option, which deploys to the *All devices* group to onboard all applicable Windows devices, or you can manually create the EDR Policy for more granular deployments, which requires you to complete a few additional steps. -- **Device configuration policy**. When creating a device configuration policy to onboard Windows devices, select the *Microsoft Defender for Endpoint* template. When you connected Intune to Defender, Intune received an onboarding configuration package from Defender. This package is used by the template to configure devices to communicate with [Microsoft Defender for Endpoint services](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and to scan files and detect threats. The onboarded devices also report their risk level to Microsoft Defender for Endpoint based on your compliance policies. -After onboarding a device using the configuration package, you don't need to do it again. +#### Use the preconfigured policy -- [**Group policy or Microsoft Configuration Manager**](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). 
[Onboard Windows machines using Microsoft Configuration Manager](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) has more details on the Microsoft Defender for Endpoint settings. +With this path, you provide a name for the onboarding policy and select both the *platform* and *profile*. Other settings are preselected and include use of the onboarding package without additional settings, use of the *Default* scope tag, and assignment to the *All Devices* group. You can’t change these options during policy creation, but can return later to edit the policy details. -> [!TIP] -> -> When using multiple policies or policy types like *device configuration* policy and *endpoint detection and response* policy to manage the same device settings (such as onboarding to Defender for Endpoint), you can create policy conflicts for devices. To learn more about conflicts, see [Manage conflicts](../protect/endpoint-security-policy.md#manage-conflicts) in the *Manage security policies* article. +1. Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Endpoint security** > **Endpoint detection and response** > and select the **EDR Onboarding Status** tab. + +2. On this tab, select **Deploy preconfigured policy**. -### Create the device configuration profile to onboard Windows devices + :::image type="content" source="./media/advanced-threat-protection-configure/select-preconfigured-policy.jpg" alt-text="Screen shot that displays the path to the preconfigured policy option."::: + +3. For Platform, select **Windows** for devices managed directly by Intune, or **Windows (ConfigMgr) ** for devices managed through the Tenant Attach scenario. For Profile select **Endpoint detection and response**. + +4. Specify a Name for the policy. + +5. On the **Review and Create** page you can review this policies configuration. 
When ready select **Save** to save this policy, which immediately begins to deploy to the *All Devices* group. + +#### Create your own EDR policy: + +With this path, you can define all aspects of the initial onboarding policy before it begins to deploy to devices. 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Endpoint security** > **Endpoint detection and response** > **Create Policy**. -3. For **Platform**, select **Windows 10, Windows 11, and Windows Server**. -4. For **Profile type**, select **Endpoint detection and response**, and then select **Create**. -5. On the **Basics** page, enter a *Name* and *Description* (optional) for the profile, then choose **Next**. -6. On the **Configuration settings** page, configure the following options for **Endpoint Detection and Response**: - - **Microsoft Defender for Endpoint client configuration package type**: Select *Auto from connector* to use the onboarding package (blob) from your Defender for Endpoint deployment. If you are onboarding to a different or disconnected Defender for Endpoint deployment, select *Onboard* and paste the text from the WindowsDefenderATP.onboarding blob file into the *Onboarding (Device)* field. +2. Select **Endpoint security** > **Endpoint detection and response** > and in the *Summary* tab, select **Create Policy**. + +3. For *Platform* select **Windows**, for Profile select **Endpoint detection and response**, and then select **Create**. + +4. On the **Basics** page, enter a *Name and Description* (optional) for the profile, then choose Next. + +5. On the **Configuration settings** page, configure the following options depending on your needs: + + - **Microsoft Defender for Endpoint client configuration package type**: Select **Auto from connector**. With this option, the onboarding policy automatically uses the onboarding blob that Intune received from Microsoft Defender. 
If you're onboarding to a different or disconnected Defender for Endpoint deployment, select Onboard and paste the text from the WindowsDefenderATP.onboarding blob file into the *Onboarding (Device)* field. + - **Sample Sharing**: Returns or sets the Microsoft Defender for Endpoint Sample Sharing configuration parameter. - - **[Deprecated] Telemetry Reporting Frequency**: For devices that are at high risk, **Enable** this setting so it reports telemetry to the Microsoft Defender for Endpoint service more frequently. + + - **[Deprecated] Telemetry Reporting Frequency**: This setting is deprecated and no longer applies to new devices. The setting remains visible in the policy UI for visibility for older policies that had this configured. :::image type="content" source="./media/advanced-threat-protection-configure/automatic-package-configuration.png" alt-text="Screen shot of the configuration options for Endpoint Detection and Response."::: 
@@ -154,65 +179,81 @@ After onboarding a device using the configuration package, you don't need to do > > If you haven’t configured this connection successfully, the setting *Microsoft Defender for Endpoint client configuration package type* only includes options to specify onboard and offboard blobs. -7. Select **Next** to open the **Scope tags** page. Scope tags are optional. Select **Next** to continue. +6. Select **Next** to open the **Scope tags** page. Scope tags are optional. Select **Next** to continue. -8. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). +7. On the **Assignments** page, select the groups that will receive this profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). When you deploy to user groups, a user must sign in on a device before the policy applies and the device can onboard to Defender for Endpoint. - Select **Next**. + Select **Next** to continue. -9. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created. - **OK**, and then **Create** to save your changes, which creates the profile. +8. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created. + + > [!TIP] + > When using multiple policies or policy types like *device configuration* policy and *endpoint detection and response* policy to manage the same device settings, you can create policy conflicts for devices. To learn more about conflicts, see [Manage conflicts](../protect/endpoint-security-policy.md#manage-conflicts) in the *Manage security policies* article. 
### Onboard macOS devices After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard macOS devices to Microsoft Defender for Endpoint. Onboarding configures devices to communicate with Microsoft Defender Endpoint, which then collects data about devices risk level. -For configuration guidance for Intune, see [Microsoft Defender for Endpoint for macOS](../apps/apps-advanced-threat-protection-macos.md). +Intune doesn't support an automatic onboarding package for macOS as it does for Windows devices. For configuration guidance for Intune, see [Microsoft Defender for Endpoint for macOS](../apps/apps-advanced-threat-protection-macos.md). For more information about Microsoft Defender for Endpoint for Mac including what's new in the latest release, see [Microsoft Defender for Endpoint for Mac](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac?view=o365-worldwide&preserve-view=true) in the Microsoft 365 security documentation. ### Onboard Android devices -After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard Android devices to Microsoft Defender for Endpoint. Onboarding configures devices to communicate with Defender for Endpoint, which then collects data about the devices risk level. +After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard Android devices to Microsoft Defender for Endpoint. -There isn't a configuration package for devices that run Android. Instead, see [Overview of Microsoft Defender for Endpoint for Android](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android) in the Microsoft Defender for Endpoint documentation for the prerequisites and onboarding instructions for Android. +Intune doesn't support an automatic onboarding package for Android as it does for Windows devices. 
For configuration guidance for Intune, see [Overview of Microsoft Defender for Endpoint for Android](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android) in the Microsoft Defender for Endpoint documentation for the prerequisites and onboarding instructions for Android. For devices that run Android, you can also use Intune policy to modify Microsoft Defender for Endpoint on Android. For more information, see [Microsoft Defender for Endpoint web protection](../protect/advanced-threat-protection-manage-android.md). ### Onboard iOS/iPadOS devices -After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard iOS/iPadOS devices to Microsoft Defender for Endpoint. Onboarding configures devices to communicate with Defender for Endpoint, which then collects data about the devices risk level. +After you establish the service-to-service connection between Intune and Microsoft Defender for Endpoint, you can onboard iOS/iPadOS devices to Microsoft Defender for Endpoint. -There isn't a configuration package for devices that run iOS/iPadOS. Instead, see [Overview of Microsoft Defender for Endpoint for iOS](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios) in the Microsoft Defender for Endpoint documentation for prerequisites and onboarding instructions for iOS/iPadOS. +Intune doesn't support an automatic onboarding package for iOS/iPadOS as it does for Windows devices. For configuration guidance for Intune, see [Overview of Microsoft Defender for Endpoint for iOS](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios) in the Microsoft Defender for Endpoint documentation for prerequisites and onboarding instructions for iOS/iPadOS. -For devices that run iOS/iPadOS (in Supervised Mode), there's specialized ability given the increased management capabilities provided by the platform on these types of devices. 
To take advantage of these capabilities, the Defender app needs to know if a device is in Supervised Mode. Intune allows you to configure the Defender for iOS app through an App Configuration policy (for managed devices) that should be targeted to all iOS Devices as a best practice. For more information, see [Complete deployment for supervised devices](/microsoft-365/security/defender-endpoint/ios-install?#complete-deployment-for-supervised-devices). +For devices that run iOS/iPadOS (in Supervised Mode), there's specialized ability given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender app needs to know if a device is in *Supervised Mode*. For more information, see [Complete deployment for supervised devices](/microsoft-365/security/defender-endpoint/ios-install?#complete-deployment-for-supervised-devices). 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + 2. Select **Apps** > **App configuration policies** > **+ Add**, and then select**Managed devices** from the drop down list. + 3. On the **Basics** page, enter a *Name* and *Description* (optional) for the profile, select **Platform** as **iOS/iPadOS** then choose **Next**. + 4. Select **Targeted app** as **Microsoft Defender for iOS**. + 5. On the **Settings** page, set the **Configuration key** as **issupervised**, then **Value type** as **string** with the **{{issupervised}}** as the **Configuration value**. + 6. Select **Next** to open the **Scope tags** page. Scope tags are optional. Select **Next** to continue. + 7. On the **Assignments** page, select the groups that will receive this profile. For this scenario, it's a best practice to target **All Devices**. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). 
- When deploying policy to user groups, a user must sign-in on a device before the policy applies. + When you deploy policy to user groups, a user must sign-in on a device before the policy applies. Select **Next**. 8. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles. -Further, for devices that run iOS/iPadOS (in Supervised Mode), the Defender for iOS team has made available a custom .mobileconfig profile to deploy to iPad/iOS devices. The .mobileconfig profile is used to analyze network traffic to ensure a safe browsing experience - a feature of Defender for iOS. +Further, for devices that run iOS/iPadOS (in Supervised Mode), the Defender for iOS team provides a custom .mobileconfig profile to deploy to iPad/iOS devices. The .mobileconfig profile is used to analyze network traffic to ensure a safe browsing experience - a feature of Defender for iOS. 1. Download the .mobile profile, which is hosted here: [https://aka.ms/mdatpiossupervisedprofile](https://aka.ms/mdatpiossupervisedprofile). + 2. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + 3. Select **Devices** > **Manage devices** > **Configuration** > On the *Policies* tab, select **+ Create**. + 4. For **Platform**, select **iOS/iPadOS** + 5. For **Profile type**, select **Custom**, and then select **Create**. + 6. On the **Basics** page, enter a *Name* and *Description* (optional) for the profile, then choose **Next**. + 7. Enter a *Configuration profile name*, and select a `.mobileconfig` file to Upload. + 8. Select **Next** to open the **Scope tags** page. Scope tags are optional. Select **Next** to continue. + 9. On the **Assignments** page, select the groups that will receive this profile. For this scenario, it's a best practice to target **All Devices**. 
For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). When you deploy to user groups, a user must sign in on a device before the policy applies. @@ -222,10 +263,9 @@ Further, for devices that run iOS/iPadOS (in Supervised Mode), the Defender for 10. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles. ### View the count of devices that are onboarded to Microsoft Defender for Endpoint +You can view a report on device onboarding status from within the Intune admin center by going to **Endpoint security** > **Endpoint detection and response** > and selecting the **EDR Onboarding Status** tab. -To view the onboarded devices from Microsoft Defender for Endpoint within the Microsoft Defender for Endpoint connector page, you need an Intune role that includes *Read* for the *Microsoft Defender Advanced Threat Protection* permission. - -:::image type="content" source="./media/advanced-threat-protection-configure/onboard-report.png" alt-text="Sample view of the onboarded device report."::: +To view this information, your account must be assigned an Intune role that includes *Read* for the *Microsoft Defender Advanced Threat Protection* permission. ## Create and assign compliance policy to set device risk level @@ -235,7 +275,7 @@ If you're not familiar with creating compliance policy, reference the [Create a 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Devices** > **Compliance**. On the **Policies** tab, select **+ Create policy**. +2. Select **Devices** > **Compliance**. On the **Policies** tab, select **+ Create policy**. 3. For **Platform**, use the drop-down box to select one of the following options: - **Android device administrator** 
@@ -263,7 +303,7 @@ If you're not familiar with creating compliance policy, reference the [Create a Use the procedure to [create an application protection policy for either iOS/iPadOS or Android](../apps/app-protection-policies.md#app-protection-policies-for-iosipados-and-android-apps), and use the following information on the *Apps*, *Conditional launch*, and *Assignments* pages: - **Apps**: Select the apps you wish to be targeted by app protection policies. For this feature set, these apps are blocked or selectively wiped based on device risk assessment from your chosen Mobile Threat Defense vendor. -- **Conditional launch**: Below *Device conditions*, use the drop-down box to select **Max allowed device threat level**. +- **Conditional launch**: Below *Device conditions*, use the drop-down box to select **Max allowed device threat level**. Options for the threat level **Value**: 
@@ -291,22 +331,22 @@ Conditional Access policies can use data from Microsoft Defender for Endpoint to > Conditional Access is a Microsoft Entra technology. The *Conditional Access* node found in the Microsoft Intune admin center is the node from *Microsoft Entra*. 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Select **Endpoint security** > **Conditional Access** > **Create new policy**. Because Intune presents the policy creation user interface for Conditional Access from the Azure portal, the interface is different than the policy creation workflow you might be familiar with. +2. Select **Endpoint security** > **Conditional Access** > **Create new policy**. Because Intune presents the policy creation user interface for Conditional Access from the Azure portal, the interface is different than the policy creation workflow you might be familiar with. 3. Enter a policy **Name**. 4. For **Users**, use the *Include* and *Exclude* tabs to configure groups that will receive this policy. 5. For **Target resources**, set *Select what this policy applies to* to **Cloud apps**, and then choose which apps to protect. For example, choose **Select apps** and then for *Select*, search for and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. -6. For **Conditions**, select **Client apps** and then set *Configure* to **Yes**. Next, select the checkboxes for **Browser** and **Mobile apps and desktop clients**. Then, select **Done** to save the client app configuration. -7. For **Grant**, configure this policy to apply based on device compliance rules. For example: +6. For **Conditions**, select **Client apps** and then set *Configure* to **Yes**. Next, select the checkboxes for **Browser** and **Mobile apps and desktop clients**. Then, select **Done** to save the client app configuration. +7. For **Grant**, configure this policy to apply based on device compliance rules. For example: 1. 
Select **Grant access**. 2. Select the checkbox for **Require device to be marked as compliant**. 3. Select **Require all the selected controls**. Choose **Select** to save the Grant configuration. -8. For **Enable policy**, select **On** and then **Create** to save your changes. +8. For **Enable policy**, select **On** and then **Create** to save your changes. -## Next steps +## Related content - [Configure Microsoft Defender for Endpoint settings on Android](../protect/advanced-threat-protection-manage-android.md) - [Monitor compliance for risk levels](../protect/advanced-threat-protection-monitor.md) 
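Review bot: In the added step 3 of the preconfigured-policy path, `**Windows (ConfigMgr) **` has a space before the closing `**`, so the bold will not render; remove the space. In the same rewrite of the Windows onboarding section, step 5 should read "this policy's configuration" rather than "this policies configuration", "choose Next" and "select Onboard" have lost the bold and italic markup the removed lines carried, and the paths in step 1 and in step 2 of "Create your own EDR policy" end in a dangling ">" before "and select" / "and in the *Summary* tab". Step 5 also states that **Save** immediately begins deploying to the *All Devices* group, and the intro says that assignment can't be changed during creation; consider moving that into an `[!IMPORTANT]` callout so it is not read past.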
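Review bot: In the iOS/iPadOS part of the `@@ -154,65 +179,81 @@` hunk, the rewritten Supervised Mode paragraph drops the sentence that introduced the App Configuration policy, so the numbered steps that follow (**Apps** > **App configuration policies** > **+ Add**) now begin with no statement of what they configure; restore a one-line lead-in before step 1. The Android and iOS/iPadOS sections also lose "Onboarding configures devices to communicate with Defender for Endpoint, which then collects data about the devices risk level" while the macOS section keeps it, and the new sentence "For configuration guidance for Intune, see [Overview of ...] in the Microsoft Defender for Endpoint documentation for the prerequisites and onboarding instructions" reads as two sentences merged into one. In the changed line "a user must sign-in on a device", use the verb form "sign in", as the Windows step 7 in this same hunk does.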
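Review bot: The `@@ -222,10 +263,9 @@` hunk removes the `:::image` reference to `./media/advanced-threat-protection-configure/onboard-report.png`; if no other article uses that image, delete the file in this change so it does not remain as an orphaned asset. The added paragraph "You can view a report on device onboarding status ..." is inserted directly under the `###` heading with no blank line between them, and its path has a dangling ">" in "**Endpoint detection and response** > and selecting"; add the blank line and drop the trailing ">".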
diff --git a/memdocs/intune/protect/media/advanced-threat-protection-configure/atp-security-center-intune-toggle.png b/memdocs/intune/protect/media/advanced-threat-protection-configure/atp-security-center-intune-toggle.png index 02f3b4cfba5bb8879969b625632822a35ae92924..f46587c815025d85ae21a11aed34666bda4663af 100644 GIT binary patch literal 53712
z+=+ge|hyD{^F`;(O=5fU-wjsF5b}VN~lkmkvp3wUA z6}9DgiAlS{b9xK!xSaRKZiU~h;C(n-3FEC8O~R`e=b6Ds!-jJ+8H`>{xr#S+Z-ZLe zvwz&|lJEZ!r81(Pwa+%#(0RSvy8?Ty?m&3aQK)6R$WXW&7jK(Ed9j6si}f9_iV(fr zRPNssC_gp&JAw9GYSJtUJ~Fd2AA7V5J-1!e=P5~qUYq2<`0&vGzday&{3~{*&xTFr zurEnOI1d_Er7U4*cP?uuI7Bbb2|dki?CdZo5Rp1&$D>=nFwJbY-PeT2$C z4?l$3VVqyz>)}7HUC{UVw_B?HdfJkETAqAn@psO7R)0)9>Wf7tU>A5I)~{bbXCmjt z`3uClo}Y-1P*c&j~|E4rOoP@y37u%ee~ zRCI9Fq#9qp+silH-lkDu+{_@_rwu)w_TKCt^?ck6Bu_c{>Cfu9Gw7(r{%Ga+z0rH9 zCiqKsON*hutx>ilJP1u*3;0et&_&XK# zoQ2wNJ^S$cJzAD(i`o7lZScl6UVO(cKUfyK|139r#KBpwkw8NFMVxuHQ>Lzvm!aZ= zeKyMbsNEk7!&=G&uGPk95=f-GTUxt@ak&Htc?Rp(*&J{>np|r7PsE0KNbuF>3#7~ zs`{k4lIUGu`FZI}TAJFTjaNu7X6i>QZ*fryt);8A8H*mIR+c00OD>FWUNCWqtwiJbIx-qUl154U`vKNhMSc;_F*I^;faJKY0B&8#F=FOZuG@cizeDTnU_FzbTbTpg| zOoa`Fxi;8bOj93AYKdRhL0bF47c`D~k2Mj^T`5;_nk#EA;*Q{?0W-yh3oC-`pE$>GyTIS+w~T{&`z9#nOY z?KBY}LHVnNH2e?Z1I!TH$S=dmXA_IPQ+-If=vDmw)C8i)T6%jj%6_XQI4T9~-zC8j zeljcyAr7}Rv1i+Idg1>I?2p>p%SNu+q{w@CI@aUQR{m?ep_b%A+g}??M;jAea+oOt zSMwk_6OxA%`8ZkLH8t zZ~QHJ4jkXQV3LVJ#fKAbR9YwP160VUD!T4-Na-rSx}4HNF=P50|Qm2?(&%4Xy4 zVb%itGuH?297Zu&^+YO-_nSDQ_onLtc8h7`Qmx1Sj&skvZLOT_1+9wD73G)Uy+z%_ zcWA3#zURxyIS-{7ZUIkgl{-#BB2f&fr~pYODaA$;Xu2~NHA@@S{C=A|Ic#M@;_HR8 zp-7K!A@wQ2@N%Y173c+(?Fp?BV+P$pyX!B8^YQoK+Ka?KRh+q2Q819j%qOC;v$t+m zqy%=W`E5(f?Q{1%kKVwA?be;(7+ao|g%gp)%`0ejH9UOJJT)#|@{&DW@b6#>I&gO} z05>N=3P}hMuioQ08dPjyc+MvmzvakfK_1ZgqdL57g*Bg*!#4;{+6-(tt4j6nLHf@= z&;8z?-X)V(@HItW7$4w3-oiEF44#F;Nfh^O(SW{$?0a(0vWLHhc(N7YzOrn-mYT}I zU$e|bzp_vHQg-;`?qhltQEt1aKTa~6*xjhW7B;j3{6N5;tEc!lihC6GmpQHT#ERqS z@)%&`MeQz|RXk%*g&aM~4OW29{J8h~w82PJU})+UAd&93b8{SF^CtRx26UD!gKQ6J z=Cv3Wlxm_ixdj599gF)t4KcT^q*M<~XL!5$d;C<06hs|fXXPKot~+kT|NDk$w_;_~ z24jy4!poFb-xSYhd)h+(9sqo8XSeN1ofRS?qxHu9=<!n?t5)V=uEU2ys$0Z9Bj6K*Mvp|LIEVSoHw06DkS_Emz?!2U`rCGpQZtL zJ&D8}?~Bal%PR%$MQhzV$leL9Cl0R^jM2~-%O|diBwB*&IOK*tDUFiAVSVfd!oEK; z8LU_~9W(Fj9kYjwDFq$2eh@)t$8anH>;H9K7eEz~WJL5DoNU)pcUGz<`+8mryg>_D zABi{ujsC-v_bP&hZP#l?H1i=G!j`Q&M&fM?Zflpp7l(D+3Gqg2=Qwjp=Uo1;$=@yP 
zUah^4wakb8rVq&=LGw1_-(F)qm9;Tlh2oOmo zs&|o>Zf(EDRT)Fq5`|wx8q~U(7)dS0oN|yrGW4QVag36uYI1(O)#wcNorCLb{d zt>9L*@G@$cY-E-2vqtZc)Zs2hqZkR{MsuUQRyot0`af~&q)G+dM2=Lqts1ADZH1JF zaPhQ39!}o1PUJC^n%{)R0;>}bp{O!_kdT$f1|(ug-SU5lTMTiUnAmByT>o0w^wLEI zl6smNl+u*qRDRT-AM$uE$mc90Wer8LZp-hrC<7cR1^v6jyX{6tzwPX8nw)#$Vep%a zo1JVVZ+eSU`Fv)5U4FVklAx~K5=q9#X*F`uP;iG@I7MKOSD{8u#y{TNzuaI%v)+LU z{MA}+`^AdumXJuw^rnijOjnS88u7;!Wku8JdTV`N6T|7qH*`d=rm*6+fP&s1oG@Mb z7wVxYrRmGr9&K)E5@%-EG z3Bs(K=C_dkIC~r6HVRA7?#JBoMzeQ+b4>cKBvPpA z*?}igus#EAr`%w2Ekhb5pz3DwM1Db0E~R@rWX#uf?5nspzl2_2UgcSkO%8yYfM&^| zBgohD3h0>s;=;kI4BDgAc7LaT0JgXV^E?343;p$mtQt1o948mwYxqt($ptHu4b8HJcc@aBj;7#26(FdT_?NY3i=X$v6|zllWXBj zgOQl+L>jp}ri=D_Tb|*T=of&MwW71BPtNH4Pr@dqV#9vtGwKGL?k}1Bcesi(PNeEv zCxQKnxXv#C6)nbh3A}p2>@=I>DDO&s2>IQV|1g=qGDO>jHRe`O;{aKFcMbH{DN6{d zjIRS>?z`6w-la6wgN?C_Tu5@*#ok$ShfYZXK3AUfnzc(Z{6U)o0F4XR!)=n)2v84c zcntN0Ci~^QAe%$6nulWZl`cuFwFO2Z-c>_RPZzh4htYT;03eeNuEH90J`HA-5gwA> z$09PHeVyOAg63YLVSFs+Hj}@PLWLdIlo*vR<_a2|&uPfK{+B$?kt8&qTEZUI=5a3b zM+uPm@GnS5ewV-<$&U}io{X)|6$`X~HO_SCt>EdTOPjO;4D6 z!WD!mQ^<`cXQ<`0KHU%2Nkdyq4=rWLl@7LXT$zBkTNXT=rEj3w>($4uQ_?d3GBK2ne`} z7+x=P5S@ReI#!0AnI})8fLD#Gqw}yGC@>^Q-0g}-!RLr5T_r)DMh5pM9w~B`8#=-f ze(O04qRnf)yi*oC0@Q4i`wJa)wG^}m^^K7aJR^K+3fRtF{o(G&@p^JSWnr< z9;b-$y9#Z4!+R2upV6X6qP}VE6bA>)uk9;xLxUP4T{qBx+Is3C8zt46ZzjtRB1U8z z#69RhuAO5v+njaUvDeQ7f**to#Q69Kua)*3=6QX6Sc}4nX|^_KwU)>a-g<)y{F-ia ztx7uQOW}JxAmljV%wTo7xo)w|ec(#r}*egx`wW`SlQ) zaPG^U9xeH@No8|i7YDY1HUkL+$D z;aG12@|O>H@k7jOk#!l1HS7=dj|w(mNlfxDy#nl{R@039iFim;D_ASy^7ywVn&g0r z^F7k@qpFSqfY=W;)i8C#w=n5+AP`RnBw^y;e3tEJ9A#^b10op(jp@~uIW>weWPnS& zJN}6nMLfp`OnPZm8!s72`t}@FS)D|mojK7&Y(7jnT{`AQ&!zybwwV!OVg530>(PVcRSmpwe%4xkOQO+ox`j_v{^n{((7|yFs$HIi&+7< ztJafsxA%0sPM>6a-Bn#H|MHqPs#wiU^i?>a1z8Z01$jK*xopF6o5oKf$@yHnM(@1_ zSXI0iJgFw+zW@5^rt{k#b`^>Vt^#Ce1})Rq>CD27RVL&h_e}KE_YB?^8>2zSV{fk7 z?UPD}wA+7;I`$>zOtI+}>WN?v*~ zqew#T+JrTsmd%d|WXKXi_E1$;obn8X(zz7EuELG03~E`2xlc$(guCKG9Pg-)TlI87 zglY*N(-&LdN^Qi*tVnP}_f>`xv1{qte-%n%4bN`Lt5#z7BjjO!H_ 
zfp;r{t>&Av@>S-#K`z_Z1BRQ z)H51I7HQcMrmnz#V)rdJLcH;VENkBe{VE25>4oyk;btiDf{z#VD-9)_G6PwqVM6tr zntw*Da)%vGSKnkTlyh_Bjfl9PxalXqIt-_eN*AIv`hx=eoheA4haG-V!;u`Ao}G=0 zUjZZz^|;3zz%hUAK4Nm+b)6l99d?RbfXU?=Z}w$22d=k46iCtF;X!j`%#jESuOfW} z^H5=N#Om!*Rgi^fAYnG5cdo%flw>Y97e&Iz^Ljdiqg^ysh4}+@-USLo-m|C4w;(o^ zP?Dl3o0mrl1>iM!4gEJKpUllBN!C!1zU0c7KO!Pn!bX2I2QwLrrwFR7Z*48k*2N0j zXp}Ed?w@tD%l$n0i>B?_=G!ZP{3Elh|Lt-Aqq{91Mg%7Y{*=q}KupO`4elU98~K*X z=cBxb9fuZ6o02xD-|6{19wuFxq{i&3Etx3djcS1# z?N1iFZcMsdP^+iSS_U}S833f@r7t_9{g%B2+lWkpz6IlMe8*k zX|zrzYYSWaK&c(l1aQ<{{MlJV<2xrmFB8>L{iau&{#r~VfZP2a1|2Syly4UTc3+;$ zOOI^U7p73^d9P6)^ocrTjrsX#efq8%!_ILop1FXV!~ObH?0y*whBdsLYW{X**XX20 zecDR0k^OFY42|@6%7}Lfh<&7mb}fKV@}l{YvLFAW)*%WIcuNsNB#DUzl()E>UH9I* zzQO<&t1BE=+_~~31BoOHna>w9d}UuB;_g%vyIaAvmadIh{?gn1iu-u9)-3R6b@~|V z`&cn8WLiUEdi%WpiUyXz)Q?FAVhaaXdAomfy5`yg$m()wZW%yzI)ncOO$(7;r$-FE zrUbI+&JSWZ1Rh8dREniP={cV+w;hu@_v~E7+!iZL@k){rvW*g~A*(Lz@<<>-WS)2X z2JJ!SwZ$mFI~{?j=UVH2#Iy~bBpDiI!}f~E!&1x-me-P>7A7@QVoT6D2juA+?D05e zCdlXvo_0l9__zOP)V$7` z65HopYp{_BlFoBw%S)H^+uNeI5nKs*M?R3TY%TUMuDf82f8+q*>E+_@= zz`W({3^g_4AG*K)!D(w-Sv=pKZAsmU@X&)~r94 z9FrAfF4TGrh4-^?@z>{vz`&5L@R#sWaF-d4t`OwxA-%{RBLWdwV5HaTCHpbevo|Ga zT&rTq=Rbo$jrG$qUHAisC$c^_zPkB472HiMpf)AH=Wqv|lYiCAbp%Iz4K!g4in=rH zEH%$GD9+;QOJatd&m4USpFJJ@NM?I@dg2AW+d^2{j+ChM`U?0j?rF%fe8EMcVW0=` zSn~d1g({{IPKb3qy!)J(xgKZ#q#vgl!>ys=S+Q^Rf)y7j)%ys8A%dVZ!a+%3X4r zgkZXeBipRsOK0^lKqd93SVhkJgv@)hu}kyNVlw2@3R8ZU@4A<&lRi!E@wH1Q6mj)6 zK5elcwyn@G?SC2u-%X^MyynSeOR=2ABvzNfPO*^ndwFpG;oS3iE@dA$#kE~(k z$!R^eX$hN`w{PCq>T`3#l+)_QJf3>Snlqz%6qm)MTRH7oH)N1Qpal8y+gEcOBRY?U zK}bN5u5Gb8gaz!!V!PI5QjzYcIfd)c2H&s!3H6V(=F05cHpv_#NP#c(;xhC#FS4$| zZYO2?v60={=W=yEI-KB>k=vUR0$$RLNQOPR$xuk(yzkz^`^smE|ycD*}Ai+(QEcYY0DXSJ$E)gZk;DRsu(=O9re$O^CedzzQbRFdaL8*OVad_LE z;FCG+8L~t?`x_hq3 zhC={q4&{7O+@Z(@k%fjxE0| za>qP)02?VnDOztkIO<;dad>5#l;_;M8Q5PdefnrO6?S@> z>aM8n<+-#N3=V7I2u4z8Qm#gerNi4`x|W9Z#nsJCAEH#PCH<^}sUQ(mcdO&4ApJXa z#;*ClzuIhrEzfR9-ExzWT&LqPOE^ZGb89IK!qIHC(QZ_Ki8yuCba_~zcwFjF%~(qb 
zsp2}^V&aG}AT?n>DWn4%L@6%jM;Mgsw)!=}|Ne|>6|vl0Eo8Bu!yc6z^W|%it&m;| zasR^5JXz>yL{szCnVq*FPo0oNpTuk=&`oEu0SBX0C~d_~%$o(D&3`*Iwh0?~ z>J-=+@VKAY-t&ycbCNJUT-`yiNVESoDg#Pn+Zxk><(a=QracYCAs4@oAKMH;TplRBuX)1|;wt1yt6l)|&VeLOh2^Uif=U26yA=j)z;4^ezdceH4HG46G5g@v5! zVco0gd}fcXF?|m>1dvzlY1f@s1Fzsl&3BZU zqf6IaXup*xV-H8Ve}Xz2FM2|R{;-EPtQ-sO6>snuwF_Eq6S$8m zQl_`@i|dsnl6>@OFDxLOG&z9 z@j4^=VqW!Y$>x%aj@rRLHmoIGqR1FJj_&8-r4#Sr8Uz`n`OdKUTA8^$!G?3TS0)$# zj%z;^8xNUOca{87{T%)Cuv!DTy5mCAqY+?jyHzQOp+&T)XZkiuxH^xN|L40h$-u}- zU)c?xt1W}O_NxLt`3Eb{*kV{gF}SM$6LA1pv{3+{^q0wlNwCoBo> z9uf#HL9+Pbt_y_VZo%C>!QGwU?ymdp{rf*3;O#oKRi|oqcBH3gdZzoj+QmWI7^4?0 zqsy(MVxykVRayt*heL;lL&rlU{Sf|Ut~AlayZ$@U!4{0rBbS7mw#p9=cU!a~1X6wa z-(4n}KV)#N84yarz8~b39n=gnS@bHzER%(-yC z3Gji3+gso5;A= z6c^2-8CVZbhikXcJ8*~#AjH1+4j0F5>x)TnDg5$B>_yLz(Yvo-e!l{MFLF`T?_{Pm zw9q8LMx37|xQEp}lmP8rM%&R_MLO1+XR|at| zL}gAaTB{pdin1GM`m?{RYt(&o3x3INlR4dsJ97HB8a+!xHp)0g%k5F(xoo)^R|Eeu zsVD<_*#-LOct2z~UC;-C@1x$U+~8yc>*XNuN&fh;gcs;8BKOxN3IUy_`KfpSQd9~V`;=gnglL7NG4 zc8A;L#`Y&F0Szpm^X$x@bd*AX$=VwgcpFsnF0NZQ9FrbUv1I7wkS`Lf6Nla$r=hdI zt~jGv!2-v52UidmJ%A8}SSRkcW}{+QxQ*42 zYMEKR2F9Y&c;$;fD;^1O9LTU>e;g(QrLWeqv)K2xQO?jIa^?|G?H%fRUOlbKN@ui| zw>2g2D3tZX`!UnQ(MMy!>f4Ioi|D|RB;kWHRY_Yk?UvJ&3u1i0;Rh+#cf01JeEn&F z&V6ZtK)pw?iIEK8H8~^Kg+!*dIJzMNK5yKXrpTIG)i;qOn6W799ppFmq&*-CqJq13*BL@phY2TGhzT?zpTJ&DK3>a1W4l zAU+mfqo}n~{q~E?Bo5JU?^tE`*5rYW{&2n-+~{T#V>^Vba0OnK1{~;_qS~FTJSS_h_^9oGliH00-&lgzX9}kn2(odh7ixq3(%Omy z>NM_j>bO8h-=#m#mxhu2L6*_x?%ngHmX@WZmgQc3&CS|DS=%(v&z@2hIi@$;7cM`> zK+GTh{#oVS>DqF37aTvRL6I<5KkIj*{;K`n`GXI9@zzaw2+OkgH;*2{SU^W{&oHIH z+v|J@fK2+cCx*Jyo14uot;~=)lN{$h+fq@_8e!H6&0i^rDG1RvWu(L^)2^>RjBGI$ zj{9lKF>)Dsh7}zaraUGIe>iHDM`q>AnoLx@jO2MycH8kT?&t2CJHG$f4EXQA>gF~L zs_VvLf1_s(Ho7+>3(liSc@=l)OU1amy$qI16ykrLE7o)NM--erc z`rG-uM@mA;B{>3RX#j;whx^S20$m6iGT^!pnHZhs63mkz*iG~+_vByYKvJsJwdU`r9s%*>B4h3Tpj0@ALv0#HW>eJ>boghZf zfpQ<{HtH0BfIc^p*t4%%V#3KUfLsbb6IY+S*3N^r#^Y8JOrJ5d9(0~a7RPAP8V0)T z;OGh8MWgSxv*(%e<|a{G2b}XNlYiIGXX?ClL2j*=9kJcLD|@sa0iNg~ARv&9pL%W$HJ`XQq2q_R>00JcIf 
zyHRx2;|2o(AeF}Vriq##a4-~g?jaGiS~(0_mqo3b~cZM z^_eWGzwrP*y=x9wuvyFMyWUd7l7WvZE7|QUePyC598gFuC(BKZYq#5vbWb zvxs}4WZ-6x0N*1KypQTs_^O`ca3M|BJjw28l(-D3wR!&|TO)*09Qr-%M4#JgYN&C; zUjfVh(l*ecELj?T5Sh_X+tG6te(|cPv7)4KDWB~j?Bsa?8;5ZZ@AtqNbE?m)$AYepn z`p2@*+!l(bdgoMk+!w8&kaX`IWMm+H3j~JQ*g@Ct1~?=M`w)pXGDJZiM)1zXNHtCK zdq%J>Ud`wN7%`w+Ej()CT5d#lM_?G``hSb-E z&VY}5A2>#s7|LLxk!v6!J>L_CG90WU?j^$Ie?%h3{YA@)(@&&4ek8xZ~ z0dGp0Crw`{Ik?O$?nl`gw$qDY82s_T|v8t6LopYg= zR1hL6yuk4$Z9zac+Q^5@T(SKN3bEihaIQ2Oi%gBNa^lqxP$)cd#O!_7E!PWRwE5Fv zO5heu?_nr~9N#m6H{B464>D2>rDEZ>%ySfi$a7$1WTobPyV`3!1zaYk`Iu(8f*}6G z``hqn@kRH_nuP@x4$rl@{m~4)hxyf z;DZ4B%6T+p3s2|S7&FlMqaxDHG~&h@41^CefAu5WaDVkOXAh{QSx`*F00YEeR7ze$ zOD6fk+UY~b?*PqL&9xc(w)^{H`x)DXiU*zVJmvAr?uVD9bf^TK!gAYK+Az>=jqstD z9uF!YnEI+S=VRoJKq8WljGi=^ZKd;hsy!`n?rdLEN*t;$YTJQu-&u=P*4SN~60s{% zEC>wvfGS+fmAo(JgDLsTR%2SfuWDB7$4|CXd%;jmD}`k2Eo>lGC}5)Gn8NEiT**x& zR=*JJaR^Spnr!H9#hk&DzEhv=Z!viHJy+YU=~GZ-3gobPOhz5FH%J!7;D<#Td5oAK^AoLg@3`6VdGttpL(-*BL zMm``6KN(mq*DCdJB3IeN}^hC~!+lcGEW`H4qd3E2II!X~wdLduJ;Q*JU5rhS$_thWLjAFP$(=Gx ztnd5=x`^mCgis2k^IP-1>wj*l3umMEI-L8yRCG9f($;=$V^TSe)wjXH#X0jgXt(eE zPEuv9Kkft?Wz&5)@LR&aqfoKu$Lf+*p24fan}oMURW5bsr3H|0=JpHmX|1n4zA6P; z$;&v*CTxhGdQ>Fc zna;fkMN_91z7XEecC_h_iDmpp(+Ef+3;*aV9A|8tJZN{l@vk-KBCWsh0d*}+{8<(} z?fyC3R-zAS;du{YHR!#xUJQp37phZYKOMJ$kyY+P)*vI8B`eiyX*X@pTeo-atC_B0 zbQq%v!?d;y1eK4zTR9BS=Bf)x46@{x+^Dxv9|%Q7t*rO{HLmmq1DQF)0X1P2G3jWE zn@ALDmKOH5C=wX2O{-30I@*dDT!lL819$Q&=+c&;d;ic>rJi3#)YmQv{%XA*oL((i ztvTyW-N^gV)9&XZ&i8=x7KGt*jZ4qQ$~HDuUFD-ykVni}-LL&q!?7pxCQS|lle2zq zW@3$U8}hNO z$ao$LQp!y-YG-vZ!;wO4eZc)4Uf#^$_FdRZk=hJ)`D)l_is4T|e6McHP*Kr4%1tfZSKQhQ6RhZeV-=op6bLV8fZL7IJ?tqwA zfgEDqkYM|xhLpM-K|mtL`o3mXHyQy9Lz_8n@xUR@g=s4BuOqm9<)}E-@d5!#W)DA1 zk5Cbk8G<@pDF+LT{4_LzPZh6jrrEbDwqyDL32G)|dn%AB{M=tL&t4H% z=4g94IIr&a%JF$UY#TqfTt`U9gVeIHew|K0#J4uLHxaVEy?Hp~uFuI0{bt+t;dcHn z%Hgw6LK_^`w0PS7{kJNw>=<{|&IGCtDu56Cnv2+?rCO=JZwysTfuASN&Zbs+fMj0t z{>B`&f9!__2njU`xt+YBrt-RQ>PabU0RRRd3n%&Ud{m_U;T-d-sC?D?e!1oRha_?s 
zusilQ3e2yS!6|Cra)&g?akcqqPfa_uXK+eKj^XIg@@Vh26)5}((3Jq$#!{u7g0RiA^p z?OwnU&Pl{4PDI;QB*RlBt}jvC&4guP3MA7aUjPY(mP~BSjEC)O17k6S6We~UV_QBP zf_+G2s3tezj;3}aM2QKbo5s#lzZ9m#R3#>m9$$`4xL1m0@|?9~Dq<`;E~Jb3vsm*Y zME{BtVK^+@P8bs$!`Mx8l0G)yaxgWAiau^YdC*CZQtM%TMUKEkMA8Lq_@}yqG zRhkl==Qx@Xu^^Jq#c4LG%wcZA3B1BYlcAk!=TpWO9jKu6P|tF+CNU$KAfFlRpl=|` z0?>uXgRkSYi4$kP&_92^X+18Kr)6HjRZ|Qm) zrr^I!4%y<GL)E%Q1?^Rcj3OgTv_Ue${giHS33lIkaJ zmfml`gv9m-hu&{K;>+V7$*F5!Bo}j(CU!|NUMgTHg5#{L%7_yod@g@_!rYtn6{7Hv z8R+QVh)&tw+;lP3)fVO|5rbCqUW8_Y=(2alN1!-h7;Kl5qlv{2ICMQu2Ex!AkPJ7W5Q^ls$Ohq4Wu-(J5KS&=A)AWV7Com4xC^uF7(r84)!b zV$k1TErus8gjX;nBh#Z6nXshjwspsOv{wPV}sj62>JnvH}2 zH9kH8$+GLEPH0Xsv0Lfizr(8E>D@Wd)@{RHt+$HyBBACDxw;JEl@H^Hv^<3*!T#nk zsYmj;q#sKsh^DfJ;V1nZnbk08)H<@)paX9TAzexaNkqa@6A%l``1g{YY@@91Q&; zvoFz>zpn6IJ6@us*v6r`9|=XuW3>zc>l4WQhD~lp!wBJwqA+%DyaEv*oi7Z(N{M^G z)B7k-C=(Epa^k0MdfDOpkoQsBYVlEDMiM`8W_|FeY3-wysPOw=AW6gzju#W2^i^bJ zEVgnd_muUOze*b#QYucOVo;rI0obo0Z4Fz!?IV#wO;4Gz4C@mUrjfOL>1B+dm_#D` zS>z*sItfCwXi8s$jF$aD+F5atMrU{ycMcKj%g`+H_J=_cM97hie*0bG1bkDa3$CK$ z_;Px|{c2*mY?7#UR=`=Owdgg0*U7-+PAo8{qxVIvXV~L5R+SqDY}Q>y41AC$W+Lco z`$~x~g`Yw(qx1dD-STD;Tg>H3E*L+S7^&WZ_mLkQkBaH3NXo$WdSOA&$RVqYoe1>R zTCrIS#84*Rjsqmhu<@d^5UDH+Glr9=2~5-Y zR8$1HzR!G;GM*8=M$l*HQF+Pn17;NDb)xmWg?+us2ddbm6>n)TV9MV=NjPWE^edze zOr;#Ki|sh!-B42c(6m_tF)%Npr*{|f8r%kaP&3tV5#(#k`X;li(XYZABbe-sN)Z&G zQhpePqhpRB`bQ;4tl50A2tRH48=iM<)1@(>mxl0}i=+!=0zQX{T!OH#8Bq7BFDANm)mc}&3x`t0 z_9m4ptbr}=Co7D>Sb8N|#aHW5%cT0EmLIgx6c4VzHyPreUgWZdw)&l#wb6xThtP@g*Hl-R{ceb?T~Ii` zrheQ?mEG2tt1x!Ik$|ycJU`ez7rKz9u54j|vv=Wi(UhJ$f7YhX_*PRt>;5zo*$;DU zgC`ihwKlCtKa5f?*LTexD;B+eSyx23YMqf1ZZ<0$o`$)H&bJ|fae(S2yU`k-2Q8ZuX+b=_0O*G!coXO`c~ zEfHz(mgkRJOk92WpMk29+UwJiC$rL~y^A0MplOT@$4s=<%RX*;fIlJq(OccO_wU_t z7GZoUeTr3aO3I;K8{AX?6#7MZh2g)?GJ4S6y0WUXj!jGHp`77Yk-;j`dOJ}qRg>5| ziZ}9y9`_%!Sut9G+|Eoq3_JFwDbs2_N_(o6hU3)1egf3)w@Di;6l_sjuU-l0m%i~3 zGe77Ln@|e$+eShz7;a_nGOY3NG9nqQ(z3qluMVy|DnpTVo+|9LjB*nBp@C52x}4|B zpE%~F-$Hf4WZEtgW>U0mr0x-VqX1_5UF0&OnulSV^QCO4<_*l-pSYgU>+ 
zQN@lPr8!A|Mr5vpDfIBS;6XnUF))#7EHmGXdF$M%cD(1@@+*dHAi}zF>gz&x9Qhe{ zlL)Xj+s#Z%o)^}!wXdEk zF8Y!t4GnQoU1xiVtLiLR-Dlaie~{wg2JTxxj@xg(!b8nWLa>*)gkf8YR8j zSoEqZSloD@GWOW?_@z%Q*sr;%C8)Of9-9xvFXUGeA4%Dkt+->`%0SgjlX29mDSmKh zze02U^Sv3RwXF!$0lG56y>L?|6(FO!i`!73a6pYn#*@j&C^5de*X%oi%o1A7;)$W-WYrbW>0)qVv;ie!u1LY4&%-Q?sJi=t>z5 zVJEO?R106su>V!U9~@_WQZZ;53c{3t^?f7+W9y&w_V$dSi{G6dw3>02tqyeNRu)w-wOe3@U`nAO&^eg0ByuBI_Ar@{Je^-0a_Kf89g z+xayx5_52e>Bcs7kT10Qm9lAc3Hzt{-8z2gAeZcxEx(m_^WDC?gS7{lCAX zC#svzTb(6=;Z;95;a~UukY?x!@ppfG;M=r3JpMd4s+hPMC`eRAT@*RAgq7mbV>-&)USqlLE>*R#R0k+7Y& zifA)*s~pajER{{QZ(^G&{HmPh|=Rl z#!uW#BoOAE|85ww%+*W(k4f_DhOdJ7heJZExKo)HdgNEC)QQ>^iHmjZv zm6yP;cr*K_@3C25mc5)vIrVuVd$S4eCXKx9R2gu90i=y@WxtAtpdMR(cQ>uqmf-tv zEVU~=1$=yfTF7fn@Mce$rv2f}#hjwVYePzf_lOJSpNPwzkvS%!M{%-&0B*N6^^2mX z6VWEq?=us&Z*3$#$^8;9#c0y5bJ-H@yujzZEpz(_!&=pS2U$B=xxGk;Z|0eH4@Bs~ zZ%pNK54+Q8dt;-f&uie7d}zcU?3h=yh))Vi*9t%^MrOw48ZJ|l5z45e+DGXLoN_v^H5&FI-G z6acuLm%_|x+gUa@FLcAJUvavgj~bJncS^kYqvUydwUvebzTxEfF9OiC6*~QbQ%H@H zP5WT!q1}7q84c^zNYaC<*Y+}=_`6zb%vc&!@Z_^X^ye;gF7Gw}=Kjd?rFzrx?7xGw zx0&A-jMEL@v&tzwe$z#GbZjakS~PAK>3_p_hV`yy4JIR^S5i&r$h>JQ~`w-pRxQ5r_y(*v3PCwTC=B^z5 zi3pLC$@A@5L)vJ)d^X z<=dwlC)K*1Ws~5ELgW&EPu?VTph~<|J)<2BA2dBUzB_*m;KHJPKdvh^=sPjg;xrb_ z_@{JnR9VN#yDP~07o47 z?fOuB&h~cZ?uQ&qXd5gbf?2cX#PFboo@3u6?P2hQOL4%y(B-4BP~I1LAv6irljPWE zNs8~h@bdt^9Tv~;PahzsPT??fYYf0IUtUO>?XmI080d8Y7)`csv+6rfj=6|%`iiSb zS29ffrLIB=bDy|fO#Ec-y0J(vX8YEwW;A6FO{@YOY|P0)q|~D;TijfnXgp0Mz`@4D zx;YSWZ;+D%fMRW1)MkbV7Ur^0a^i^{j?Bzlm{Stz{M0`Le3!!`!N(^o%o22xPD`47 z(JQx04&bNd=kv!EMt;QBL_~blU90Jae~7{F?863kPx_lZ>EkD)(7NxN&iyV)*kI%s z=BK-=EJ7iaLLlG67AFumE2_PC7zbjbv&*h|4dcfon6TU~^k~J2E8Ou(E%k#;Y=X+Q zwi}}`T=lqd(2GATLAP@DPCW;S>>O0|+T>q?|6~gjQInGwUM>4T1hnG?D2|XZVVTNg z@x(+W$m1(&#`?>D2m@pevI*7E16D*oQOkUso_?95PFEOHBWXo6h>A{*JdF)tQ1fj~ zD>8Gzf(w{lsDbQvPzV`3pE$=?3_MGFIAIE24mMUbI*XludQo4qN}VU~TfYel`K8k8 zhYUnl{%)#kG^7z>I}7tHA-?WWtR zs1b}B81Q%C(>GbQRNq&vX&f#`rZNEqEmg}K1h3uxWX6JE{zf^egxxdeMud>tYMP>8C!NOqx 
zvnZzq4q&9OAKXtLPKN&*6&U||U}5)DO1-O=7}IBN!J4F$zg*@;0p64zRgIE8#`r+T zxZdP;EIC8AKQRE%IDIUhXTtj!F$L=o(YGU>)p6A;ei^QuP@iOaHtwsCj404Kr(tIE zlu*V&?-Y?ZQlyaHetvg{VhI5D=F(=mt$}nBnaEvV&~xvMsBr+Bqrb3k6tcW)o+#GH?4-O1TCbMuLQ~%5fsYF%XdUsOHwPstM#0*&4nCV3Z9ndyoq+aRR@P z5T*~vCA1qoi2e0xO`_&hN(qgh#6Y2>KcUy&WbiI`J;WKKDVGfXk_spb>RM;UV?hQF zGQ5aZy1ZHOZbqQHIO?ZZf7~C!0Ozv3<#uuKyg||}F4G`8GLpeZB}nFHcqhLGr`K0^ z(~KMk`+=~O~ryaa8Y`ZV=;{ zcP;0lUXTKkh>^|B{d325Ow;$(y0q13@-=;^%08o75c3bbZ|8Nyq_g_V$dWM&za;y| z-ASg2n8IQLd>U#tU7^eL!W9nVsYV1objXCr7HL}AtCpt zA#b6_cbNQNQ~oNwV3xbri$pdrYj@94j7RIiQ^HceY>$!O4ukFUhX;csNZ!-E=9FR~ zD&gSMoGw**O()EzL-c8pdOvp;I9*uOqp&@no07)?eE#U)YbCUP-wxVO4#F*9#rmj( z4U0=nm}Qc+XqoxB0HYw1A}pHvkdGUAlAiWg%ed(6f*7GBK#(fT@Gkd8h6q8k>cU$$ z@4n9zBWk1nv06GIhLH0@kD}~ny{lVj?v^i#TyC%m(4o6;{mIlq#x*kt$$?k%r*>uX z6jEqwwUTp^{z62mF#YRKBaI6w)*R=*;zIx!5F=BUmkq{Nion+5Ms0{lu=V2vBgMOlIjMA;UCRKwEWP%kS}_I67{V&?1yCm&8j3Kk-lYY>M_W8PplB1jK4ybgCI^ z>aT9&fE6O6F*T5VT1)rkWWy6dGHi6*@Aw*LA9^3EW{o)PYa5yTB=F;5No4sj|4oZh z+Y44~0#!pkGpFKt#{VWMVTXvYNCY#tC|^tQZ|R={gIhn0O)HCAfZi)PgW2 zIq@s%?7cnA21S=Vvq(D$m?#~HlVh3mU8i$S;qOUyIvJI!(@WK}d;K3YGU^2zL7K!! 
z7I~ttWvGwYv0Dxt<9ee2pDENrIaEl(`|{=?hQOf0r{bm16$+wJRMxNY2&=JEWZ_bK z9-_fcRP)KFqw=L@gdZS*J2OwmZRzWXfPQlPAzZeITCOI_fCb1;{HfF}_ZOcFCU$bwAf+DVtJyAb{Ozo$73`j=JW|GjiqK#dz_156O#`tSK6^8f$kiI%}V zjgyN-{;3{58)8(@ee`q^bPi_(IpP-owYrgq@1ya`jvP5Q3Sk16G{Jv|7R0{5y_)Dp zENg$+rb9R4d;Y7=AruQyw`aVfh35%<%4;L;>(yskN!X@`Dn9@iz>oh1uk>@;TwX8l ztp>O54K3`@x^MeSA0apG?LHR`K)fHf^=Y@KkWV$+y|1PQ5?A51jqvw|GWO%!<}}SW zN399pvfz;aYaLt<(YPnt^>@?!WW!2r@asjGLB9Ix`)4Jk*9RxejSJSr6pPdbaB8@1 zp;WM0>*-D+E!o#h%+0#gr|YwNNTQDD6Xb!#0aC}y%bP-tvHPnM(tdwj-A+k40nOmd zedF@{5$e7(j#-JM0YCY_?tZRyD93yd4~S(a;SOTBw{PcwA?tgox-}=7K2n-0BuL5e zJV(R5EzCZ5#jHugq_8$wiUu|D;dwDJ2?_iFF;uOON%^)7f*%&mj=bp5oPeRuw6S z9EwjybNgp1SELs3`Se#HozwZ38!9i4xAVO^3W+30N1+)0qu+U1(J!|zIrdZ~JLm=Q zZ{LbioA&SxldlHb2kgkZ#kXSeQb$`=J7w;o$ZsjG{3q331&lu}oc(k<;6D~Mu+V^I z+YOzgYjaT0U;{^qP$AbM#aM36)2>y1L&>n+ss5Wb$JMd2T`8|)YvaRW>npZjs(4)W zUd|GA&i!Ez%)OU56hMb2bUk>qUC8dIe_|Ak@Kcs}nLJZ$&c#r^cH2{JZiQ@GDh)ON z^IH3|$asV0p1P(wT$nMlcM%LLf#zPDfcz1R~Yqfh~dsr0$) zzXH7?tg19(U+(?6%HF;+3fXPN% z537Jbp*Mq9NJ&MiQNa^C0{hx8(h(X2Obgj9VQMwvBp8oYfTpR;cqClAtY1QsAVi%0?d|W)*`bI?5_p(6Ue>`Z7 zgt(;ffX`gwtzJj7A4D*~G(x5ezs%E0bbpLG;&YRUhj)JN)A7N^t!6+ zKptCa$E!KPCyRmW$?c2u?I&4!a`go;pY_p(|J2EsBf@dLme>E#^ zPzMI+&iEcyJnXH72zYp%T;+nC*-pM};8cHFJ6XMC;C*%Y_;@02z#MG)&D0bZE0OKT z)6r8ZH>qSlG7&n0KdR3qw%4OhWcuMuk2Zs%jy_1@Cb$HrdW}y@WfVS(y z?cvqOFA@DiLqnfb>e3&cFIu;deRhvoAKfPNr&Gde!F$q^3{#&@ct%~_2ltn%w|#sO z^_PyFwJW(o_NhJmheuiesw)QZd-|*|XDiX|g7e5ghe-L6>xRFrOH-~%H%~C0W|9@P zU32yGVcXM=g1+JNTj~UJnfI?D%ipJCUd+o+cC()gj6 zx2~T(D@5tI-Ns@}FeQ1V_5Syd-24d^HLK5fC3Le{=A?*@^5o!jhsAbjib5k`O9Re)rWF83(%p8IH`R` zK^sP7b>-|`Znt}0hw})3y*)LtEHeEVXz1)zx4+ShN6fD$2>9F^Yn6+r>_t(;CM6~9 z3SLc)&bQAXWAK@`!QVfyQYIuN3DLdzWzBZ*B=Y~vIx9xE-Fl&QvmKEq6k*bSJ!p=z zL^4Pn`|)U-d%NC`3LIk42gsQ6lQhZ(mu?l8M=jOnWG&s`eKEHbv9E@BH$MMKMZvLs zrqhSF9M6TNZsUTC#N6#>3KHA@L%``<985XtvldB*e7cZLf|?f>^)U-F!J$7ag$>7S zu5O>(PXBJSLobiI`2$oo)?99I!dox)rW3_5=uL$m=YNwswXu@KbkwH0L&vEHS4CFV zA6NzvC&%O>i1f~pd-0pMq;{^h^FvH08Aq31Ka=sisvJj3@J1eRr@n8dHPbwm#b2Cw 
zopm!oaA|+Q^QEw)FodGps}Ylr6w11R&zkm?ag$*zie zoS;B;pw#pl?Ke*aiJZ^_!QhzYqai%5A%oNV6?f=uT7ub|6K75M;{$kbMNGp^w(w#~ zBwF-#V8*&lhe3ZN1yB6(F^DZzehLhRKLSMNeb#&7daX05=r+>V{@nz`5kI(uSiNmotw2z+uH~02A3HuXX zR_*o7GBrb$V4IlM(@5+-Bno1%=d4}VTy`eoS|J=%vqfv$XMGt{!_1_H0xF7D3rbO> zO}7x<0LIYFEM9BE``@T;e0Y(B2nBxV-!b-%GuAndXRKeY|HVg=^3JiRwR;NyoDF(* zRm`p9{2|S3(HRyLqSo{Ba6gp$Gpr9EnD&J1;Y{-_e2H9qrRfq= z4S%Bp4i&i3ea$vna1=5?^^=k7XqqKrt~{^Vbe}f`Fck#Mah5+VmUVr@BO#=CMb6?s0;~GHKQQx? z=U}!(xBA<#zyYpdt;olh<$5K2iFihG)iip1UE+-LDKXjFMX$k!aECI=brpN%DIZmC)M8HlR0=ucT9e2t{Us7|#;ZO35?Yh@5tQd#GOj}Vy>Pyv#lg)C_<0Os* zEDOBn>Pqv!?J*n`v4LD3($}{3v{&8=Vz*_n7FMorTtrjr#Q(gdFB*aiJMcIe#EN>Q z+$cwov;Uw)ow5m3=FYoUEqGSVcvgiG`TKv!vvOe|prGYrS5(yC^K2?`9p;-fYeuaR zeJ^xBF1S50eNK9QFl$)3^u^ZUV?`T*^N(sIOx!uVxDD+ZB7bf@Ngj$7B`Xv|t2l@1B*=0DRv5-R@7+XDtiL1{(#v z!mZQ%+TzuR{n>0`N(dZji9Bn z^wHHvbFbGPWwPn%{O%gLGR#p)ye61BrSL+c8h z)pI7N3$*EKs2=wR%SR@8j29|43QAMNpSx2fxtn|2v83c-?ng?1B*NXa;I)eUM1T3| zE1{5tpS_-y zog8#22^eU3nTNq*+}4Cl2n@5zlVa3Ho{a1B>m7+9WGra*kP?eQ?HF?mG?0;L|10jk zLrBkJQ1$(${Yp{W%GCbuIGprnG!A+QS@rs`p&PBZbFjzg?5bz&S;Jm?U76_rCfpqK z1tOMD;NASFn^}7bnFwP5(m(dn;}=|DdQ@S}WU6E~#o%SbVf&HAPzytOiQmgrrCsw^ z$c!WVv9}V-zkoHlgxZ$ktTzo}C2{EZ!*=D<{&cLTXPP;)xb*Ddk+ZVnTc-`aDnTqz zxM|P-*WHzWL*4!H4@UOMW5|-du{;!yiez~(S;i8ww%95}_I;TiYLH!`$XZ6oFqVul zm>DD?*&;k9W6flp&`^Z$r=I?b@BQJPd(XM|o_p@O=brcb^?tuzm#S90mfP>=#E>U6 zk%$O26=k0>HwoaShQ_(Zt*-&9G8u5VqY?%ND|jGDyuE4iE~as&rLxmFcEG?Crv*)biviiSCQA+LW z!Zjg~OwFC~&mPo#^$wIKRZ8RAoF!v9uy}!IaP# z!`A+fmseb)4bF}qbE@Z)6vWvmmnQOh4vL?5^j@CK(~YQif$?RQn#FW@GR;_7G0Kfg-%5gtcQGsHT5QLb0x#oOiGG%e7a(Ep@pMAW;VR@q z{f`k9ex1d|w@Rg*dhJJlIjE~`d>|T90J+`W)0`#NCsSHlU4Gp*c>|s9Zup1D6h3XJ z#B#(W@p#{)gh%6>k=)y{VZE;~0#cUJ(5H%nK6Q^p*UCITQI*K@Mys$+w*1tp234`2 zgWqi9ZY@I{Cs{sLm|@4o{ZINtIGmkSvdGf0C=1l;<9_>h^DG#zIq9e25~Mb)WK65@ z#m*m52pw~734B3(`Eq?UgWNs%XhJa`0N~s@-QOJo*noJ$;;rbYVr#{l##V3RL%yR1 zgzO#c?S&cBL7$DCl}%_Lvy;g4H5C;O3yk_55UI$l_8^D#2M;(vOv1vfih0z&lCo zT)@V&-KP{R!@9Yw7&JR3!ZnoJcnE4dU(3o&6h+uOk^9c 
zs=_L9XE10jwIO4eKh>1vU>b5hgc9HJowh=v(-rU}!W8#f(KCW z+?;sO+->RHXt0%F+kCvqr3PD5LkTT?^Eo{gYG+=aLOQyR`bI?vgDFBkz0V0fPUhIP z0Os`leJKSVk=n1~BpQC!X$9JFCqAQ>GbiyiuA$#seJx+*uF zE90?RTo&S0{>rrOGy&H`B&S$O3Z9osOHLXw47*AYCb$bn__mGO)TTZu5|va?SQ;28 zY~Xt;)N~lydjp#M4HTg%cM8TgQUZzIJCAeLge-%smv^;0Wp^o5yWISE74d;7{A{bP zaL>X*UERV=d(WkL4liF&#u9t+{-v!q-KRm^yueJ=`O}esqI^$lNLiW$LTb-*YRr$i zBd(ZCiZvi5K+UBzy{yw>h2m6FdhjyC`S)FEd+sZD`^iW(Ila-HL7UpWlva))T(%N!yx$ZDot5jCS!Q zS>ubZ?)UGQY}0)Y8%ajm%zC3<7C{`hm6UpW$d@X0z14}ly}pjEcQ4ps_t}?jj;QzF zf-)wz=W9Nm*))aOc4Ff4hVEr^B;LglUJz-LI??MAlw7mqjEt96^s8~@p6SUlqVk${ zq^~1`t=p?=#uxi7#*|Gt9U2dwxJsRi8YXXzu=#K3KfqC(Mu#vxPfkuV2TVXboHTlj zusr2Re_e?LvNFW}K0)|SKXr|8P`A=fD|CI`T8!G9ZH{A8WNo(#UTiVS3GM!Ry(426 zko8TWg`PpiyDGCd)-TThu}!w(o!xoobw^0F7jsrntQOk*8ii}Z6la9ez#PMTu^k<$4hK8lt7^B zV3gommw8mO^KzG1@!a5(+Tl@8e2Bn}Dj^8 z$^SB96q-M&eMQ&`z_7jQyl~ceD*-;>e|tSpT0bdMIZWo^y(#lA&Dvt=;g%3IoDES5 z2E)0eC$zQSRhwseIlCv>WEn~d9!ckg95}>#WxR_wR~ZDH=nAVI#d z(MqUT0)y$`Vvb7eT4x7|!^g!1o;zMj3c0G4eoPpU6=b=0y+lh)f1yw#HG5S{=l5OE z0Di0$L&{?^iQ`GzX3dq8E zfHOt@li)0hAe)@!_{b0fH+>tOFf%L1#hE3$PZp0ibP+V&oNum-;3Il7HCA1p1ye&* zJsTQa_O=)m@Q)Z2*U%l`c?H)scS-6&M_SC$wcp6K<14a!bz2B?EWAKC23465s}+yT z5)s1jjMJ9aj3@N0=o^EF`Ts09Ia`m7v>i@W56|Xb3(tSH)YEcQ?=Ua=M)$3d-L|(} z|5*UBCw_(?s#B}hehNlMqs4Db2Q}*g`(*)*0|F#I${v7|$9r_{5!9U?h@s+44@W*<<)X37X2H}SOAG)jL A9{>OV literal 21795 zcmeFYc~nyC`##)w%&aUsrKUnTR+grooP|b7EzLS<=0J)=CsA|2Aq7sEnMVbOOwEDJ z%*-h?=Ya+VO-0Rl9#BER0Z~v8_)+J4KcBPS?{BU5zxS_quO%DSa_?t9&wV}DJzV#W zxo!>FyZgxQEnBwiwYYNW#+EHRx#I6{cKss$H2(bS74d0n;0?%yEhS{ddGU`OUgxi! 
z-?9admD+UODgG__;EF@wmMw?Xe*A5+ty3v#RDewX_KYVKT&bh_C@49bE-hO3RwJTw}%!_wP z3KhHUZB>1H|9lKp?ol}L*QZ9E$`h|E{or?0lYY4j5+E_1TwPPMIVbOhax^s)Nv5iF zlyhIg+I2{ZfhFK@CZbTiUm6$pBHpwwkE8doQu^+GGTLpeXyiJ7#i}bs2MjAcs`B51gi(bVFyZdm0ax{m&w3$T+yva6n zjaUkw;Fpki$O$gephCGb8n}@Nta0%stY{JfZmRq`UT|5VxU+p0m~9$}7M&$Cm`-46dq+P1O2<@Wew!I{lgd zLEunZmO2+b2}Czudkmgg8OLof`>-OqY^ktwVk5*J$_o)q)o#wE3Mc7aV4=vVtyaI{ zjAvr>CvHS1*GWVAgz92d=*Dd7L?7@V1}a=h^&2;{Ze-LoGU(dEX2SYeit4@z!Po@y z_*SdUX9AzQjq5k&@S>_Fn3p#I$VaLDGcoEcIf;+k_zrXuu%vjbQ4z-v&7-6F_JoiM z%Zj5a^CGCA7(F)pYPoLPCh^Y}SdMNqlUU!v#>t>I5PH zC;R{l5S94@{@I5!nWGK?qE69RTbQDB405q+Ldrte=e#+=x~d*9k#P6z^1F0D@t_3j z$<8Y>CLv21qoUpF+*y4?>_1N!V7+*%Mnpm_>n;vcwKi2^1m_eQf2F|#xI&*${z6r$ zOZY-Xp)_ha(jK_}Nuoq*so}+7cpZ2{2jt zrde9gzxXk1JOZ%&QikbQoN$6a&UH!sRw@`Sbsl*I(hq$uxuz0v-WCzIfVz3Nv}03i zE9~tht_FHVW8~qt!!&HG;7Bx1FoZ)IxU3rx&kEv@Ue?or5DhCOJOykhb1>qrPmsGy zp%$v7@#vAEI|`3Nmub1QH>H^SksC$9q?%&J3vPw<=F9jf#2v)E1|FCL2%B#5?uQL` z&f!a95*u`KPOs#`e*GKSiET61Nqn%dvvE+p0qC{?2CeZ8T!7JDtPuSZVAiQ$@|U}@ zs8zaP2`xf|t@YWLR)JR%u}%}VSv-UBP>Q*u`#wp}q`%IsWPd-ed(bQ?QdN=-TF$Q3 zskx$?;;t?_bnd&HQ532N#94VML(912Uh!FTq<3IOFUB${^H!?h@xr$Q88o87^w;oj z+Jf)e&II+Rs|SY;(?VJWy#uIF8)QWre^X*7ulw2!QxGDktT%BBw&4iYcpxFH7)1oa znXa9~cR?2BSV|nB#rz%B_U0ftv&n#dU)O|jIJ{*V!VG~OJBBGD8~D?vpCjxjzal3E z_W@zpqG7Wm$v26|{{cj5Tb3%9ySdD~cpN=XMe~W2p7i)NN6_ZHLcE|}$YTt&hRa-_ zDDgIzryczo5T`FvI}9f36Q8ZBewMJ93<hu0!xA5Uyc~{{G`P?GCz&K?4=oOPIzyV zqBWO8W?T`QorEzq$dq_T1?!)rVNu_G{Z3&@_RdxG4>S^4Hw`Kact!XGISlF*F0Hpt zkPGG|8@;~v%(sesf27ZpNIlZoyAa>nt@GF4T-V|es3B&thieP^Q-ZE$v)!Vc|_tkA~lGob$T4Hv%i|hM+aF$U4`s=v0)qS>hp!#q&wyXU|KX&5?Be zg15T<8amSP%xv*E;Mjp!IOkrPZT7+~9K`1rI&tuvEcUdqBfe)NyRNS8Qeb@8JGSxn z)*A+(eG=<8q7es{w~lF{igMCzQX0G?Q5Kj^+RR{wtnDG<(;}2@qMXb`;(E)&T_3YH zzVa@E-N|%WE2Y9PW`BQonxazfKfLXvACfdGqM!x3*;S%>ZNcYwQa+m?DxC245kWfL z9_#=#lyfngrnUK?>}ccc4iO%UWb(jUR_cYa&#H)P{bAspp>*-a%%N4DQ z(YI0DC&2GYM)m3*a|HZ5kwn`J}X6?PDDlWY0Qv5%Gyi zki{1*)^PWbl%swvs^+F~D=evmB3+Q}cJN*9Ld!Rid{%KvmbE_npdF0q4q2s0c|YMg 
z57nxm`=GbuwS$5O-!{UY7xQTDaBOEM&?u$BHgmCC35ppo3 zu83ma$Voh=NlqCp#nL598#u!ialo0B z{I6+0)-iN*w}o)D8Tj|Q(K@nyfX3mjZA9kAdWxyNX=B#?Ri=mczHP>kY;Ea}^K+6vEet<2kl0YG36#+Y+BTAJ8i-z! z`yUTgR+BslC=mgqX43Aa+9rj)9z#_)Y2+ZW^x1{kiQx$HBNV-?69GFSP$6 zYS(WO99c^7^*D@T&!eTO4#>C;lQsol!ma#&8*|o{GBbeJ0rh&H@J{QG0vTDJt{UHvr&* z()RwXL1huHxCrSQX^~vNS zG`qvV@BY=rwt+HBdeScSttQ{q6zwf8VAM7qIqtT&DwCl4DyQ5)xBPS9n&x0jn%%<> z1D@x+Ui_wBU=<#8rQWxD=uWe%I&4q-L0uO{)~eX)!#>}ZcQl|nJEyf0*Ske0QA&>9 z+d-m@PAC>kd9xqZuTCgF^Ee{TN6w=VVUmmx-Yp-oU&iuODJMRvJc6coP~hX(rkUse zVe{Dw*;6$d+$pSJ(!(@FL=ZZPcti?p8CE~KF)=hF5%n`x?jD6K5;Zn%q4$TVf)n`P zt+dB_BX%b9buTD?uuAw+1TY?YA-sK(5=Vl94oR~-Ml^ho)2(y z3Z=r`D-=CS1<3G4lo@~1=Qn}e z0Nr16L%SB>*Q>onJrYa9rK+E8HoBrgL0M_}7_a*`NzQz~dKNLB19baWf;Yno@M=X) z*07zoZRQ-7VUH$?zKUkD3UTXw+Nf(&`$XUk@x~l^yP1a*5q!ZwDmnptKG z|IHL6{n_fL!@J_XpDKAS;RTdxePFgqhpHADWDA=S;DSNnIS?5^-{>;7Le z<(7lgI@DBE={S2k0kx(l+6?i#4*-^m+9v9Fl{jAen&Am}ESyCzEOkLnZUKI3KSaw=Lpk;X+n z&@Vu=fMze1Hct6POw(;lHPN%cP4Zf(jgt4Y&>lCGNRp0;<`P5#1ILksGv`H(Nqk6z znXEQpbEQv8yZ!+_CaqnbdTAUzqXMi+RHT;7O@d(70e|U?>l?Lz9xD+a7mq{~1f0m! 
z3{Jf|CuoE{fRftyb2&}mAohcK>T`J;R+@&ga!7P5GErlP?6*;!FU@MQWDC#h)t}}b zvq4EWxUGy*0t!i*s|j1E7|3QsnOJzrtUM=^x{~J$YVDea01NJ zgw_MNZG_dR(zrFvzJZ7(ZPX$?!v)Fr^v-C?(w6ky9^AM=0wGpX_i#JdE)&vGxspdQ zd9(?V|7v5>Ehs8@`IXbjOs>nr`Miwc5r6x@2NODA$V5cUg`#m(xQNBQaogG6X{9k> z-_^wl?bL)(!V+bKJ*@*|1GaTC*qP5-^6rYw5p&KBr}~TR3#TmzS+Wi5B9+biGx{1F ztexa8>;ZEM81{?S(9dJ^(Hd*{WIk3&hSl`W>diqZ_i%A&g`VwETdp7AUYw$_rcS7H zwX*_CJg9fUSR=cVNF#ObQmWOJMX;TzmMJu@^qDC_%mAhbs@q<~0)(fXgb7rH&a=OV zLa}7QRq1ebmdy>E$!7Q28c}rGC^(+l&8yI=MFbAAu|6ur58D2nR{#kgP19b-lQDl)V6p->W~9W8X(-^Tb8 z)uA8vU~|u>da>EY>fA7tX=mb+Oh>7ycbguM9f1b8-ozOI`f-*8 z>C>ju{gm4yUjH5@i%XBIHAC8`4IJ?rc16cFFfs&h7W0`S%vcC6r>)VMdk~I^39O`S zUn&$9*)Tm%Js%QA@1yLPF?w+ZfN{w63F-nOpP0cMZ29?9fxgIw8WW5%tJ1i{^nf`52FTB_H ziAL>~?Oq~obBN8=(tp-bGGlnd>5ore6KzwZi+i#RN@oKr@gS@gYjbVRQ+Muqa`l3(Wb zh*BN$p!u@)!n{VH6TeAg?x?P1MDdvte-}KoK!D%pmOM~|=9TD7nt6Yq+!IfQN731> zL?^B5x*SN%fASN9vLL7BI9VIV2V2cevO7DYbb>=YGI*?udu4C*vMuG;NJ1=~grnVX zi{u{C`VD^*i3J6pfU}EcKjzPD%Z_E@OE-7*?;g&*=m^jEA%59;LbjmX|LDlYYq}a? zHeV_uo6s^mT70Wu$azM!Ef>2lip1ZnNviM6T2jpnE9O{yOg;zjd9$}{H*{M9v!ph{ z|FicjFZvN~UZ;dMOORQga!MNgq*=Bay>Fx`7QX^eXmOJm`s)aHH)7pVG@s9VuC3$= zY94O~jaDv+>jB7v5^lyNj}nX5_C_opnJs{!Gu3vOe}6hK*eblkrsQ_SdtH70 zE9rv5H(EaCP@+xOVw=E%^a<_te=q!|c)pYC~w1>hxHx*6xp zC7s)is#NU|%rM|IdM-*P{FdJ@?5_D65K-JQq-SQYn*7CZ_n1RVC()5ek`~h~$O=xRo97ivE#KpVgoGg^$h0&|GOUNU< zhmsu9i!ZNwGpn9uX=yz-hO}VTs}Fr00ccaW_o2JSbfUfl8_LAeFhW2)*cfliFNV!0 zH7CZSZh#%zQcCuH_nXtKOuk}HTsPL`oW>{udw?*jOmDcZMmgmI=jJLVLaW994KYO~ zd~D-44jq52kr-kbQS@*gi&w__^3*-+y#Vhz{htWUF`SrqV@%VVVe_it80Sry17Vip z`g+*5nG1|vPVj*9&CO0)*Dtz1KiPI!R@NuQ=}kOP4ol1Lw3Q8D$wJ?wDbXc~>u0`P zo?buy=Y;BDMp~0+!}=bl2g(dBV-*S__9bmLRptsgX;P^GtS(irfp_}+%i39dhP#>M zT_#pd)#926EGRMqkL(X)eh=}niYXe8%GQaiwdlV{9NV}oYN3yDdk0vTWkcgd1z5Ow ze0Y@cH^ctb4odQcVj%M6P;}s`l0xpHh96+;w~~1I^0h2vsvu}{FP7)(BVIth1!v*D zO6{01TTs`}MtO#eQhTyt-G%_7AukOnhx?L<4|>p^V+Qoq{FwiQ?yV-kuC414HEUte zUNzAAO;{pIv%n-ki#CV#Sv_&~t)6G_vH>VQ_}#_I=vwRh%wy19H%|^Ou97N}IItB> 
zop;ozxV)rV|EycnqHH!Tu6-&r`*jHeOvyz0>&t*SWY^8s>c-_LFH&V0C^6ngMuMK6 z@gB@hJm*C7&{L^jz{a z%weYH)0AXncWZ4x+n$CWec553E(FOV)Z05C z#P6RaZU@;}?7h7)tc3Qu3(It*A0Mk%iXWj_5e?KOwo%MoV8eJ1FZFz1#ih7nwleG@ z;Ja5oZY}xEUc6g)CbcN>NSn@Fd8G=3oU2zx=yN}KeIQGZ;y7mW%F!Ud-E}j40jB4G zxl9>-gY}P4D!&~Bi?l|2Uqh^@@CR&{_l_Wx-jvk6{U)>+{X#cZC(W3#n#u6fcL|GC z5TvR79=xq!3!Sql#VTg!2B;pU{v|s3_8jo6b=41RVnTy;itnZduimtXt12;>o)8;z zB%CT=>;L(F2C+hKfDP;~yU7 z(+OGAjY$&~S(ml#U*6-agD-)FGY)@MT(@a$h6hz?&A8581obX2eQ=a*Rr=T*>|yi$ z?xEywX*9L;4*igi(WWqhdgRc!-cHUR#wSUBHm|n(%-Bcvd3r48HCwcTl;`K zBWy1fSGNA}1d_WASh-rA!=+IVEd@3)@?*STKs3bKG5#&Vr-4N2xI%$hYr^8~Up;k) zS3W05KVNSvhrz1KD!?n}D=<|G6N&itXF$afPrT!XakBr_FJ7Q?xnK2?x(i{COSFP2 zy#$|+Gm^H5ir8mvwaomL(wVlC*G=a3L_ue za?c+>tJOlPJ@c)yB(Rnh)U?l|(#6|t?HTrg<(^LedPNWBQuz}vF@Fa(1MPI8bdH6W zRG9XATy+izdlRdHa83%Hp|KJd8rXZrZdc7o5rYej+T|)iBE=dlhqZxt$?s2L4-M^c zdPD89|6{9jTA!+9uA~&lzFC~U-}g3Isk>8O(6JkIYs{=DsOI?W_Jb>%azifnA{V~V z-Oe)C8mw05j2IT=vTM3kdT?}@e_0~`sI&3D z2T(Xf_w;AFQ{=W}^eX+2t&s6PgQBE$PpJAMbH0;f{NMIU_ca{$Y;(EmGaLE^ukHO? 
diff --git a/memdocs/intune/protect/media/advanced-threat-protection-configure/onboard-report.png b/memdocs/intune/protect/media/advanced-threat-protection-configure/onboard-report.png deleted file mode 100644 index 97bfe933863b335c0f30398eb79c4f94eb5c68c4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 79275
zgd=b}&MWHM^CjHJWaJz^@1nwH<9*_A>QTp`;nD1Q#k4*YSQh4peB(0VdA8+y&{*9j zaEmV_IF_UE8Mi?XsEV%%8@!c$Zyv>9uw9;G0P2CMF)1>Pg8weLHxQKDm7wtbI z79?o)4!AtTY2T1lh9@g%0nnb%8yaViDuR4;F)Z{L(LE z8#!goE%r;Mt>Cz6CyUZmL7{$^K^Gm%y$O1YTH#$*eLoodi9SgWe1=I@!ETLIcEb17 zI+gyJ4neL*rMvA|_F;^AAe6EBC|0Bw8&x}=$DK>D3-9(%SUGbMFe_UKUc7S);6!j% z=pY}`FqV>Gi^n#vLdG3)+6&1B#gjD22SMU|#jJvpnhN;n_Klkb9J1tK%Z{RE5aHB% z7)cj$z0>w=>7CuvG`}VIc0x$_Yw=$UnRHeeNv}v3>bQioFVU1<)Xe?&8ksPaV}A_C{7P>1Fz%7(@I zuYS5~X9Mhs)x7q!yeqiYkG}`jGn`M>#dw#uN0%wZ_~PDxGmrcuj|B_2JuWwy&G_3H zpAFRRSAo;dkV`Z(^O%rAHoI0jB$>voP*CK--FjAKNb_nfPN^`{nWpcLi_dG-LQ+DU z#1?4Jq$a;7Z!1)c)tasy=p^3%0x@cVqAU;6fIy+EAx18&MB~8aq-q?G?lzAWv>U5Y$S-X4f8zv*A#jihIw5tep_QQ`2&-q$*odTAQ%*=YeNuuC~j(K3Pwi-%hsRe83((36yh&Mg^Mj zVU+obsbw6@Buo_HX^w}VU$?l!0CEff+U8A!dxT~M09&?OF;*tK&k3&}&O3^?)DJmW z#$=>?;w#`G4{gtW7jK6?jL%7!U@q4aA*`y#+@~LTq=<<7P0tsXJ$0ex>Ap+a(;5|P ztj|9?p9!aYC;C`~-9AM<@3+)#VXEf~O;;?jw&BduPg%Rms_+Q(GxQK8DS-qakf(Pq zcQ2YF2&}Ooxv??48#b>4T3zVJ6ae@R^l80uzxN?7tQG!W7AuSJtPJ+ex!&G54C`b# zT26Fd5gB6v$SwV?M1;mM_IA4%&-@mS%8Q_v3eyt+@aCt+Wi89VG^ZG^@(Hqo*Tzbl zz%Q$rk5%@& zo7)O`R3|X*L_o|Zr|SWGTLmim99pza>{njkSEtI#vhwQn7uIzH|-cg5-)~! 
zsvN!_3fBR6fxm@~_?w`or0d*}goE87ySL+b0w$zY*xJShXZ+!!u(-HyDoen4y~WAz zW}>T^ehh?rxNFOJDssRS26fIj{Dj-lN@3zI-mQB3spjYFm_ME8Y3`$m!9ZcT5AOc- zZ$r90f;Fkl-##?xB3*%aLUV=||B|R&gTMd$CnQGOgGTDm(D?tAdFKBX<^IQ5H)E%9za~5flroi}~&U~id758$J>KjJ!DDH=S z3uv)kDV|An+|L8MLf6kp=Er>IpNzJ&%2RJJFJWzf`kyaMQ49o;IQ@Bu<)t3~p~fB{ zcznYYSCnSfGDtui+yI77p`JpyVzk}=M?m23w>VE6NO-= zWyi=OjziDqL>NA-95d-&U34X`1()W zPPl{-l)}pTybldifwq}n{JhJE?vwo9MpJje=jdSe$Uo!P!%gp^1PG(N(YTHy*gqUh|Pdf;TWEl6~?KES(D=r*8~wLW+WE zjp*)4Y8jOOPny6Un2Zi=hn@+z!a!0pMMNFCc5-!y^7uc7MZ5wMk*WH+Xn+sxUo3Mgx`k52TZ8@1rW@bC2@1h2Fsvf*(gQ9cd$u0Fd(Ls%`oR(Pw3T&t z_|EtC!Q!#>l><%K598+8ok%;H(@^vnB!(pbcO!RQ;M98sdEKd*ppHH8#7E)wN2c%# z@y~wz{3z$fp15oIkIoQulyAKvb9mGafS~CJJM`UVeuo4fw`KuPpXF{JkbL1^UO0z3 zk4a#t0Su>!CEl`W_^aFVTPnSPl(r`7r*_002N|6_*q1WU7%VoW*m8<+KsSYLi24)p z@7TmENUjf>xL{M;Y2@25@0(AG5(0aU2YowlYy9Ram8mpjpwyRulSB?oj13MXe{Y_} zF(@3^fGmg`t=aYlxwId4v8F~~TSm)|KJzlu`a5KE?TruHOFfTi7M9m;=f>xk97C5t zI@Geu9D`T5%~dZ9hNjH#hV~GY?2OWd@vmy+JOGG0;YWhj4<$9i=B9o<9mSr?;l+aA zaJ8}g;pCXU#`c_gca-#!IqHewc@3mZ@(nWL+qG;INSSZ%vovow&N` zPgS1G^L<&dQ}l0;S<|bRVSJiT<7!rGK9sQA(}V^%9S5ehu|o|XQdidUEN<kzipwx+&If6+@ScI-;nWvqil4;B;f>wK9ZIXK`3vqR?5#ts4y3FnJaU5AG6h45zZNi&D< zqI3b8tTW*55$B1m{~Zg$SgNy7_OOJjQ~c2tjY5hmc;u>5xA_~bO7{HJ&C4=Lyo+>$ z1;mZuq}yK8_?7GY5yLB1`zf#>uB`a^iMZtqh0Bf&Fn4dy=%~?DEHW$d@TIW;xQE~4 zPC^9U5Sxi;rLIc z>kcf{Sj;=2Z>hTF@3|t+x7-`aH9mYH7_7DDx9ZLbXq5JwU2OKlA{HCrN8X}9jvCY7TiM3Nh*!*B? 
zE^iIo6M+Y&OuVh*KfitzqsOR7GHNpOT=+TBbSmuAX3=zSTnX{6N|_)zccxHFb=c0L z`rqVLr4Bnh|FV9Q-Lf_t?N-#{EaELb31hu@*COeUIjxZVy zZj^mYGE->oyLzPi6jnhh-%93JEpYK}9uiP!u@)EqfNfFztQZWFA%a^8-1^kATdx-s z{%0nd%q=VZ-BZ=;@Na?d&E2BT2GlwlT)1?G@(3brY+Qz+vSKx_S^AkV|s`FL0 zk~3Ry57H0a+$fX7f~oA~nh;4EkD*dqr9%f3aHRYZc1C%AV$MkpVY9quSXB)+BA+@Nj*@^M!|+rd27R4K>kS10@M7B;r*oy+RRrOyVABQeD#v{`cL~XxPOrJk z4j7jKorXbr7@4>0Tk5paxjA=D_AU3HdM!LCBDv5HhIJw3tP=Nyp0VaA zXmSBS;~FXF?^+WsXN63(7oHa}bijio&G^PC?q*k`?_mj7V|H;Y?b5N;cq_rP8ab9AduAE7(zV}<4Gw=NEJFj`>$CD;4pMA3uLdDfCYF#k_Q#P4yK+e9 zk>48M+vx5#JkSY`x#6vpTho%CB!xV|N-c;d8tm|m?YA>3J8^Vyv&pNt=~hHjb34Va z6KaN6OqJb(Pg?~J@&tpXTWu=0TL<0tnLX-9uP{y&6!ZNYDgOCyQT;GMC)ZWa=bdUo zAZb5s%+&Cjmy&q)d8=?5K`*X|Sde|>ps+7NX2t_GAL~`;X-h-iNcTt?`wFuE+@ zBe^@*qEm2K|C0Ypyp|07yH4`Na^f|at);5$bpruzd7<6IoG#33fJ~j%R^bm7_SGfo z_!kE;)2YT0TxN!qtU0shaQwP>Oop#z!@K@28ih|}-dZtM0mi4~c>anoA-Asfe7Itf5r(Saq>D! z+1`wV_O@|i+(Dk4&6u!GwQ5k=Rn`x^_39a=x;dL{eAfxkx;{)k!%Fi|%%ti+5ASI) zvM5%{1D=Hx!J6?$C>Xm!KfktJja4q(%lX}HEqWUsk%Q!?_c+MvUH0yB|KxcXolB%M zc7UE<+tXeBUN7W_{g9i9^@(8r4(x9Q_wDiUQo09bQL6l^k(oz@X9HjC8PM#^On~`# z$}hg=R+l4_r~7kRMMXh~-@T-yq^tk6nTn*bad|eK^A+@&iv_d5jZdGy2FMF%urhlhnx>0M@A_QN-q{?sM!@#FE~KJcoerJ_24y&w@mm3WKU zTXCH|y{sU(f`g5HhtzqkA_AtpcCh@{Ysb!Fm7J>Nq@+^qm@(*He;YpqTqkKYOHz^T8BT&4T?T3US=3kccS~w>=tF)1V-K*%Xl5(OWZ&$gjq(ECW&W zqDp&+rI|m!M^YCT#D6+9FO2vF?E73Gwi({ysht!%)HM@UH7Zq`Ljn_hN{}c2oYVCl z-kpf;6MV9OM}dVlgUNv)g511rnG-og^`m_ArRW0qErjPsrU^)9uui=ko5zETJCZl` zC^LO2XK-{0qs^LjGgfcyF6dPTcXyWeDDzE?g9kwlNHz8P{_{~pep!6@T zBODJ(_6|BM@*b|6*>~a-ttD_?I3dU51b(^rsydtWQk$P#AYazc?7wWiHHj%q3wy`M zNK7sL91)u%Fl5)xsA^!&@1e zf1US3@MmWOj+%cD60)Zg(|x^vAQvlo?-l!A+{-ti)p@F7)mcSD?zxF4ATLKeK`HFs zu2*V@xeR+9dBRP-YSATtfXCJM4p+wq*9>ewA~Qtzll7ohS)%tX#Q|mJ*5g^xtzfpY zS8WYk^d`35XRndMdx1-}2)@Cpu>6Ko@w?0jU{| z__fa|R047vbysr=d+|&B3xL7b@pzA{#V>qZWWQt%X0>HG_hjv9)#sHiJzpF(*@q%7 z{qCbO3b1_-=(*A0Q3SD(q%BYNEU}Hr>?B#%wY`0cpV0nKGpJprU2mCZzV#uq5DFau1B!e|fIKvtcRFl8DyfScr+mmWmya0rpU<0?rRnbC zr+oQHPps8wJ~ztYvtle_oh1iB`I4J2G!;f2k-p5q;2@C`dpoToJGiI 
zQo1i&0bN`+YyQm!HdbHiiygRaZaVLkIAQ>0+>oEcjVs+xS~hp`vxj3u-p>>GPnWfK zdv2>h+5v}QmbsH3E6hqvtTEF*PazhSCL!yX@fdpq-^gcHH!JKWT4j7anzz>~d5t62qP&Hb&%-c(HGp zN(BIai`m`W_ygk%sVaxT%UkZ)sX$(5?$cwFL&oWs)F&#yQ_|PP!XFp;~u4H42dos6TN z_sQIc_X42`dD#kmeE2RTo7Zc%?In6%Ljoc^Nh6+3XZ4LN^q%TAP4>-R1y1C6cN-Qq zuh)sJW-lz`5=S>dsg6y@Dq5!~uWghKH`*RqC6mwZPs*@kZN_anfrURq2izk>J{!-{ zW3!xornsBxl`p6Qx?LcH`4y8hg0L}N%brxiFK;>c4Js6Z5pbo+j^h`NGZ`tsAn)^B z%~p;*8nG-(w4DVRs)dFK&CR=sz*!l_y8|4-F$K+~cRTv!!8(^gZvHn%kL{}_KOxet z_J$+eqLuu^#hwl9OkP4kHyrxj6;L~P5#46{1?6nPUjT30et)k{l&kkBT}%ThI4U<3 zfU0U2r%IG76Ah{q)aIcjjbK^^%}@_Ft9NVhcvo}z3129)`7dQsyH?5fypv9*=qC`$q< zx`-FEC;aNOnZ%V?ojxcnp`(&%I1iJ*COHtCJ&h5RdoqfjzwugvAQ1+pTa*^{K-leWSzN?s7<{67C>L?XFbc!cc*574352Ryc z*|D9=sn^z2T|)28nQl83WJahe4|1OgOL#gdt4?o>7D?>}HGVy`2yrPJzU-@vRV*Q;uxSJs6ySB&sb;(+=2+2Vj_t)!obs_> zHA-q7t*D-6y&to^vi??_x)hDaIutE6?Mud6?ct;(m5OGgD>xt9XuKs6x=Y*V9+-ai z!xRwx$b+w>8=+QLcT)l!-xFBX6{>=KlrB`kk(}*(&1&!}{Oonv=1UW2(BcBu8O4oq|`?SA;`H9e< z^s^Atntbii>}>qH`-X+Xr+rdShxt3U*!K`EnK7E)Z~0+4^FPka)8$CU$n@#IM1403 z$~2fEyj#~X!z`2Oy*b1h`l^99C9&{ZP-9Bzx5V>WXbAIex0pwddo=d0%80eQ5(n@= zbRCoA#d!ZG-Nu23Q30l07)8a$_HiTKKhx!ZFQ6aOk;VskRZ*GY`Epb_tc;)g zuNi7uYG9jM5oA3EU6^LGCj-gM=^mjZWCtlXIbq`Xh{3tGG4-##O91Aa#bXeUwQMFf zRunZAWX!lVu$tgtCdZ#Jclg2j!BHok$Flo;Uyx)j3&X}QIOd0~8ED2$BArXS? 
zYI5u@j~Ts<*q2df-UO65b7BA7?&@9mPiNkkH|K72=@;Z7KN}g+h84v>U199`y={L0 z6QbB#tu`w?XGFDRM0)|!g)8wPt8Ck=Fb;sQ=->&IDP;*hzojEe0o4#!ud4J{;&jB1 zRCeC@hXg6P&zQQZ%oGI3Vvk1&si2{jUjfLJ6^sq1A=}fI8*bU|sH&P$ z`Z2=aX17J>1a`Xvo>X7Ts?RlZX~Z&1EF*P}OSLYTs`{l@#AQtl`zooGHhil(1jp(p zf;B1lY70~iR0?yALg{{vCdTt|VoIGZ=6!qOH!CaRzwu+np7P?J_ol75$uK;0TZ2JE z!m@)mIcOR%Xd=0>?}bhVrsSv3Y9BnH;d1N(qu6@z!)aR6HBqbn%~W~2jJqjszl1*A z`l!0cTxTrT_H~Ak#k4J&iLARO+=lsCz6__T!-#fK;ConU|SrAK|gMML_jaKWW0gkDFf%&|qx9*#> zV59>c;nPqypox|j9nxWw!Fq+=V(8LS*Ucqy-K&hLh%d&>4UP!q65!DLWA*h$x!bc6 zvmwQ+wSLJ;{}Gqs;@Go(iElYjWy+#btawLjIxpMXArx(HZW|kN+KlqMe!hqWxYFy) z7j;9<46&m?E+Y3qE}P<@h`%PpI2|SAIPsbYnB#<@FzElbxwMuqIg@fvq0OAIkf0oeOjHdpMD}L1T z_7gVDuSWU1KVMtt=Ki3g*BKxkbzIz#?&ABBW7Nk8W_0kI;#R615p0vQP zy=n!3Q_Pq)!F4*DId2pVlA;!-52=pxPzqoEP#Cq>5xFJfEgMgZf?rIqy$}Vomcr~V z^g=UAln3da1P3sbhnD9rPd$=!$sA1fLcANIv?J0}1HEu+$imh0)#^SH>~WB=^W|Zt zn~)Fg(&ybW=>(-=_(x|3uHL=GbGZ?RRAZldc?!<@zmHKJ^f_&TE2M$FtJ~|PnYbku zB$8sa9as*gm%TtOtoFwIrGML#@m6K!JO7h&;dBe;wTr-|rJpbCH~ArI?)guNtdO6d z1A1eHB4{r-z$g=sB!Z@7bs@)MmXzc_tMPJoM)l0lm_vnV$V~UZBu~I07&DPnrWATE z{Adm6E$=-VX>2CKK`DJ^uq}Ir1}{$4lvQMqwL(1jglS)>9i8wKB7%BbL31x=t;(S8 z6Scz-Q&i&-wfnxO;PrPV4-28h&~-VJ)-OZ5Ay!d3SFqd=Bm7xfG%+>9jCNtyD2g+{0~6#%)L+;{s+&iriBq<{|H|=GrYjRE_eFI>?Hd2^C9J z>$-WOn;oy6D`Q>Chg5)HO39uj173+ zxCozC-876_MSU{}+PUXn{*vu_kkhrRSAPhPopT{SD{P9&jd`nfSqd&Y#ENTGewG%Q zc3X1O;+-mvL7R&;QDtmOb~E`jI~x*NXEhXF>Oig=F{z+#%z3)%cv29c^4`XR{@YjO zfh(nNBvmdZ_|oB01JyqW{_~y*0Q#zWqoD zSs2Eglc8FY!9Gdra9*h)dD)`MVkqOgzZz6_u4P6v|JKVoAN&mSLfPCGRfiZ*Il z3K)d*Nv0`pTW+RQB<}mVlBT(nfP^(CSqULx*OGYT`qpV{q! zE~UsgE{n8Rs+yg6&u7|n)y7Xarc&U+wNOf*IVtBiG7NDvhBZwU1_*kD%mVW9JW`!! 
z=XoZ2%bl%kC#jybirM~vsY*_g|5BeuUVU~+!v{W+Vl>9;R=MkpEIaft_ui3;_F`4C$U(O+cDys5UxXB#}S| zst9#C6Nvb>;xoJ%*ED|xN=(PmPC-`dF|!Z0>7j*vI&UseU2=WPtmZLC#19i0{(SZ@ zVy}%GylT#;^rvfxBh#{OBzB);=Q2L=1$t<;n8)CQ`M)Bh|u+rBwUu* zyBJW8;~|2I6Baqty?H;%YguWh`DxWqgUf^Z7ONUGm>hBPO=s`sBeCUcwbmo_xpgs zA@1o67`B&5JS&Pto$p){C+7{m(#G+upns!#Pj{<(>&+9n4wPhJ#!+=sT-(U_XtDa4 z61+1JW)_o@n~ zmgMEg-G4XYe$_;}R5lIEWSp+#-%`@mrLf|QjqxQ?F^SnC1IrwuCRl!EP#ILr((yFm zkWCGL8y{C$Yf?FR<7Lh;sfQv?aB^bd^_XDT&b4>AAFmpA(5W8%ZH_1_Y+0}VXNN`n zKs`&;T|D5pF$enjwZq&efI(^2G;Ynw1`CzrO*cp~cFB?P8sXyc_N+;J>_dWK@dBr7 z*)ai!7d(f=C&LZGD8J1=zU*4pt2gnl8c={LpUNi`wdzY=#=%IyP2d27;gKB6NZ;~f zGw5pwblPnb&QvpjSDuTmAYF28xrh|K^MC5HB5Ve6#5y&(wrGso}X?y`gaxOmN(t&oY?}ha{Wf_%(8;^$TU7im~tV&db`SJ}H#rN}G-d@VM|Myd`D3 zPqc}M!c6|{Oh>3_h_^tsvSdHGh}*5msZCUti{9S&I@7HMWBg_L_iE*#o`yX8MURF@ zNe;c@Vo0{hPB406M05k$+HDr!e4a1D0+RIpB;V3;OuO@omK%b4kKaMfFcsEC%6qWH zcteG|G}`aK4(lr=xD}bRCKt;wrCA5AI+X%zU@7atoz<_^E|eXXs*cHC5R4!6ckFYm zbm;B}LD>pRE_|^_!7{Y2$E){0wZ!|2E|UZ;PK4V8tw1&gX5Czk)Fo}B`jh+`UXB&2 zD#+>Wm*-P7S&!OGdF}}eW1k0@JHZpV6(@$G|+wTcWgCRzsm<6m0XM4lqX{$ z|D-jP3vSwDn+>3A?Bv2XsQCDmSn{tET4(qY4)z1dY2_~9qy4^E0Q15TIg$CkX za-1D?p~20E)h5ooJ9t7rg3e|#raoOZwqEk=77z=@wOcjIG0=G#(;X*#oV0t*y!d+^ zc*D@hY)G?wvb@sD0kw$ZSL$uIO|}%B5n9di8;TX9qgf4T+71MNe&dKYH0s}3IqUu~ z%p(^|NXL+s-{8|JV z7%3N9-xo5%CnT@wEntzuHr=d~4K&+^KB-fcR~v+MaVcqtuTysZT;0;U z%4f{$Q}J!R;GV$C4m3XO*GZUY`GB)VGb$G_q^a%IW0w7ax?B#4z5Zr7kj71Q!~CTB zk8_9bhgow7?4y%q$JHZAIl`e5+@3#Ai)>H5PomNJyfid&K158~-DCPQcqh8#t1~IL zeNOFD-1gO;h^zBF+csaJWdGd-t$Ou+`5*J|UC6^CH_H20O0SxK+g^AwYR(MTuF*V? zJ|roh;B?0zCl{deOKlHoz{kt;Sd~7nV}Q^)nPOgUc7=vyxyQc8qrn5Ln2@JN3dToGc1pf;U@`xbQ zGu9`*UC!6{`kqGXU)K{Meu$>2rVUiYNa_a9L*`_tvFV0ARCs-7yo3YB_AvcXu^l@Y z1SJk}*GPK3n>jPA7GKV_oTZoK3-%f`@mRN?^FyhaJv#-}6XCmkwpphn1ad~PVw2=g z?Ty-RK1Y>uTS{!|F!8>!=;P2JHdFN!c++n1WB*)TN05BUnjDhGTU0rPTc{dhP3!$! 
z-IUajLE!R6R6EkiywLXJ;}a$sF`ts=fptO~bA?f^mt!j*g$-;vMXC8EKwrMbn~|Fh z%K@Q-13C7cN58(Fw4}d8XP!1`lj|TzcG!;NK=Yc~Yhv81W_8g+W4<0v#yxmX!970l z94(OY)vU6#y?M}v3%je>tkfNczRS@H2B6_a_Z!(r$3PE?_<(DLuCRg|O54Slqxp`= zXy3cMW;TEKJ9n4I{cq?``RDpKU2XYqpz>d5_5Xd_|6Anxe|fbg*SJ?%!vrogpDS_M zS$<8c(pO$2^*?|C3~;50B?+)SYN*)1XkEjJogZ7 z%D2xxTBzAiDkITT^lzWa;Wq%%;X1u|pMp`rM#4n%;W5otjaZ-&&z zB(+O9zLq`6orB})-WV%A8)hWxsL0YZZ_~24?T>JZHYs(gw{AWAV%RrsMY)1Lp*bOC zNFfI2IjoIsx_p4=FwP9Rlptx=8~Nbi%?E{@Kd&J$7eA4N@HUoyBe=&+y>#fI{+&KqjW z&TT4c;LEk&Wh;!1yK-d9;P)o5_h)DIYfPAa&F}lT`k9mCPbdVb`$Y5@+*8v95HGIIBH6e!KQa~W7 ziD=AH10J$31==mmF^>|JGegT0i%K)m#e+WA(Us`(AKLRBfi@K9*c*)DGc{#01y~84 z%`==~Za%axWMId!L=~Tl{%4hdH8s|{AR(hA9i8lGYVYM#&e$_TJl=hg4C)2<%rm)) zIHn=9$z>LhhG3Nelm#H;qFTwT7RfKc`;} z_1v*o8x1DJ*QsfL;bb*?0RSxvRYUON0%f7PH)i2r1T@~aqrOqVt?h*wkVnY+;d;CN)mH-n(O7YfAs7I0o;v-h6Ls(ZFJM+r=kMB z3h#24m`@Y}Caed}sHnUDot!@n$OEm)I78gyE1LLUS`M)^on2yD+8_Fa9_8Y6mxw|H)Er6sdKdTaRoRBXmqy@J(@c4$s) zu^}ELf_AwnTQrMo0Lx8l*@u6V!yFVgqpsnL9(@zUpeee3juulOF0C|MYdj>1ocuI4 z1YB=QliGa=qD;|Ws`&#}PLZLPyR~9xwfJhXi&@{h(E5_ra#AH?OL|n9>j2Qii^)l< z5w@@xNczEn_e1`JB#I8-h{yeaKYaF=l{5L!1PXQDSJYg|*@MYwq6?+-m|NH7UA5eK z!G{x{4R+Eh&@<+xvLB!8@SjQ$!u;k#cD^;ghz`VXTD$d4tXX*!+BhsG+dKT0&xsEK z?LF!Po{8g)zU#(0y8R@~+v3{*(@2buOuxeZcC!^j-QD4zF`f`vpBF zzryoUpnc*;v5ou$$c*DRd;4B@8@+VtG&2N+MpeV+ zGgD?#C*P$DRmOi@|9GBwYmQxxEweuJrDcHi`rh4H-QSNYqBw&S==;o|g1qhMK_KtG zw`bR}`+mxoJ-~!z>&K=*7BFSZ{(}3P@3vzPUq3ziGE*p1x>TnIEflynd&Bc>SIB)H z`KGW_9XAvd`CEe@$Uyr%cWU4Y!zG^iPhZE_%V%CA z3>+>S46hw}K006+heP_`$>!Bhxia3-=u!8oA0cS21w`)vT)(`ADP#46Vy9=gEBNX{ zB6(A|_%6|`C3)|+Z8vWDKLA#cs^Z!D^I@ktV41e_Z;lDJKXuq+IluZp6N2N*b!X)N zZbexY`r=d2{Kfn$eyG*AcK>j|f;G?(-^?!%OFH-BqcpP?@{G+t$a7s;Arsd|^|&8x`uT1n=5UPD~0 z53!~ISqzsqx^G#-DVbhFk#%=!CXol(&Cls=MPjSEc3;ATNImNjb)7F7;RBI@H2L}F zge1AG70qGTfv&$>1F_E7sX}{SY@Z#A{id;rV6?_QGs)QKx%D~ka9kI;U`Ze#w0)MYaPMMQKmoPOPZg^35*s7pR&9>_E^XjM~g%!eyUWczOA+W zHd7TutkBJ`E?w~2FBsz~=LV+pG$pfC|0(yp+5Fe#s{nyK1o+PzUYfC-K?((zJlpu~ 
zQew5I@_v$q3M%3eoxWQ=|3+v&*NTAvfm7sj|p7yPwy$gm)aC_IH3!D(W=Oh%d+9$Xf`fs>j@@J z&L}shQ+nt~qY3y5oqM499*R5>j3ZK;kLn$r-fgKj-n*+a$mFN^_uuh5VwoH)EN=yt zgK2M#rxGosp_KT3jx;Z95zKD0RD4fMD|np%Wz*+ z*vDyK5Jx};yE~49JqR^~1jzteV9chHPmj^p)W?}%kS7NgrI}Z)F2r|kyr$9W6ms_CCn7tHtc|nrNGnePw zWJU3ps>u}qP?2vLHnW>$pVJ=O_XY|?pmg)7Kd&a&R(~#*E)-9GvXn%>^B){8;ov|J zdS9f8<+GS9yY3C1ABkvyEuM4h@_#3z2;G2WzrAjxpI??$;wE+pSXdDh(TwgOt5l3;jrlJR z-eU~~O*HTN0AJ~R&?WtHO2%+FWphOWKZc|!*FPQ}N7R2bA1mr9x^`9ZUDe`^{hH-V z9~>PQ$(hQ>arLh-irTaLn1g1%`r9q6ud8P^kT+sK4-j}Tx=w7D&OSL^BZAgF^ov>a z99^;%N*F~ack#cBrU3n(BM0VfspG_xR7p)F9HL#^Gn0K8cYoK)c3p1)9Q_N(j{{u4 zKsuw=f(H*%P(salv~+}g?gH;maE1XG-FsUN-m@D3AM3Q#=T`DDzOiW&%d(CSCIe6L zeSyw59t`~8iI=m)p$%5A27*SO-{$pqcX1b%3{aHU4w#-3bBBh%nd4uNO-%gyJD)mv zv;8bOdfs&)d`H7w{YH^^zx#B=TLa?5z0P#M^|o{DmYKkWwLGU2f1ze6wlgr&zVLB` z8M5U3P-={k)^peIkVGT>-J;qZvR0#_G7)7U{f@TMiA%K=jrTng*bgstD3>%j{Zcev z+Yq_EH%>Nl@6r~J<#rn3j))tn4J7Zs5x&0(50|B__*-?v((>lp_nSr2k!>%-A0g`Z zg1sU+vvQk;f?ZU{0aX+`Znf&0r{N=??L~ev?uttx_9c58 zzp}DODO4Sue2~tl56s~UYD};fq$;~t0N}F!Ac5#Z>VPdsC-sD9jCr}|0zU4W+b1Xb z5-l+0OOL*K(G|SrT5De&I^Rlpq!lrP6WeMnP$yTO<~;LxXykF6UV(K2mbw-nqYInO!yA8pib0_tW^#h9R3M(8GPdS zS|8Z3JXNVR=ZjF5Sd=A4xmqc(ubr~_psa6;U8l6yCvjX^JuP;5c13hNG#0 zJ94#nOZG44$stX3)a{0oqtE8nMCZFDJUx0Cay^O0k0Sg9zFL@XoT<3S2Z7OHJCidL z6M4n&n*Zq|*_(=60R;W{)Q{hk=O)9!t$8Tb5%6R!$2i8fCNjpIoh~3)aAGhrME~Uo zbN3XQlN`t)%M56U;uvrJt5E++YGk0>YkRK)S*dkrC4d6|w~+VK2~)An`412)$;+yOUULQ3J#HH+ zYTc!I`7zBUxwa+a4{;TSLl%-{10K}Pb(YX*^~g+>g6AJ5;O~4U7siy~d45V!TFX$c zem&(pFnAoY`|~PRSd2u5V$U_t-VNQpV)&JB-%2gQmChVBT{ZaQedEJ3B8Gs%7JZ5G zEfuON+vSEQ3u@8bAAlI&#sAUqXORE2UVXWs6IFZZ-OuD86?yr?(zqiX3K_3>mw{9D zT5eFa)e(EotSZ?17Bt=DLZL`vN$)iBW)7a9$*u9nHvx9o#*vER^$a_3dN!=8EE(Ub zhAxM)^N{FVO>=kKI=r13GPW!d-B}dqlx)&A&ZW^9)*pD3(Q52(9V}??x*-w~=X7(E zM`T%3DWjw(kkfku*B8Pr!zY6&D#k%}U(o2H3qhuW6or3r2ad_0g-(NBKEWo2EQgLf?EdGb{F08IN+%%~W zwsjT<$=6;NVK!x(U$}`Z)30vPoe#tSxnToi!(C(rDX`iz0yM(oPLiiN-ebBUlhvAe zL3BW5j#eBP2;u_dhTg)V**Kh^6LUe!`tS@!oedXkmNLNZlWt@L|OM2e_^O9OJ*o^ff!ht#?X 
zlrU*ecb_yl`-hFHW$xsWEsI*e%cV}+O1?d~@?Z7w`cbPhooC%i^TB{qa`rXdrX+s% zCPvCLSn8ki;m1P0gCg)S&{h8zknbu4SZWyxYE!o_Bk@cUsUEdL%?@)ki9-%5pPN8w7eztuvS*4Oy^E4eQ-O7C8=EN=%so~Iy_XO2ZwKn8Hq&-OF zE=E_3OF)q2PQXtj@%`B#Rpc{?D(%sG1;oyhyANH>p=bn>Nwnd_#Q}S)_PTp-Tb7~8 zgjaPd+C7-5;~VB?f}^d!j`2q}_Z{=^mPBaC_&@P?^Ql@d`hE`Wl9{f-0W&a>-Iu*!{jeRXj82^JS8diGYINqUMxZHm(Dv;HPO) z(L!YKaQamg`vLu$`4OXgs)v{&_bo-O76jn&j?&^PA{US8%qcarfuuaz6F2?Kkc3rt zwGHz7l?~43{+B%)ns;X~lf&>aVIpX&yU=7Ykra6B`Bj>cZrCXu>gU;*n{v8yh??xK z2$1wu0Z@-ilZj2>NBi>;_3IeML^Tyj$!F1(-RPs2o7ZRCLoCytrN>aR&;URG?d=^h zn7V*KcZH~jHC`kxrwPWNdA+#vCd-1&T~}t|+{d(@3x4|7slLW?8z|nmbBaF8)5Mw5 zfJ)*Xl&I|QIH=f~A>LHbL!olV%fb*=0W;M&@N}ht%~vhztVZURAo8J^wnyXo z(T(+l1Pm692kKNT{EffE(+2x*LOO0_LEIB*8eQwNk9>?3caGx{-_w}yqH9QbQ@_eL z;hf*Mbk@xi5S3Q)0jH^=iMMXt`vFF^fWDWOslU0iNM7bwMPA#X4~2!ELv?Fu{rRRH zTGNq!)0L0MAySL0&u}+dbxcw)2DynOriEXXik5DP0%xPM%6!q|COwreu3llHRUfy& z0mi+0YmFRal%InE-1hCDRzAm3TJ|d2(n+}lM)vt-ghK>-KVNW%SE+#yP2H?l7Hd9) zO$IT%$Hi20fUJUi7IyJYIy5Olhb?BL)KTZc+8ad`MMP+{$S;xPXji_7qm5zx_P4yr zR#F_ocxZK8!OF!W1ojES^zl{H^NsRHuhc{K^`@;p$caU4r$=Af7S^z6GrhkxG|jQG zn`WZ**4obg`pEP5v%SD3-eJaYxBN$&HHihjDHvlr`tw?!ZKsDLEr(^goX$d2uXGW{ z9hXf{UlEcN^w072f0Ewl03cV2MdxSqzVmB?*GrfzjGykYE!m?-u7#g75_LMBG7s1Y z*Rw@~r;D~e7@VBkk6gS+Ut(#pRISef<{GJHGH8j&A_3xTVYb+YSl*slp&l4Vvsz<}N*3Uqer7ngjj%DI1${QgAT7ky#MNBGiF>DbNsb?=hBT0wX`h4Db*4Mm#eywsnZ|3np>9W|f-WtgKNndtrJfP^S;x6paJClzpC+Elf37^wD9^WY zXX`*Z*dyGu)7pRx^6+nfv?2}o`n+f$$@lkgw`K=EV?eN~Hl1H%oG$lmD+MBJoDWw- zCbPmN%V;b7Q3o)KpfGoAiDjjkxTRX+C9wYc1r-GX4carPC%<{;TkD8>l?nm#5)h!{ z#Hk0N2)rv;{hJ}mh%G=^8Xewl&*k5U|8|Tf-*yu zr|6;e`7q#pmpr)54@cLddQZMOnx=3i`4TSwpdaX_!BAN|$-N3(dj*Mfs8KP+J`Jgild*(BCtub=_wee0H9_<_dGtQHp;8B`tUz zy$#L+^msPzt@P_@MYXg`V3L8I-ht^9QqO)=Fu!K~&I=g)7~e0(ayFn9S)i-(^qh&l z8`iISnsht_eGCG8$hH0a%BinJ%f%+eZi;4Nu6!`pXR~JGA)jKm#n1OXg98THJ-pdg(P8#>EM1eRqrm#1 z(UyLv`ELyld^WlCB1a%T4gTyx4bRgfG+1tv@Fz~H9+FfCW9O^x_R3L&>BlRN(X?D`B(-j~<}D$fn8}#z-_i z_T6GmU97u+>*vSM@jzw{ZCtAbKf(L7K+gJx{l23rRv%+*@#gd}j_Z2@`Il1B^79*(55l0|vz>CmC*4InbPudCriR 
zQ#)GM&@-OVNqBQVZB`bVwH^n)VV_Rx6i2|#PtrvT+0}a-ALEgbe6%;nJGGfI9=E4( z(ESB*jbKHCu`zF8&^ox5p|>eS?RX*|Eq_J)e1_s;u1}^xE5G^2 z-Z-nid}#&b9eV^~eY@%9UE{LiXQa+?tajM;OAbFX(({tnqoqjBH1SK?F^YMQ8N{FK zKdTKz=#+X633(Gtb8RcLg-BSo5;U<8k{z$SuwGb52ibk1KKRC*Mz<$)g5vPKjFIZ* z0O*1zQXLDEAdO!H=R~g|{~grFGI1d9Q$}xa@>RStUVEjHgdCz+s1{I!oFsRrdOcuRJMP(S zTc=_eVSMuW0KtOT+V|P0=FJ(z`|*=)LJ<1V5tV0Wu7-KcD7v$!LxZqnj5s5$S$XOt z(P_G76FB0HGhlPr?7^p8O%qRYK#cqAXs_>!3iEB+-Vu#34xoet5K5UxyQU+KZ&;Ge zaKNF!6F(uU*4e;hj#D?1_toC7+9ppX)8^(J-IQI?6qHYnNjR-k9kR;AVayu!yR>#t zzr(8e=H@;yj|Zqx=MdyTTucf{iv3(3$0HV!5JE5fdVF0b`WT3sepqW-%UMu7OTQ~5 z!TCN?@okgs6QXFXPCip4t@v;8sH}LqUpQr#8<- z#R0J;zD-sbE%M@*AI66L*ffKzf#JKKG%c5H_SH%`$KAo1O8&CqVGY2d(g{`|8uKLY zxLDLYkJg#HLH9QZJFKq8MmB^la}rPnLP-lb(UW`Hj{?-k`h)|*siTcyk@sa*ViWS4 z+;3m*`v{JUX)m#C2yZU8Kl4;(N>1_c^`9PI`@!ck^vIEecl`C*b%$gA5ed2Ff&uZD zsO?IDEtFCYdFXM8wwO2A7OlTOUKXO3F=}dY;q^5U5p3RI7^Mtm2ux}27BuUR5QKI( zP)(W$D2#u)lgJnQ6@CKD@FLJoaL1zPkQ|k{MgK&zQDKC?th~^58pbYB(EnTD@h?rf z$NhhmZ3s-3#m<^LK18OY@3Ro>`>h*t777_U;7_63H1L~uao_sSv~xx zrJ(;mS`*mJ>S}eFoeA1PBmJ)MhQ9LMi|%YRf}Q{I51B4m`0pwgqVE6l=l$o775}T- z>eryf6e=pP{QUgs>0s|+?B>$fP&^LN(&8}Y$^DgfJr$%kgvz`0_22bpm;681AH?C& zkn5@!ncmvcc;N88i=S^@3oYCTrCrTNyGXEv?L43JY;Bcq;LCG0t4Kep3QS{zN~t$! 
zVLrPn!}YelBtK)P;6`B2U4&}Jio50?0qt=@hTkB`gz#iU9++J}8V|qJv!M;x!%6i2 zrEN}9#-KBhC5$&^TKas{d+@283K`Z`aqb2i=dp=vbr56z^~cK}ktbRH-oo=K1*VUv z%ibo7qe}{-r|E)t0J-#GT&cwf!-ld9Bk?J{07Z#6$$8Xlz1MED!busCI@sl=sSyoj z*y=^jLyZUJZwEiy4FFN^4uNkF%3=|x4LssK*baR){;s+H5q_IkX=|G)=CDCaYrc3dyfEE}{u}^rS*h z5dm6v{RXUdd0g}% zVQon#g$X1FJ>cn_b^5-Q#og&u;Or^9sH@sjdUagelm348R3|6Od{3n9;n!5NA2Vgk z#+4RvZTsxJjzMH)7}2rCd&Wdgr7{lfTtVhvHOHf5FB2aM&M8Z+7LN&-QOL9r?^8yP zkQL~JrNr)COIud+o`5ddl>hr*_dV|-pHAG~`P1q*kLuSmeodL^ZjBl7hdoRqJ@H9> z=&5<2%1}#?DpsIYwQp)p6>&<5^VMwBl;3B!-oBFapSrDGyfc2Oysz}kw&O9=HZFrU7HKek;%3mYQYz2II2y=X+_8FEMheuQ!}K(YekMH51-1 z-YRbY@S~0#hGKRi6dgYuGP3@hsbMc)NPL>?vP|)tcSDbck)KR4_?r2Y8zp^_&_5d4 z^ww@m(WN$;tN;A+Z1b2Nf5Ry*n&f;PUuHNeTMo;tzM?@xDVPei{t2zFMGDD|Tpb(Xy zL>ph8|7YW|OZljx=0#1sEIy>K{%nZa3TT3r=Pl;Fdwd`TX-RE=O^{pdp`s4c!BX4M zdS>@~WdrB)ELG+m$vumPex zNa*_U=`{XDs(%F*j^eg3^cyY^pW@0TaD?CsS*F$sCIF_WIA;I!2043%tp9#)ow042>d)_EF^X39Z?U~E_v6H>8mxI0>uZ) zE_DQ?CFiPLAxHFUI!}feEBKtM=<=I}R3LnhV%*&W z182Abx+Fn8HVx6xfmXDH-`Hz_o9k8TmDQNH+nsB~wP_`M9MYz0R-pyAM>1@<(EQ|1 z32SjJH00R}-dwJ|RI_9vUC7kq{Z5O`32QUHf_)#g^lXn!35ZLT0bWQ`WE znZnMmEpKknhK&;$6jx77@6$>`>#Aj3ZVfRj2-j$z#j}~?H#LWs+ z;)g*#iW#?X7kd?7Dn?I}oZ%MU7}V>kkpbffGLYmU20FVVNLLSz)W!d0d@v8-^wYPt z$v0MJd?6mX!TSD`rG%{yFJQiSuEbI_P_X`CtJJ6C*2vnPg|EjpCli9UcxW$s>5}gA zF|7{+w*~(A!`|7+w~MiztB|H%CisHq<*g^o^!v_^AzR>3kecQQz&%#vd8xrSED=1N zTwAhOF$dA-{Z<1N=VByWfjTc!GLyNaMFOz5xmqsM15lE2cz`Iyy~%Tb zM+bq3Tcig1(O#4-{lwXb66d8&=SLNl- z$%yLSv*{-HulM{3u?A~uC6da=k&Iz+yHgvEbFCLo)A&!*>|v|sPs=35s&g*&P( zM5)3YZ2sx0Nd7fGISD`tl8bJZEbr~}JQ8#@7jeVmCt+mpof3_zlL$M-?Ej-LH0{>n zKF(YOE*kLVrV+7b zli5-yqeeHvGDbe?))qa28P1bz(5i^J!(J1+N<}?#7^H0FMC#Y=I@S!R{Ixk)e`4(BLC8d^_m%}c@Vz2RMT03#sVRe2lbYnzx z-r@MDcU#o~WY`TrJC{|~*X|64|Gz8&ZhX$5*UrrR4l zwm)gL_4F#(?`U9xtf0G_W(5;4$mXi$h}*~9;gFqcKu;HTV`F0&2;_|zLtQ{5bfM2Q z3V-sdsI;1R8Jueesg@AhjAd%L|6SKM4aJ$b%tuQ&ZbbMQy#;c%_Kn^TjMe}0G3l)Hp8#}D?O*8(8Z znM_EkyESSQw!fq}1Bo7oRSIYUtY5yfVi+Qxxk7Cq3`)& zbVYR=)|^?8m?J;M-K5Cg-rgO~86LB025%oH0X=k41Y=xwA% zf$Ze>b 
zyFCfI!S9bEE9kmABhh1J`#bU)FEzW!Sy<$YkA?)?s|!`d12!a^z6T~#jfIs86*W=90%-_*r zwmIQorl%KLSI7NNoOlG*Zj#?a-ej-eiY+=nWXxJUgpPDLRkr%Q}v}Vvvn` z-zj+)j@wiOJG6GE!u{27JRo!=-ZynyWxJs^~=weJFC83m$+d#>^MKG31#LhJ>(@WRIwsY@3y z$_w3VAs77Dj3A3j=m)Ryv9JIamqv~?`l)h|p>yC}ieObo`gbf~yWDVw?qzWHB}g4` zg3)+7{O$pIjD7pJcV=6K`FQBSf6;*Re^t)--}*ZEyFdOXU(f&Hww;ShOMHA)kr5G^ zS|s5ne&)9;3VZ-p1J0Ly(sZk`y1wOC z1BrMlKpU@B(6!H?eE9}TX{(RH^CQ;&Q~#M-5)|Si&2~FmCK78CeEl5Bfh$6EO-{z@%XlT!wDR7er?^67Sq5wm)QQ zNaSLdYx$<-xG$7~Ntb~lih&3WZBK}TakjBcS5pcVx}_$ehdKGGY2Uq}H18(yZ)`xJ(Nt`%{^vZWxv5AEipP~5Mk1@OE2>m-kD zC#&e|M=D0(w-Xtv+L5S6MEJWsiQcu{&>A`Ak|i}NTZhXBRzbocPG+{H5&(saRWsy# zVCt^@@rx7;Gz6gObCLBy^^a#A#;(m9hjMMxmHH$t8fmm2y^5gV4UhVIcxg(9y>?m-c~M!;{H^O67P$@IR0$Tl{cG@JYNZjJI`1Z|9o7< zq``6iyUtXe+T+#aEs|IQsgO8j5~^O?IGR*_IgpuA{XNsp^+OlO`cM7Ige(0AXO9{K zq8HiO4+ROHTlfM_ZDB`gmB1~pUOu5eioymji1(L5nozLjh#sGGJV)tBsiVF0B?5v=7=JW@7)1N zZlRT2WeMNY@O+B!aX8?ZV7q&^UeU)hTNrdb(;3~uS`h1D##TquzFOb?!fo~3D{jVM z)kwEYR>A|!TOL#T21d-w~n=H2K>V%_%1kWZc0xA8VfKQ50Wov z+$dYc&z7D^n+nv})PzeS+?$c57@4I32U?c?^k?45^JW<~0du=;y^vO;8b3McM@rWl zuct+;d?~mds`SF3wh9P!ow*Cj*h74=0Cy0np3%HniuI=kI1IV08@}C6#BvQ~pP#R6 zl?sM;{nYKc$m8E2@oNw+!J3M(r!aeNZh_<)7qF$kN0|h(hMqfMXA?ptnvIsus<0CL z57(bo9ZHBFcRE#>I8-eas1QPNfvz=8%{@=V8cztFqMl^b*7iO5cIi>Wui-D?kN|=U z3*|dqk4qWW&m9hX4miaaoCIUNnXWqW9$6!uC58NQ&+&gs*V%xcLvhkuCncRZ_Uvl9 zd`;4(-*b#|E(SVN}JU{svSgvNk{7_CO@BvwdiO_VewHZ18I;NQ1Xhv=i}u-&|@sAeg!HifRmMMvup!^oQqx)(bSlt|e@@ z$|5_pqh1HUk{<<#0ZfHxEyjp^#aM%lsqq7gA@Ee4$DK__-c>-CNUNZCqgOY^Y@W$_ ztNRz4tO?sHW)Pc+fbF`sn(?Axv&oF`UaCgNly)4`Qv;i}#9K#r&T+VFJOj(o`s#<4HBP~W814}0?; ztymL%2$3!YL$KBDhesJ95ghJL7NfWJ-Hb1DhdI$bb1o>`rh0x90BatLa7G z7P!Jf6r_nr2PrB`N-QWyRk|Wo5l|osC?En-Lkkg+PC!HiX`y!#Kq&%ARC@14N+LD% zNFanHBsp=dz0ckE;ha6jz31WN56DwSGV=M&@0|SIj^pBAR<4)OwM9sdBP-m6T8_H6 z$|uEt%6sWeG|In9xnNOGdnDkx4$WdX8Lpc+fDVpf;$CkG73SQ4_LYBaEttV*y}I43 z>}=9lv0KjRmvDU&Z4K$vM*kaSdA|i zWd6Qe<8SSGG!#6p#ku}rmRDFY^}t)S+!-;-36dIaPAeu|GwMf)pKCZ;gitr9)p6i; zKpi!JE7+$ossn+RZS7O;_e*_jwPj5|J?XxA4No|C2l!ln-2bwiK<8;t5y!+wYDr!x 
z#mJmGS?e!(9$YFF@=p8*DVUg_z7||4AkdtUTi-yECTf~sah5d@38b9MmipMCA!nSa zLBXEB`bdjG#n0M`wjD10aWK-HniCUkAh0b>=(~$(3HWG4-3v1kNNI-~xEhLlRK1qJ!?^dT^V#|ICgydRg6MOK0f~`= zak@uqKv;z6jrYHcp*GHh?j^)5I%I=IUr4kobJQDd%7JA$5^31{zEqG7!lml9QW7ns z_58@U8pE*@3yTw?HQtlVv&cvh75nC2{vR^sjL!k38G(}Tm$k+C|~4VfQH!(KF-N>bd9EVt{4D^BE6!#F!&G2w5ho;S-#H*Otv z7P4R|G15j24mv;^k5Y^hr>kUw62boxHiOf#i}BQXkFJAm zW{XFd+#Sy46QeM>ldB!kUr*7$oi`OBXdcgj?KO|HJg5P`4xv|)W!INN$j9`lVwfLw zyd%Vo6xX*iO~on{Q7J9E$gtoCqd%2XF6C}Roq!qpqGYA*4>vE|1pr|>DYJ}G)BDtm z7tq>DN@Iwd114$n?|0%~WuTu=GQ21=E?N_Hf}+gT*X4mT#B5ZS?SmJS(ba>u)DzGD zsBYA0153)ZrO~ZLt(f;+Mx{rB&f6r?(iO2s2_tE)sAoqkVNI;IR~LyL!_zemf@KeI zRdxsbk&TbkCxLmzfCW#(vQV_ae%;r7W?$;rjSGB|Y_Qywn4~#3~0O=USw> zgwu;Ia;j>SpqJikPHTF$i&zBs7Hf~TH(Eh?sc~&268@>OuXapS1r#K`p6F})SW$Xw znQOh#ouv?b*K0Lew5KNOEkg&{al9gId*sKY1+Gf$%O3|&l9gK{S*A2vLZB%BL8UTwTrith-u0JVc*9xQ)_3Y<%)1z3RlS_UYcc@w$$$qGFAA`R?~PbcVon2V`#Z3 zk$@AeZQaI8%?s$Tqd>zrR>K-{OvZJ4ka!2?Jl#v3b;e1nCwjxz*j(`1J|CFqvLtqy z7FyX#yIm(L*sw3@5Lx)@>GF%&S4+`t`m^2qrJ*x}(}ST<4~ERhK^#g*9Pz!$f_B~e zvW(I~?bYp@`JF(#tFFDSik)7T|Ci$?rE41_+Gk?N_;c^!3 zJxWuzPI|eZzOQWMtepRB{hu_M$NlEU{{|F!4h+Sy@-N_()Z8i zBA3EH1QJN!RkdfXPe!K8?}_rAkkEy34Un|;zXz9S9gfn6Ol`5>dI9l@)|w(0iQ~M(f|BhHwS8C(DOS1}ER2fo{s@w}Es+Ql>`i}2 zA9)ph9dwpjqJ4A1TtIH5bcK0WsE9zcs4dP41s?tTQ&~%pFB$nF|@SBdC z!m8{JNtMIl(Q!9Op;2U?soch?RLC)(O%rMUFNB-gg<<1yv!;Nu8?h8@Jf~N(ml#3c z)H|*9{BF^PjsD@%RPts|l#g>)Nf$3yM&r?8qvqu+s_=wc4&}k!L&<~53?KO(eX;H| zPAE$A4xY_>8Jr||>cofIg`NiK#xJ**CY^G2Rt{%MjA+Pvn=Yqox7Q+8KgcDV5#%6D z4+1sR^-)>&0hV^}y98-^GHby>X1gad0&ZCRskD${(B{}~=J|PV%x~ukOo;$zuX(X; zTvd8{<^ur!KB%h?;kF|Z7vTQ~@%y=Zq*P7@3(i{V&E7Z()GG`k^CkEREWfN|=9o$e zP7$9ESri3^O0JZPJwCwwXP#X9JuPKR{N^LeZA=9cyWV;#ibX(nQ3%LQb#FFM%EgKCKJC$N+Hg`tOTBe-IYcM;n&wM^`*D zXyY9wKlPaE%^}14vem6k^jEPp=t42F*cXD15lW$0G)JG=)1ihBRN5sdmiK0uQ~jGW z8V;tz^CR;uAXhlp?j5VKFq06e(7I)nk_7Vo436xP{!z+adw%vi(_hXdaxu5I(&VfF zztTVNWtlB^zZ2Tx&1T`{f(Kw z<@Gl||K)8lG5@)Bd;Y)Q_FpqyO-7s3oK(E2wEw1}4WVoN z;!yNeU>@_yf;7X~t1{imkZ?pGtVS(>Hy%P$yu)ml068Q!;{9{6V35p~ClOqlq1|~{ 
zR8`t^;S4mz>wY-Sys({Q>#o~hK}{yx0+tRD>d8-%9?aVxzs@jt-zpbY&!+F#^9;>x zHR`EjUNb+H^aIe4_wepB=6+w7$n!s(23@*Bx75X&)}B}9_;Wg1y&RkfFYYlYM3qRv zA(Dk1`rm@ii=Hz(ThmxyeaVz{#Ye@(hneaicm_+o z7dEl2O%L3J+nWLgXpZJ)T$>FA9^>1IqJpiY=j=}f@)qm(({Mr-mI#{z+ zUI)DS1jWbjM-&P#1VXNTzE|Mjpvqi%{u5KgA|2DRTCY9xs{EM%Z`?-y+o6MNE7ssD z78cb2UUI$#eiLiVX7f+Vw7&uk&ifJWIDEEa$mYH#M5Q*&hrQOG%Q0wCudugva5#T3 z+5n^X+)kEIPUZ`$Um~mT>~+bF(K<_l9ZZxcVu@GR+2=U|Po_1s%JD;kJDGpc`Ws{( zwV6z?xsE;R&UBL?e?QDh68$DO7zG#wh1)U5X5? zJCj#%G4UP)dEwT+LXf!eY$`ID^6QB6$s37wXwCiq#!bnECsG{L!_S~KtAPcCG~n3= zMUf%^CbCV-elO;4?<+lARW45yz2$9fAmz5l)g=th<~tkP=pIZx-qVny_r-4e{~)5Q z!{m%j$Jo9=IglYD&^%+|`>?M!rz=y*u%k`=tXQtQC!$wj|5q@V$ zG;Za&F`k)EUj8b|;HB<2=@=nJ!r~G;+%SRUVS3f;Z@rvd?bQyGsWk{3=e&iO(VYJF zXnjhk&BJq-Y;TS%|2C1@DK2+WHEv-QHT6qJY;$6fyIkX#+OgjH2&I{c!yxsA46#5D zFjEKY&p~`$PS#$S(pa}h+kY_Tsj-;|vM?A~)JIZ(Gw(Vgj3Zy`e&tiG{|i&!&VNev zl!(u$Bbc@#cna2`UNys&gMWNPq%d|23X@h{{z!k_zo_*GT(rf{0$5apNjQlIr?m9O z-PtI)5Er*=#+4niso8Tl?m8V-dQU4EZPM6bm=W*67J?clD+uN-f5}~^+|;=ND)T+; zU=~@O6zxuc-m{3Xep5Ira0XJjIG9L4P$7gY#$$@#<=Ut-PS5-(;79|Qtl}8qu*5X z#%Y~~6#8%V%x3Nk1yt2}CS5my@3teSG28-`V^z$Cm74k;d4Zu+JoocnSW4$eu7}1R zNT4)S1{GofN9@v7yvS1|I+zq$Z%JPfltyJ441I%k)F@!rf@DW99OOB}hd)X#esu}u z#7YdEDWg>$Y`)>xTYewI>Xgky*L041-1x~eUH&bff$kHmrf&ETJs#jntI+LK!$;_` z{Q!Yz@dX>ri4s-)me|GY2BVJTE}4rGepL&qZ6GIwoi#vzpQ-~nnWNg0SQ5Bzk>@_CoQq)Qj0e82hJh00(%l`{^UzcgF+` zT0(GS^L5>B1xZfpP}#8EqKS1YB1P~l7Z2oFTV`JcHgMbp0+Ph%Hz-^vg%bjggl`-J zOi+5{9eywKP|9Dz96oU6qo!ReAsJolRT9MU6CU`EV@NUoa;LsUzM0#$O6$jx0tGf^ z9S=SGlV;gP49cqI6TT5%s_L*YVz9SlMiNQ*e|)IMOB^vB!14YNl831vk;8kY9>L;m*<~JBWQH~t6h_H*PjIV#7Ze4Tc z)=qQHJjOwe4(2a+CY2bAmP2;ge9Y{_>lnD}T?542Ew}FplV&peC{golu=)c0{(Sgn z`@{snZJqqit4p<;pL16W#oQKT%p3v)PMzoZn=UbFavsXB3#bq?EOs5ud`>0vEQha+ z;N9>M88%-yuGCS=ScIB`~K96LjA3YKwM5jU#dZ*&OYvK)mrRUM>wC0x2SffR-v z5jMjlzOKn1scov1Jf;7`_KJCbrcNc#oZ1jR8We}MOA^9!550|5t8L`6q9JtZ`YJG* zBgpohxI+gYQFBTY>o~^j%R%4bx3cMK&X4FldgyBrpxH>*?~ijqH0H^eb*E`Q<{{7n zfAh6mNl}W|-g-Nd#k(v(AsM}6IEJqHq(AqQ4`ETQ>1ennWASp6apvhoSXSn)$FCqI 
zjc+;4dbD4b^5shfqS@=s@_L#+;2@^RtX>*ggxfPwKP+GCa$lGvH%Fke#HpB`dp;^HM zLhZw$JYK97;4>B1)xlpHOQQ0R&XDk?5%l<+7&tIp!4FT;DVyG*?2r-5q_e& zrO|OD)7XWY;MWlQ8muFB2fzLGFiq3~d^hTbMRTzBGxcDnc02ERF-MJzolBvQfy||y z28Zp%m2ck4;=BxdzR06T_wyLz23D)e@jA0xa;bxoET7phVt{QE^>O9%!03k(tS2D$*w!Px_te6bw^Y_KjgK^<2iQ*qgI(ivW~=g43c*)4 zy4-^c(0mK6R;wi!;*XVpgh?MeBU02%QSRTUzAEoR+k%FO<3~#zO!>Wt5apxo`#V&j zZ_5rOje&mh^#ct-c^X>(Ue9?9e9q^jJAly3 z-d}*m%=ij@+D)KU16*&CFRU1=4Az@&bo~CdliHZ)3R$joZR19A{TSrZuWPY^Gy%lw zfYL;g%V<3Jlw{1U+Qx&6b3W#F7pWshI};a6PYKEdkpjlYxb&1S5p&+*&B-dj2ARIC zz&Ir7qH_$xeL&CY&}{o=6xu9*xu=++*!7W@%W!d0jy`jH3_&|ZUXAA(ec_-ft7WIc zTSj1eMNN9LnDezth#G^U_#zV1!%(E#V9TuuP7)?Y*jcxuGLO>xRs@C?sn^6xlb0U{ z!x6gAGp34TS_utk9jj%KtALv{EIZ9nGFBfWP*UTwYh4N{5Jn&;b>quo5QjW>c=QoX23MXI~k>S;+`2Q*?0giJSd9f!teqzo;R%mT{)+W9m6lE`$Nm8#i*|(f=ywp@NY$Ry2 zsc9{uIrE5HROK%6W9Pyk{QBVVlj5tuC%XZIKECvU2Aqx{4!!|zotkN5c(^;oZK(Rkd9Z5GVfTb47Ej6s@B`O0XHYwzTDbpGM*A6Wq!#yp^APD&*Ke z_@s=xpCGh(G1{W3k}bad#-)MU>TG!qLsT}c5aF#yMn41N=ctImU}#=tLk zX|WnLrZ|-ni#otN&suouHnIN@x0&`x$~EvM%Dx_5z;*Iw?~!_#vHq|Z*L?nbQdMiNz71%YZ4mslVJcLODXD979JA!hG=m0+hqLy zVev<@%dB2gVJDD#2HQ@7HMSnOAGL28>cgoG{^efjitzUy;Mva2JD)Jf8pjEHqkYwt z6i0g#3a{&4qRxaSSWgXhYgFk1H`iM97~)~_%%4?lYK;9qEg|?fy0r66=Qs)&MHLO8 zinJ20(?Kq9YfQ3?#+e@N2stGQ|X3^dZoGW~YZXzU|Z zeYHL%^*=@Y3GJ4{MokWwQRRgaOJ#+3e=DKiT+0Z_w^vw}r)jnet>Zg-`@IC~NXNAK zub7Z@pVEy9wpkY|dRt_`>?_y8IUiv$>yEPks}GS!SjJML6U)*P+V^hlzrSTfB&OdT zTDCahcT%dV7igb<@FUT8&?TKQ4a(={oe>g()~Lh=S`&31wJ_`K9l=7unjReH29^GW z^nBIS&OSAhHd~6*^(D<0!W@!%5~NNAUnWI=@7Ibp%*2^XWl_q1gtyBlhChHyPN_cGP;uk8%lB#L`A-)6lhw_Gkt>-_fvbEFx`wc8bqxcuW?rRgK z#C*U$pPK>ZUtyT=6KiZBSvF`5Zfg`TF)UHMdmVM}XUm!lqb%^{q{VjNr`Sb>Go5Y| z7V~3n^JxOiHXnEzj#zO6&3#Vzy3MG(2IZ z=KkB{+5al(`hUA7{5SEtVYc6JdTsepF8;?q2d$gFGS|DgGy98IG`e4sk=p;7zx$mb zWWN01etv$XWkViVlz41xEJZow-|To#xOZn{Pmjg6zO3T-dG()5-?$vAFxBhVw*w^{%5QWTei>)oC94m4z&K#qR#hb+?gFNcjmtLx`9 z9dcY~um2&MN^dZY-eY=w83#v>mGQ=uv7aCKu7@x{s?fiv|K`uX02H$QSE`(8U+>rt a8ApYVEHu0^wU0l-eBIVJ)r0Fie*GU@s~c?q 
diff --git a/memdocs/intune/protect/media/advanced-threat-protection-configure/select-preconfigured-policy.jpg b/memdocs/intune/protect/media/advanced-threat-protection-configure/select-preconfigured-policy.jpg new file mode 100644 index 0000000000000000000000000000000000000000..4cf35040813415510eb90942fdd2a47af66a8826 GIT binary patch literal 287708
z+jKqSuh&0yN@T`d6ue~104#aca zv>82AB}nkmN4HcIygM~Ugi(z#&$gu!+Hw9>+`{D#53fUjS}#M4crYK)A}Bmkt}QHot1e{5=>@Kt;e z3L4AbRPaX2|HV_nh`BhTG~tl+0q4-_mKRvxm{<0l;ibUEBsOFDFfG8Y?pfkPEbt3! zf|f@g^sL?YMQ{Fl1+LB0B_S<2l2OJIDF(?CIrdkajG0u5EaWo&H1tnv|6b4;$iFsi zxUufUtE`;QW~6Uka$nCJj>ErjgPfz4dBVb$f@v}s*mIQsSCS*{E$ z=?FdsZj?u(nM1nUM&YkIR6Z_w9plpJ75pDnc$US$J3f}OMP^R@${AUm?pi^?gjg4H zi31oQkxLF&jY%oYjV!C&%Ec!Ke?%;2-Fmy9^#Z;0>xxvXnrY*?r|yyYw(E1fAiPZ6 zz8#ht7@@e($E_)o>$xm4Mdrgp z>|-~3`_?pWFMM)!p{}GEG+GKKbM24W|GlA&RFdLvBZ_{i5P{w%*DJ9AmC@ zqCQUS2r44qf>v(TGd8S`|5rE2NA3L%Bn!4v9Jv(7LCK?2z{r5zDPV2*Bqi}eyRIW8 z%&JK7w5h_k7W95%XCc3pVI>rw>EA~FcGv%pXIF8qr*Cn1Vtkh7s@0_N-kA?C(oL?? za$gSycT&7(lsImb7i6Ltvc5|38~${Q&{b04f7s$s`8D0}VKQ}6+Zn3++Amruj%&|n z6AyVjzKUShk$A~$l7I)#xoD*TnwoEcokN`RgV6-{w>s+A6>BpGj2zAJlZ(anA`L94_t@K#$W~aX`6opD_7VaJjy znOpq;Zzu5n6!5ZVjL@!p3h*GXlJp_7VZ58V{srU=T*6VYhi8LCH=H&h-roPycKO3-#ZpLjx1+; zgISkuZGSGgpE)obA-7krWm&}H>S2-ZVP~4H zu);SaH9k6=>$l)M(lnkl?mZ@G@*>$ZJ%)$BV>Z8-dooT*#a!;d2ZmEUN)-g(!;28E zg$APFy~tOot4b{RjoIHFSI|PX7R^o5d;T>KOdd9VR)5mxuLI&NV-hJ z=0{+nNjPlGs&n&e%?Q2y+=gu(GSmV02`{wD%I8IhZQamkeP780AG3<&12bYH4q_tJc6AjSv7=?1y*0LdHqUCZ z@=99kJ{zTIOBz4Y>0EnPILm#znlO}ji>aUq?0{D(REpiroXZ0;v z1Rr8Q1NGaOE}ue8D-dO>)Uy>9W%uRjD-$7g?a<5%vXbJekKkd(P=36DUObos3%!YH z*+bIxzU>hGu-leIR>OFt>M(}*ly9*Q)`&TN_vW#|3iYosIg}n>{?r1G*O@89gfAy4d%T_2<;3HZ@ZvM$J$Xv8h&FtDmWl24M58y(ITp?Cix(I-{1ymb zS2cgP1v-zpy%=n8zFf$9Pp0gk$|z0ET>Ixw-yrwajED*J`rAE%ENakIH7`1HHK`R5 z#NVQ!iwgl}mdzJzq!A3aKrC=?XreO@C7ULmXb?f$=Be!2#*$j%t@X9JPAyUO(8$Y; zbDYUw*gyM0`Np-;);IiGJSk9Jdh(neH`sO+61}XRXFPXwz4(NKg zEAff@@rV>{Lr1E-`ntQ#7ag@vpiZw(ly}SN{ArftE@SDo>vc36wWxQBYfJE zEj+~KxpALLfU5IMOfr0F!Mf`L4kB7aWxN;G7S#+zK@dv)MT{N#if@)BvA(#bl?d5! zg8psH(X*Mg0Q<#=^hNFAA^t}>7Y@aNS6|ssVKc$eQZe>BF}9Z7m%Q^mSc2D}YU3V! 
z1dWp0$?FlBIW;U7#$+wu?ONTPURT{Q-IPPH9ZB#2_bN%$Qw}sWmG@mom^s#TChM$G4 zdih-MqIG+)`9Y%r$SQsCJ78pOb)mGc!R()?9gb3J<6vw1glq?Rp^HzOMkRyaT zd-gDwl`wI>W?^I^?xM!eA$K56<8eeM6e|Pq{`6Bdya#l_n=FTq%^glGFtlxQVLkyoK^|+^~nRV{~4W|Wx%_fLpN<^_|!MWLU z!WY}VL2LGy{I1apef{+Dj``=8mkdW`Tfg7d7;#qd#k8PB;^6mz(Q>6k^;t!K9oq1f z{g7T~=Gd=gzoxk>B6{U$p7Rv&bxg4LsPqDUCnV(NC>qFW5jCfG3-XGpf%Pw^*TUt!CsBFA(*sIO` zU9xR2hf0NM76_mtt4fK6*(;FV1;%iJnj2wdn5-(_&-OdG)xh7>PjsEujCDifNobi| zy*DO;n$9xcenAjYeLgGgB*j$=3^2CobFHG^W=wJ0>@PW!==Tfh)Lp(z6H)GtI%9da zUq!3F8^81Zg)kSk0)($diy$_;;MA0ymug2$Y;skoh|NqB9fn*`Zl-h0eXO1~kOgmO zWhizB$5878_5~C*L84&7-lu?O*5^c9YzxZz6p+**;)ODIM?5HEhU%F3`h$;ceAz;4 zYW#Fsq|;XtQm6w*BgPE$neW72R=I8Qq1s}$f}vr3yn5aCK$N};`acfUhU-} z1kdJq#RF{13a>VP`1;&>_Q?QkhRLuIq9lE%E`we`Kdwck#N$&tWvEPUU51^Noo zB+>;uOH{-9#~&TRXVpxae8sH41)1{@Os5En!3jV~9B<^zxwPv{#S;$x7t+kJ<0-#@ zDMd|6Uk=#uJSb#JhT%6gU+0JrCrTnGq^vyu=XSuw8@pjl{;}e$m#-&2wr08aT>Db! zElGj6Kq)Qd3SE0JY|_$~j0I%|+;H%h2%6GQZQ8l`^DxUpgskKOF z6*dtZ5puOoa;&vElg28m7qa1#@{I?vSL%JYj>ShvA*RoXOmYP^70g1egp};wJ}jDNkSlK zgXN?UrAZ%p9cWGc@_|gKOY<=d!egaXW1Qh3{(+ACZu zxpCc~gxvB>FRW;!ppVVtP&h7kQs<7x3T|qtwsBO!)!2My+L(1d@omyrO|(cZ&D)4C zA>W36=4vL?C4+v)<}ZR8@?Oq<3wYu+QiCp03lFbRiGn@Jv+0?9Qw8~Y>q2Q~DJSZ< z@_lJ($>e0f%Nj_SYB)3=?prhu?S7WkUb<7L)tTkb=-dfSIGeK)VfyQ-hk=b!=q&C> za~;>C_%b;G--wUkmW3g(CLV&8Q=*Ri);ve1?~H}8;RhVDfhoRfGru%J=24oG1vo{JD-frs^s5RhvgrX(M^AIcwY!!<`cnQnjt| zq%KtHLCWM63DQF4752f7=UaE1z_aEryH}sU#@WhO-ATRq&?#8<^038%WQ2NPVjt?0 z^AroJ>}e-%+IOzG8Sz7w(CE}ms)%GVK`DUHHf3mLBjd?N?WQJ5-o?sA%xrPFveet7W~4SS6Jkw~~rw87iDpp)GR{U^1VC{W^K?>6;1o@n2v zr-1W2Z5JH|YXY9Ow}TXZC~V|3%QPmJJ3QXz#@&caNM&BHANZi=Bdz4VQ8IpDYFi)M zSR!qTnC~`6V1YRz+79t5(kLPCyN<}l+x{6#NxmUhWrtM~o;g{_I8Q!#;xVO5Mahq0 zCmJ`;Zhq4-yINW(U=3lj3r(erv0~#ELhrJB?lM{0Ek*JgMQF1}HS_L20>(2_p;ifDyKO(Yr^PS;c@>>(Sk6CRUC8$5Xm6*Btlmtd)Gr9&Tt+>gJU^m2!&Kk4wCS^!GC9|+DX zOFhdCj$=~pnB&8a_ghhrM(Pie$jp@7LZj6hZD$z9@uxvKKBKE8_m<5u`)@aS@#9je>7T-PMR^Yxo043V!S&@{rm>0zrkrJJJXb8#O^_aY)6UJu8Bfe+l(9Me9zeNj 
z5S>-Qv%2W?mo9S6HEp;QGc!VsjKg7LwbSi;9&d&hV?dv0$3x0pa|c1%Hq-zf@VDn@~SE| zMws_{F-2{ND`f?r^*p}8cjG`}TJX}MPRWb@*?#BqC7h@{vz*q-PT_hR-(@Xl#8LQz z(3pz<^JJ&*Y^0W5rZE;mi}%b$|42qDLclr$d~cTQ!BXIwvDFB z&@mr#iKnfRGtZ`$mw4?pn-4O+-iT3;{>&wIA>qi=Elh$%yvs#YMosU*x{Ovp!lq?_ zV|{d@NqhL56Te3RNOfEeGpoU;*{2!q#%pjlsYtx^{qGVrafI#hqm#ap)(l)P%;XM(yeYjh+yUg+r$x+^`Fyf57zcxYtSx~r|>>+hEuIOTv# z!7IXP-;s(TE9&|yjBj1jk=EQAw53St7`AI-he@$k93%7akdYQ0+p#v*9)Gq}1loUI zsL=yL}+H(}eZ(H7d#41M1J9t~!WbNqJ zM0_9mNhas6$xvw~(z9CPr->LPceUsKcH7g7@ALddI`Vvp3y-901K<7E!%7n*A7ee7 zeu>vr44G>WK*Kn}EZ<<RTMki%vH4 zy_+0hm(!xceYGYC{p5RxqboywhbyMcjVofG>mhV@#JNIJfcj;(#ho$%Q=1LH9~KMF z7W)fj%LQi=*0j3+`<#ToZ1-P}&;Raz`T6Y66xK<_eIeDuILZA;R@=Tvtt@l>d()0x zE2#`#d(1!T0{hRaZF--v1(*6>Gg@}P>8DL*V8zg(n%glWAW}((5lY(!%8L*0iFYgY zsW+ESpJi=~{r*9~!|vf)m1clSbOJ$Ns?9(ZRoKjwq@U7m9Z$Xs43ij=cHhb^=#%! zyDL_CH7uM2CL> z&Rjvm-%F5d9yf}`zS;g}?j$+wzqxeMfEfmAp=C@vT(tH*m-1`Y=by=mHIb6x{^M-q z!IP9Cj0!Gg&acTowqZDHnHyU+#iyuqrSSYD=2y7O7n5iGx_91uNqs{qAPa_u^y@X% zr0(rvOM0>p1x2{R;_}@##|#cmC==XRc%%cl4s_ozX zeEnSPd~1EzSOx1o(K_9GJbayoz3XgMs8SbM03U|hm--^iGQ~Y&{OxE^l_Wd*(1XoE zpMQYUB|poz@`G}3Mv93Valy{Y`eBv&YKYI){^YiLMl;TTnjH0hr_D0R%BsGz$#&O$ z(ih}Yw&jA?SOvy(Ji&tcA#{y-%r~wAzaZz4h^fV!QS`6{Y9LSg@OmCYsrtI3a9*6+ z;oM6YC;kAfw7-e{x!ZLLXdFl;(qz?zT6#2N3SwiFoifS?^#_Bls$*X`-Vbv-OFt+@ zwNrvNAg$LNUt8u!+}r=oTEXA9NFL`) zKYg7}j6#0i!kOaLkz__EG|jZePEj4~UGC!xjm?Fc%~@MY0iu^=IZ~dR4WVH#@In2u zI!K#S!0;RBao{4BM;KEbj60xU`^*r3%SWs`2NHD2vwBnzFC?pE3npV=wk3p$ZsDnR z1)H}zYl>^(dV6%m?y$VFaxe;p9o%t>7?{zlg2 z{^Ro(f*I%$^qPFouSmT1*|CM&q(U;&_Ho)lEF^wZuqs_c&R$bYEUoL~O17kb4H!Iq0ZI32#L}1f(CTbaql;JwG-KR_e+FPVN zxC<}^#7v22QvfWqMB+zJ0ln>SqK#&b+8y*Ows-s|LB~a=bDPshOduVRLu+A` z3*Nm;$+r{gDRWx-%?)RB$9yP{ll`%@yfK z_Kz;P9s$GbY$})U1Ju+in6#UWh7Ww7&b2_Z)-99j7>=^lv!|T2Pr~v}0c>EeGNJ~C zy9LYP*z!4ReX{M=2VAjP_&*(a6h(5)6l zAxy9XF%`35(dzG8&nO;x)pH7sBZTtCOxGCq*bSTHd=gSkOz^p}I0O3Y4%%~_H_4FC z`EkV+0|$qG1)_Gl14v=41C}LR?r|eU6mdTP!O~GfI?yTWMC1YaOHoTjH!EIx{7W{e 
zn1Z$#*qiH|DBS*}OaR1Xx6l=|c_XbseIaba{H5t;0K4tep5%`{|mat%)BJElqXJg$D6XX?DZK418}ml3rhd`YXo@P)GIH_$^QJ zWJHi^jFq}CJ6EJ;136L#YZO_kYa4Y$G)tQ{7O$JKr6b35&;q7PpcUB5AivI`yBsV9I`Io9Eu1JY6%ZM{C;u~ zc8k&C?UgB_!fL0Ywp=wPv6UE`U{{G?PQha6$2-Q{hH2j@K*^d zwsfmtc!bjSB96ktMa|H?8cfmZajc#j{1se4H9~4&`SL51m2u|99G!(G`Qe=V<(i50 z%J0(N3=UgU3(IXF5xZ!LF0t)FVr={=z?#hDtC6ExKj7GbJ5vf9c*v@Q_EW9M0**x| z@f&Lb-;X;2^i`^S!fv_EypGQI$c8kn`dAfyxa=!UG^xCz>$Cl^DR?gXYe&Ed>`XzZ z=en-VItKnsb{KIOKIBt|&|QVTrC{;lLyI@=jHJk%a1Edr)LzFfnP@R5P^oZm?O%L`eI*1Jthq`RjKb zMa9!Yx-5xq1QGDXY+MAMdszo_oJzc2ac?JBS7+jBV({d?eBsW$vKF6;*B!P@qK_V> zUQm9GD%A9Tu*&}-pGT#$=s03d4lXC>6=A;}+_vrFW|deY<+BjIIg#BW%?I5io)vLD)<`J?zNibydQ_!jhE5gSW;gQrxcI6h*6!VB9_69O z&etaWf~uBaAnC z7rg@Ozr&kd>%`h71m!tt-hl})!yXb%^6gpRXvQv76JDO?Bi73sB)iHp{u#|HM>OJ*yMjPv3_U6-4)@*mdu z$s2aY7;2b#)qJnsolB#r-i3ZJ> zgQ)c>U+9DBrgKPewH95hY7DiB_($Fcsy43Ug8UzW1j>dXc)R%TM@Jz}3doUw$ESe( zr!%IyNA{hwAI6~-IosC1e`5~GEO#iXF$6z1kPCVV1{Q6)YP zjMrSfb&h5iizOn1ldbjLhMCgt7HdteN3}<25wrHJ#jB)b9<@a9RDUN?*GjFz_k}R} zICs1O1dCiP>P^<}S>~8>F;P@YtWZpa|ByH1^~hO#%_YV(T1fTr!*mRtcM4*`No{|3 zz4d8{?C{ad5iEBbIrVkF`VhWyOcb1>XoN$2Cf47W;_*k)67O2iseM;1(C!V< zk*{pWLqsrEsV}mSnA@NAP`UM?clzQ6Z28$|GHkg2AKv~ms>$vN8%MEXLli{mQ2~)I zNN=$L0s=}4MTm;j2$9}Gq9~wL>5sHLN(ntuLgb zyDUszGYUsMW(ha(+xl_X90DA~keT}qVn`=_Y!wf2T!Ke6I~JR5DOu-r+|TZ?Rj)Dd zmb7>kPdpj^kI4<6{Hy=^NBNvQX(MA;C-Z!MQ^Q-&DRZ{xiME~nqHDpmroXlDZ8KI< z=oUT!Aw?s%kuaSgaYi)Jctq9oG#uw`dHDDfiQF0WJNehH&12(3NOz+J>#`~5^g0tz z?rxgD9Jhex4;k(t@V1J=goz1?-3f5^=gL*vAAB1k>fz}rw$GNW8y_T$>)-0h!>1kk8p_S zb6*%eKt$av|huBDM|L2~^M9jCjpeI3`{flgre)RGg`0zojXg_bySOF7@3T|XqjAYO|ecijpm!{|5Is#*nDkwor~+t<)+(0 zKieMXTaGp_lFVm!p6>tNt`(Gl@+O~*aeb8h&xhnGm-yo2_#36^ zLKE%Xr3|!2BhJ%M7IILu3qh`L%kke_s0x(P*l3d;raM=g&jc*D%+$gL*hN?XPCY|2 zWO=_UF>X3HEfG$!WN9(+2#rdF_W0N8Eyb86Z|zCanwD76qp#%Yp;M5^2d_TeKhkq` z+$ydtI`O*jSjMOW=4<$&DiQgvn4KuKu;!`O82*>SS;?ms?i-B??96p4F=T+^c+4C= zDGEHFOQ3yVG&yXo#O}T=ksA7lAsb^>gP87qL_g!#DMs(#qR)!ZdS|Mv?z2k+ubDzD z>`}oF_Ne*Lu#L)frLwUolSY{)qrq8H;9Mn1e`xOBlRM%zG&y=J1ID}y$eCkk;I=IB 
z23Q$Ff~cU1<$LOt@w2dHfOw(y$K;@B<;AraWuyIH}kF25006Hlzxr}8rO0BH8VHF)~SCFIY!+XN+sN8}D@K7bZd`ao412cRE#Sr5*pjO*I!1+t+@u%P zVIc?hGDGDG|8Y4_2Og9tb&d&9zD*T;^P+a=%4PyFVU^F^4Rl}6-xwhFCqe1H>@V4m zp>M#o+>r>sfaHr4M(%lZTRe+L0o4V}tW?sLVeHr&`@+Ht|8eEmh+a6D9W&#fE$)o8W~hOy+d=SRkJx zQe*Wnmx?f305g=hDJ5Id3&`B1&3ALhk+&J^ka5XIPu*klD6Ry@r{8dq3)I2o@gO4a ziDn+jR~MSw(8r_Z=fezD{!WZ-H$fsQ$8gke9pRyz)rnjgITM~P46APttK;NM#EsAg zL(mi*CJH$WqCE!3WF;lF9`|y{;r|=du26YvrC0KM-3N>2dJcQbNuj*D}9hBM@R zf#JWUvACHOQ2b!_Dh=I+KB3Pz4G;;<_5#_t1DdBR?da&aI*T`e#jpY4wQHGO=nK1YREWX2g2GjA z?Ni>CkYxAdB72)3AM2tL+J5wkF3l%1pCQE9)!_LibPY5?|57W~)jyxX-$@Goh)`aP z02B*te_}HxsaccTB#SH=^>4bDEqVKTxP_O$YuweK9W(p6av7kt!XTlB^in zEXmV<-7$Y_LWY10EIcjU82esIOuTg8TffX@??tOG`(FTjmk_Ek6g<4!i2Pxk8ulkAD#8wch4UlhfOS*t?{n>gN@sc66l|4WEWf6GE z5K~J=4{dALQOwP+uj~@v=a*NjT-%bLAfKH*dPjToec5nIR&!Gz6VFn;UY>6#x-+VG z7{NqJ|H7?+a7t89raltL3!SOdzs(s1U!(%;lKa}^4*4J3gQ2gdWR73x7B>EURhbm~ z(8f*E#!bk)LQ}P1FI*8j;=?iggt06FSuvytb@+&$ba#dvQ!pfZX@v@+ZG%35dCDu~ebn^$#vay8xQs94t(}?=h+dsM zojH&pbHwe~+4`4nc-3$CeX+fm`lPvh%zV=*psu!dy(mFU@Zo)ar1kPfT{+Pp{GjZ{ zOpC=cTF=J-kZ=ghd@Csm_Yhm#;?ONJs7^nYRv&52D;h`X`<~?DtiycFnFewX;1`=y zO?TK|5vT&LzHT$ey z$G;?MsAJPx1V-ap`wd?&lxlzW?=r>+wwYT(c@^`vTV^UJ@L~DWa*Nnl0NFYXPbn>^ z=POo)(@;zLH8jrLlgkjW;4Ub7%ydCAb8!2girtiJpD#bE{Oj^b3)G~Poaf~qW$p~w z@{ZtN&kxh7?6F=Q#{^1l;2m*m8D)PW%AoRqhX!;>d}w3)VX1rFAu_;q&he9!F*zmBEr$;o@WzfFyL*os=7+DL7o*Q5}f zd$XPumj~qcO7)SRk_*Gh-p<25J>wI!B-X|IoHN`@SQ3ODK?Aj;KBA8zwT-ckA?l_x zR*Q29%{SH;*g@84ZpvZmK=;D0hw72FlM`#@j8eQmkjx25L0I4vB zJj1xS*Y?GDtiK_3AmP}{3-_*&`ufQB4=S+_%6Vgpi z)RyL9%W*)bJW3l*?Rm~TVgV$$E}#Y1^iQA!I!dGpKvQuqYjkg@rw;8rAb-mJdcD49 zkkopaA;7dkh_kVT`T4msEC}OvxznIKh_W1xS!)a`c`gMsTA%+lz9Uac$uP)0SNN+GCpp8 zFR7zWy8yViy}8!GQ|U2VTRJ9>hRzrQT=o1Kd$eH|Sl~e_U}=+Xzv#5E9fHcaostQQ^w> zqj2cXkv<>!Qk8*HpIog8pIbnMxUdm0u1pB*x|fOS*Fru1QMM9^>9o5M0e5y{+H8jCn`TpYlq2v-y5T{U>TKMyI&z(c^C({8Jifs8Vvu*r3I^ zziii$kX-ILb4T@wj-s`@;F_<4Uw?{aT{0wM)DeI*BWV~xN%BZ7c9c2=tHT=1 zplu+(6F&nEFqP4crrFMTt?kpT*rjk?UT<2`k7|aRCv6!Jv1`@%ba~?Un8A1G)zW_^ 
zm;d?n@(kBGuh*k?S%F2hbia61*PuA8ve&yJ_s|hir;lJO}@%ecMy}9d!Wd%>7+CThhJ$wKd7frm9R6<$j-^=MqL>fOEMJ zCRvLZI)s|pOlGl#oTZpAQEhioZb`q~%|;Y}X z=pOKuTJT$fU@I>I3P?hOE)86x<$#1)T!)eliDZ{ZVPH7j7I zJ#Ue#?Ps3GxaKWmvaX3We)!c?;&$w7R-a0IS$8aQH`O!Lkcg5i%hK$9lIs{=HAB~n zZI#@@vaXcT?=vDQ?7f_CGVX4bk{31#i+enuZ+(SF`*$tqq^z8khxlpt%OgZp?vdX} z-9PVD!l8RzoT21p?za9fNq)w2EH16iaSw0ijmz67m(XWyNA@D*Iy zlhQr&tF>J^q8yueEV3Ik_DfQdRMvn!ldfr3IyOcX`x=K?;JvJZjD z8L4)Mezke~;E{cso9J^3%|R2D&U=wa7Tt*o-!ZUnH)d(dZk44@UU6S>ztD7Z}i|Rt9!?? ziZSXLgVYF-)=6_B!4&?}((5#SEF1=dhdWQMlS?+iRS;?e4MV3gP*{NAZScRFdv#J@ zbSq&qdh_d+Siyz9{h+V6CH{@}y!+uGt~Nz*e%T0>j+!SY-0Og_ll5Uby! zabE$~$;WN%;z2#r_-*0s@e4-Bg>O}*F;I$K*0v=Mu{np~)1wyV*$UioX)-JI(`wRT z0W1CDt(#_Hhv+Y9DVmAu$&EK97i&r^FL^c$PDur^GM0?-&tZ#6M*-&?NN@wk>7N)u zIMN{V+})dEUJfk->;4P8#~DY|%&d&+5|^n_%iH8>Rdt$fa{WD5#Wv%qH!!b&72C)0 z0tZxhwkNE*$()FzwAVVFwoWh;6|uAk7&XJ{+`z&}>kagl5GCqcz;Z>{KzYK2$MHT5 zoLIp!TSSR4@@`~ypw8-D7MT0!E}sWb0*qLV)<8=bK$JCda9WMl@DYILY= zs;zT|-z_#CwF!zF-84WFBM^AKH6S`lCd?NDK9(A|C2hqJas_&+#92CwkA-&Z#+8MY zF8CS!gtC^rJIqJER|1k%jE?Ld>3ytKk#Fw*E+^0ws7yF|BQtRW%bM+8d?PK`LbeVo zDZgx)K$7O1nPP$wrx{%($l<(m46`lA#r=d@L6_`KfLU;R-dL?+S2g**p-(o#x7+UG zc8r_Q!J8lD&n*R%er%-Hz^u`3bc=p}d#fCUfr<#5eORL-Zl!8ZDkS*be_ZgSD5MfQ zQP+U!h2{#Gd-xL}Q{)w#wHe)f_g{sK2Cr8Fq!3|}{k?L+HPX4a=0*eDYIYxu&YGxs zH5uC0{M}Tvapx!nPpJLOx|ngJrqImUc&f5w3fznNJEqs&daD_TnHM>O4w(0~s7ov% z#*r<;Vp`@QPhLgED*BwhSgteloRR<0;d2gY$wLbB|8!3&7gP)MXfCNe(YEx>%NU_s z1Z9)f*4Fl&40vY^G}loC!$~q}wTv1tT(jOwa6yq_^bmHlK7Ud?xCR>!dh#v$FUhMh zf?DP{y9#-JU#(?8VZi5zXylKMbT`q7q4b9a#uehj`McrZCCu9fKGs{=`}LM4*^l$mx9ntJI>gP; zviwp!L{Ix$Y4*EDC)=`7CiDj>V8wiTZIF_eP`L^R99p?t8`y=HA;U`aj^}L2QHOXIejq?l<9j7c>?%LV%@sG%#bQZaM(xzON?lu&?!vN z6UfjU4#T=crlZ&?t=9qgdmN6CS|WTvUD(qDGw+cX=Gw8Rdn;f^`z1v(KiczYZu8E* z?kPU*Z`WNQt#PWUe$(5VL?^M8U|Eg+@t3ly!=a{!!3UrR#3W=7x(*H)_$%x=n8SVy zKsmopQ`?WhsZ~t?9XuNCJrBn#etS$la5)`(LdfnyThe{UaIJ7DD@xr2Ya-jZM3po< z7_73AR2#qy0}Og7*q;kmATjznS{Oy?HSPZg&6goYDUu_?G_{shj`*`%|GS zK(Qo=PN=DGu@HU{j+X4BM@AF;6&`-k&Hj~ 
zb6uhfsZX*vE4b|)y8lrbX_CUB;%)}?1oD1`+3D#|2x8a-H20+vI>MJ z?J6U#n590>Qg%UwUZb%q>w=tTR+q%hrhf|Xc)1>Yeunr_@~z&;ErCl%`~O2w)y?}K zA@jTvJ%(`~Kxdot_z%bnycct?uGif=F`hvjW@??U6zQLCI&jX8amJA#K2HC*sFc4_ z4zc$ef7cjfK0H!{9u&2YhQ1qoZPorFf6&}((5Vb-JqEoI0;d==g{F}`c^4*|<$Sm9 zbNF1!){KJ`!Bxnf-_-aUGpzwljqX|?lYQCEVa+71MU$Up|4gi;*`zMVzrr(RkkaRk zI~u^}pXAE7W=g)?V6U2N!fTfqAVmZaK}C8$4H2RD)U(Uo81rz6>`v{B;#N^8&p|kH zvgR#_r2lhjY9(S*-iJKm-!mRK^avjX10iB!MCq+C0OV`XT)0 z)i_Z=V00e-pY35RcmYD=K>^gY(oEr#^qJW~9IJ5#+7MV!TcX zGJRY@wgQJM@4Qjvno;2z24vt^WAHy%n65#UNAg+CHm=CIjuIH_KQ8_qvWfPMn2Rw6 zqu%8st=r@~RqyslCmb0OMbnJ1K8rY{>d!(aiAM>pV=m2a%EJnmMDOzb=J_iq1QLCf zkg4??+WJD)kT*SiEZjg38IiI!xAGDxVI*Soxtm804nrE1GKM*HZ=s71zdv`q zpZ1*nTk`eYN|x^Gg!Aw6!-}juC~-Q_y8Cgix$zVs6>JHlos+Lw(NEH%n(Z&%FIi9i z{#jBIR_=V_N#2|DTo_c_b&3xK7*E7Gm9l*~p|TPe_s>Mk4J|cTk0HxCTD%jo1ByMb zl(3~9JetdnNK-^TV7O(?59r`h(`{Sy%BkCw2x$Yvk$ueXO_o?PrlSlwL^!$I6z!V0 zvgp!v?cT8yFe7fE&A|vK;3D(^48_R|_~IeMWdRfu1i-xP?|dOvo$xZFVoY>m(OAvB zk>h6+D_GSUJ~Q>Z-8w`mVK4N>1>eBugC-ZVQpOyI;+BD=OPcHN#$6pT>unQ8NPk8_ zAvY+^tB7O%gsq(?MhoZggtOo3^Rmongl-TI!kN*gk6B3Y>$m$B$%Kw(ot6gV=M9pr z%xrJkb6r)*aX&5&JC17O2G8f8If`Y8ifom0X&&W){>PQMH)nz~5wI~aAAA)$nlD_B za&??Fvp-mM-_HZ$a_+MspbijlrD5i(fChCDPtS;a7>V7AF0(h?_faUClwV4@P5IFY zs)%^Ye1U4a0Y|}-NLKT_RG|{&$ml8rbX>8#Qc>QW*3gW)(0nCmUw%-z>Aug??{}qK zueOGEpIc5Vc~)Opcf(uTdC*X$ZaWEIW4h?j$Kxai?Ik~LuXqGKQ?4se2KJbSm###q zW@>aaJB;kM4vGV-&8^AcZL0x}o$Lk{s5F~ON3$IBb5G>g*)UIeo;&g4`@yBo<)HX; zELavf;@v}fo(ga8 zoY9Ooyv<`Pygk^Uv);El2%DHS*M?P~O)FVEUYBmw$6AhMoi=bZE&YU&Gca8aoa|Z7 zWL?(jYHS6@s2{IpML=VkMD>t_n-cxkHH}`SU~Sm zq%Gp&|0$m2Auq7s=xf3E0gH0pwhM^hf@$%WJW@W748dy3@Hh5IU&qQ%_LQa1mt6YU* zb49Y^G8P_5g#2;bCfiFEkQyiQjDe*D#7onCk-GnJ{nF_HAG#*CCeyC4_~$rc0EO(h z3jl^RQSCE;SPyZ4W)z1*QPC7$%5>njzFH5&?qXZC3z$3W=d-{TPhg}4o&zl4Z z|F2+0&R*pHj=i#`FFC$D%YRMSFTjHo*PX4^yBWR{b2?5)H` z+?G2_1fS0^TI8k@nYM^$47^y&W|yOdkgl?E$yJS@pz7J#xcmz~kA)|{6fMd2gKXDR z%fTv_6Q#MEw+zDUaVM&@4RT?^1iV-QluYLecFUIP^Ow9 zn>sapE`DiM=@*%E%71?DEvQy3lN!jhMvm*>X6$ci7$x=7ID{qjK>XO9 
zj}7$8|9rh7Uo3i3Oz6?IH$#)ITAr6$x=;}qR78`U+C~fYGDnW2>1LI2`$nFV;5xXD zy5T`=#03+x3#VO5al^U5rWFE`{lL7=ivPG?%mUFDhR3$Gkqvw}pAOW(M!+;nR1}K# zc$ncl_Y3%-yp{~JU_1bb@=POoX1Z^n`X(--L^p?x@zKR}5By#^s)=I9X>>s<3fzT? zTQ+96PvA(+xwt*DS}>ge4leMsTSoK3b|tC!-SAhdxuFuOMQq}L*}o~gX*|7 zI~V0Vg=Dr{*qhImE>{Gh^~!f^hz7+w(OdQ>MAa1BN@q>szI{n*oB8I-S+LT^x)N|U zc%A}3#qe4JK!Qcw@`yqrrjYdnS39=(;EwTeemm#SF1Bj|@ydKHrxPrmLxIO?vjflP zKxsSwaZUA@0@aZPKU6y}J9}~6+n)*LT->CBZ};IFVtTh*M^4_RCy?9pEA%honjUd%rrxOhw>0$pkJ?%o#0E&MuJjO|%LJG3)@CWH>-mTr#6RtIqcDAdBkzoFCWocvUI zMTwd0{8PauPXc~#0$ExK2xM|bO&tJ7enuJ;F`9$jOIurp)xvf;=4ukw^>Gu6OF;)MG5wf;kBDn_WMS_07GmW zj|e@3jn;)R^%?IV^<$J~&xN=d;YH5G-IOVxYaXnw<8Qix-H*>NiLK4`prRpj!umWR z=mq`EB{sAjuYYaCy$Zjj_*N@+|550L(&;<%k=56(rA3~SD8}*%nW+8sGZF3E8l{IB z0~N69tKpXe$WuJ0BE&w=<+9*9mN|h^$^)R-oyN?j$rPSjT4Wa7Mh>;dhDPd zh*hlYPj?Cj$oBMGuiLSniiQPy&0;N7fw|k0y^g=JRXaqM=*6vB3z8T7*Kj8QgsjY( zX&OnDXorznf?zkz6QZGFijh=aJ1cUu_~UJ(tG0awDO4YSX#N}y#p27Ro3JauFC)0= z+FKUUiUAh9A=;C(O2^iOMcd%2>d{Iv!Wy4$eF9p}<=-}c_j|qI^ujCe$_EbNo}x7+ zy)y0Vn0Gxspdov`6sY~=m5ipF99*K={LWVgjH;_BD>lW}yDO;L#|oEf)C~yR;Q!~T zPOPz;QSNecQ!z`RHu#iJ|DA?0tBqAH|O>m@<;;WBSNFVVbCRj{tub{JXngwNOJG5?d(ldcZrpK zQuv`l$TYvvZ$=|9LJL=e3bmFU=Di~D)oakm##^;!nTpA>xDU);liTbV{s1^5)-mRB zWDgj(A19!z?5@z7yCu9v+M6Bxjn6c%O|eow+tiOsc`W$mPV%rnw3JW>$g}j*gV?Po z_a9*Qq{K$o9ed9~QPO!l=Ba#Gbh^JN(qWiC-Bt37Y+v7x@7oP$4AYebo_Ch1=GeIQ z3r_uIlbLJ#Psc`v_V@EIkJFXEnD8yEF0VFPrlwWqj`~@cmg(HZQ>fM6o{f9CybJ&1 zGBPgrFJNPuFXod%eA-8K!g1R%q_6a`oqpmPHxL}xosT29}z?vSmqgyHgh$**wqs|yKQca z{xR!a8*QBI+fSL1tFT@7S1-JOe*Aj2@stApn78*!dYDJvzz&+v>#~D8ODy$E18!G91(fs!~cL*fcRQ-{yRwhFQf^g%2Xk;9L8Oe?=gwqx|% zsRgh|qG5`Bck12iW+FP2bScYYpYA^o+IqQNlCh|~l>-+wE1zf~%j#eVEk+yZn}IG^ z)dbxR-gmFlF)^))hcn}AgeDu-(!_0G>XUY=d(O_a{zmm#YfntU`cLp$76!kx@Q*f4SOW2YnKr)p8k-((9S9N}&;jI(A$w}2N zK_GqiyZ9WHtbkQtGkJ33gZ%`8{-PEB?fuu;Y{`vXBcPSxl?Cf-Ru8Ag z3Al{zC$`1`$oU!P`x56gfhkMo3{-46a`^9_YzQyTg)z@Eb%IGk7MZ^fc3gaBn+}HW zI@bj(B=y}~DCwWI#&EYL+Q{P83sOg!`wa{89^+r)I<2!tZ7yYIS+DlvF@2n(RC zD(7Jg9nR>w;9HL{w}j}vd9~EW=3RFFNORu 
z#CE2bwuQ7+tPpF=MXeK3CI9V{^VOGcr(FC_`xz^pa8~on(lqH$ZW}UdvHcclIzzB? z;CRt>c3zgc*O#{^5rjY5zuL_;hJ`DHGFN>tXjqmMp2ZL2oL3rS!RkFZTt^5BP;J}Ef4bLXdo_U|guk2skc zwdpteCqpHBnAeQF_9o6~8J=+c73vQQOC8x6+7GMHvhrTdPxTIOj@5r!Ha=K|b}A9K zEA)EIv3r$E_*}`^b|hKmvP*$Rb&D9({67Hn{WM1o=JYwg`;V(=6=11Hx&S?d_fg(+ zOqnoVPIf`Q%zs=dhMDXr7u4?W69D<5*9yXE`-VPzFkD~!uR9Q-QG5aGA7;mc;RNy$ zz2|@Z^n~}LjEt2IsL(lK)nrCAr{_naTchVm1^0OUN1pvJ<9*|^4*5A^0!(+7Hv0=l zmgUb*2hW$Pu+-}q*u_;fs{6g9`IhLi55&X7ifRtINl5bc)O9Fu10FrV~Og_SAqg|lmH*U~3hEh+k0>|}uP z$qN|d8Ja$B9y;Z+FpwuQy4SynUke(AK{AUR-(HBejKAA>$xSrwA&DwAoeZgNIpea8&<FH3Xqj!36<>D10<7f|~J1Ye{z1j6h+Yn?ytG0iH39VjHi5Q_F{Gg4P+fxx&i z$|y4$y&m&;>q-)?Ea3(9F}yycQuo8Yc!9ic@v(n<^#&uZ0ZTp22CmtKIZ!nv*ZC1e?qW8Z$s z?fNzB2-HlDpE z?2eFjr1#=GPB;h`Kgn?enoz0N7jyTJzb(z2BvTrH9S}J@-L)fX!@rigp;z`SWS4rJ z6&Vec)2zFMbns}_o}0+^G<5cvL{XV}p?~&VoFMT4_(>*Q`rp;L1??GTNTaFCi=ekE zA%|=%%X{HH%{B8wKpc5eEBqht${D^{!xsaN=kErc#UY>6iPvy?JDy9OH!{?1v~Ob$ z?kM==W+mjnJu1Saoh4^S2UKVgm~DHaqu&gSPKff6PypsEQPvv6S;zcxnB}U4FpXN+7apX~h=W zoqwvExa?Q+6k#zGvoIG~gB+GlOOh#u)H3yRY6yH)#Zc6nv8Ki+P z>VoE#1OPzTKYO-mt1zmtYcheU)r(pfZzKgl71-m?e~MRr>(vtLKFiybwTyzHr)nOt zi^1~*2WTXD@yZ7TsC*S#^TLaBc?%VV)y<}gJc)s%yX2~zc~~f!qVciKULt*b>1uqn zkV#IBeQ{kwNzp_@%4-acWTss%LfBUcAgS`7s&x79+UQG=0a!!kF z!4`+Ru;&m!!YeWkIX5f8pcXMCY?7=1UKDV6&Q{Sj5;Ln-`t!DDM`qwcw?CP8OxRW5 zmN4m%WvmHc^dF99s!bfsCOGI_-fzk@Ypjr2%)6XmBk14f>swPD-Qqey4)j=+M4N)u z*o75XL?{5s-Pj+RPcsclhl}pcD?scbyVNIFYrNMYmnwND33zu3 zFYO(j!3Zu2u~@u}tq4Im(S}MJv60R21=w(nSJsKcCH}jLyxd+J_laJgY(~VwTt21) z07&4UaBxtwmV$`1@lIcG6s1D)K(Z1oTZi8d$&Ze&78XM3*S;(asx9&8R?n@Rs2CJu zuS}^a#?Yq#UM*G#*)zw_(%SNxowVSY4&k-YZfNew1eD7pKC9d%JuVLPDeXJ;`^-V= z|I(w9B~*y*Rs{k>8x5WSv1@{%3H@BR*f! 
z-#lOWBdGDubN86|H0#R-${KCd?g1(}hUO;3Ab()?Df14&Q&>WH3N-9e_N8+&117D=O@!XMMcYn>>gZ{uo1oaxC}3*9v@J-vWN%BHw!>s8V~`4Q!Ty$KKcH?&Yo!R zZQZ$=1DdY0+h9MzheiD{q?|n2EK1Ll1EnvzSj?8)?9X%xrA#}`4rdMO{M~DyzO3nZ zc3V`paAWL!euU~1Gbj51-0oVfJ~unbrxFgHpZZ+bSRX2g9OlT~8S4C0CjPawnSO@r z*f%c7II0>;(ON)Ht<%qp5T4BmGio^eJmUQwS4fx3N>T0+G0b};>WT_yWiYevK-!f_ z9n+)fnah~o#=N@S^!Uqig{IXXhl8#%D$&~l97XQivR->3kOnh{V;k2^j9H6g_}(=D zeb5Ye4-72Yc$xe_Cd|mx8a0mw)6B6+=x-T?+;1zvaBu$}&>28QA<)((Z^u5$oJEade2t-&iy$S zOTKzBQib=4v!V{KuJf6SQ>N)dDzOpSX42c!d*9N(#B^De-7LA;tDZL~9S)YRqG4Df zpTC3vk`Jc?7oZ{@eg^)P3=DKK5G3qnlpWV%LESNQ2m;^MjMX&K`xZX_5x@gTMlVfn z5&aPXAh+XdfYnAblICNg5w4~Bm_^W;1)f*V4J0?4tc9TesOQ@5z{o78jQ6J_& zl`!)d9Y~i(I+<=|(%<3PRsV6h5=ih)=y82T#jGr!lEs8$rZG>dCn>}u60P4pCo7sn z-6_l#d@x=9>ZxzQ!6SD=T#Tja6GVP5XPB^_T*vHU}h-Y-qd7InS8_<7{zEEzdgixv?iTt)R1& zxWCvy1^w-rB@ao*U-qu2s127IPt2~Q7=&XeEzI+rp9CI##h$GtI?%cr`G(Q61p4qQ zpqHZRt;q-*?l=@n^B0)Ypa&NH2KcbGj~uVrN1qR&w2{x+R(RCrEd1E_F*%fxlT3rl zNC%Ar1=Gq$PFt#;KRxTay`1>s9AK3FoUuGnb}h<{mo#V1xV@$Gfc85N)J*hlmWEZ3)*M`Peq2i#T^>1mGU(br-BNp=3m#a`#x937_%LKbGc)7;2z{Bga`m ztPW{3h^AR?F|7bEa`qift{q&Hg}7Z$RE0)qXJ7&SoA{%wzjGu7y*{U2!D{xBll;X8 zy;F#mnLF50Anyx2Y7`hY93_5a6wva)bRHUYZbpCVP>Rx54hbl%EIUE_$mcnAiK;yC zw{q)f^BaN8oPRuY3Aa0kSX*T$PTc%UlxrPbZkEJi8pl$-^M1)QSk_e{RDhVSDX#3G>*=Dx=?LfI& zJbNJoUa3%M{K9nA+rg;$U6_nVw#Wx=wXx{On54pwjh2Oq9{8X!Q&Xv;CY{>GUF9+@ zT`>ps#u9Oen1WPGcDP(&so6n*?)p+*b|K3EILc9+^C5Cenvv@!H2ilaHTZj0#G2cz zSzzU|aZ!R}bo%q8kR`d_66XX?wti$c0Z2Lzbe7+dr|73a#zPt$lQ44`%s9ek8DByKv}o4rR|@ntRUklO&vXcGcD7= zfOURz!5lnqOnmv@!QK+*F>~Egs?&}Ev$u9K&b?%p2hqUP;&h|&sE+@*VoBgcf@cy# zHs%9T+9T{@I#pM~g*IkN+iRIlI@Vsa?dTS&XcN47>LGhkg3tF|t&7l&=?d4v&EVxi z;_Tr?8O<(xr&ZD{KmlDXSwfxys-c-ISD>oc!Oh93kQ)a~gmDAX$s0e1Gf!f^LiQ2r z&I1zNi)QF(k&edhGVcWuCqJU~7^35PHyy9|K~$OfyT08h>clZyp_hg4F-iHB;GPom z0tZ|R$&1I-5fd=`vCOflZYnELCGX7Ruo1wh_k#nSCNr3xUX#OptShWbw>eh4%!?@E zW;|+_ED)~LIrobn!T{!z0KJv9&V;SWP%P(!-P*0$uE2jkN^R*9gPu6*Zr;o_sPT#a zamV5cdVei2K(q!*GwrZ@Q_-%C(T-rgWb~TYAU13MmNr;hlVhZ`)&x6s% 
zE6#U56B!BN!BoHij*rtYRM)Mu9ne~%j->cJ3C5GH;I>Js_rm6fR(|VHvl?X=Sg;Sn zu?bOwmak^hkEgp?B|6GH^LX)XC(f&ONlgvLEU7fUF_~4SI{PWsxA75KG(Y~Z;$f4v za?VpH%0b~kQI^Fl;8I`BV2!GRcWd%R^takp&qoKwS5Sj0nU zo2d8cHPM0;X;Er0H7gT{Mk5~~92hv@5%bi5ZxT6kc~Xo`Oo)y(5Cp75jBET*LCz$xnX)}Y>I!~v5p6c7-1t>LVl zsXn}N-JKy*P2KY?CnCI=AwU_5Mpg%(E05{iWEi3rp0cb*o86n3SEvLM$YlpSqP$|T z4Br7yBACAW=V6TkUm)?te=H-TB-eV$9t|dZv8KT=PuDT4NLBZkg-3=*Rs4!qyDx@o zsaAwju&vlX*1&t0Ff2N<_F4QIOTjTXGvQfBIaJhP`Av3ivz^H38qANY~xroVNG%4Fv4w7ehd8 zU{eAem332*V*I@}{z&RyE>Ki3p*r(Bmf@x}h53%IA+V&tWHc=*#9`Qw^NYzl)jCBF z$pCBg&2pTn4dj-poR`EAw_mY#-GTzhLsKme^e*E?i}ddoS^Kw=(cLq>>Q_`{wLR5H_W{GP&c?4_EWszAmoXVumOM zaY@gjqhPIHa_Xmsh3?sSS>~!%2+dUxo1_9GF4N(k3DOOfC!0M@O!C9JO$%}6L>SQ8 z5k$mI+m=NGt1%RUGGoL5`!~zZ)KyqykhX`PGVt?`W>2L29&MRno=U#SYj`#|+!A5R zv4pBb(`Tr<*$kwC=F;z+~x6JGrufle#mY&HFJ7_)<$9F5_Ro>fhNWVwd4QeLo zWBy-&hf8K?w39F_{&!1|D5U@q+cED}zIC9!a_y*Q{AIr0^Anr1=M;p6>(*n97&rrvd36h%crKzdUm(wj&}DY4Oi^b+YRA|(RSK|-P^AWZ}W z6oe>MYNUo9=>h@*0@6tkkP=8h!i0o)ru&p#);{~}b;rJUjC=3;gE7b;ZBFL=zW06J zr);2szi6Vx9;hkwy&ZZFrOEUBPILL{@`D|9@0q5`#E#1t^uW)F?mK61Hxvvo;XJ!d zW_N8tOQf0JwXbc<+-};^g{h;aPMKA+{CsbPtv}z&>aiiRfDH>ry za5=uJqh7D1Hk^Og{q_d?NkM+pR+@0y!IAfl9Hrj>!ze|jF>>&T)8o2Bm7p4GYGj|h;`wV{>2Tq;lYe=0Jnx>Z@1DB?>zX?Po?kQMxS)Hq2ylw*LT4T#vvfgE z;IX{k3m#e`ckYxptu8)s)2XZ2^F4KKsoo?iPyE`o1b>3-ZmoFWJ_hB1ZQZk2#$~p) z4A%*McjF#wK&2Mc)$YqLeP6^aOs=EYr;wlmzg$a9M9|vh?Cy`z<4v1M8w4Rm;nCS( zSEiAF8e_Pl+Mp_1fFygH%NZK)FkQ5V;9vspQKyU4X3DcrwI8_F8(4TBLn5Z1-95v& zDKIq4zv2~Oe4(F2#9pzsb{{Bv)v$cHT#;36QZv;w^Y(h$Upqq24W+EJ7ro1UG7Jl* zR-s}M9N-EiJc61~rWL!HDM=)0%;ev1p6Lb$vJqYnVXyMUTI@Xq+X}=c_sQVsV-SFJ z2n&Jd$2*C~Q_$MNOZWnrQtMYbdrW90v}jxO*sh3c;?;9iJq?(A=t35{5<=5lq&QU` zW+B*<0UAmYC+wR$?<9XF$h;>AIq}Rt6V9Dh4b(Yf!ajakzUT zBqbD=hvB`3MI90F(#fOD9Vk~>87J>gEDev_D;B7tlgoelo^y`!HxJiR zioaymyvp)4QOm|7Z?#0sJLu;LFUDi^ngtzSnlE{-!r><>TGlTcs$e8$_x#DW{|2&SYA?I;-a0t1UN{Vkm87I6Gx%7v%W5;(_kTJ5xR~V8dg2rLb{r#Kg`? 
z+c{m!w;NK0qj3vSm_Vl*Df$@dqi+-#MdR8w&r|zhcV2)dPZoYR0AB+vqkUV2LJgfFIQ(k7G znhp*wj-SQi#Aa+&S*W$lC;S{We7*IVHawk~w=?9*2n7nUD(7G5HP1U|s52HT7cF$3`FfO5Jp~5}=i+_WAE-^pj+A#{#zf(AakDcu&U=m)8_% zuBJ+TuT7~gcC<6N-<17{q1xNxF#~g6albI~LZGviar(?&!4Q0VC)|UkHMd*teK22; zxGio)_1x1FShPT%J$MF_gl2a_ z_)yJSCOuDbzP>(#QQN@g?CBI^O-*b9sRYex+b?1@Un<@IM$!w>=PBhpL<}FAZAy5M zVP<;^4bR4ttBN*k9iz)kg_p@8cew^1&Yz8mvt=#BDkqn07Ak3{7L$e4N8doZXLWX?u z(DE+U$s?doqS}Sr2-=*+6W!E!xF+^yZLp|V;{2@B2Og$-WH?839+TN*% z^&1mvM2&KXhzAXGkjX_^Tbs*ch5^p7l}S(e(YnT>3HWTQ6{UC-1XEa1ZJ&NKRO{hL zb5eu}P!dG#OmEe4u$`I^{7Y@5w$zm2vc;u{g2vac?s@ZUqAI~J_7sFs6*^l&C@DZW z*rKC(TNQwuwg*Az=gxAs2$v?KSt-Usw{RhDKDT7Uyd09-7?(cu=YCZ63n~(u4ZY4R zLvgHH4oLM3A2P_#m`q%9yHDN;{h|Y5=byC9%1W)>HT3V2*r*BdE|(NbFVA76N`#8G zAK++br9o6-$8zLCmd!AN1rLw7xOVe+`N)b{%}(9Q`#a31U-%_|%{&gyEKXwcv1lj}Dh(l=K^F)3YlUBLj- zK8b~^Ai4=t_#WQPt5(WZ6odhCx z&ncm;QFl>y5A&$*#E-hXLz;tT)f?N@*(pA=2^W=Yt?2#eu}G& zW(uL+pm)1qLtY?N)*&EVdtU*NK|R;u_c$O-XJMGuAgqD&oOV-&+^0^dMQ`h>^-Y&CNI_s7)y$^&N$ znqXMhp)%Y;!IeFt6ZI5wHN6W$GTS;z|18Ltu(gYUz@cYoo@50p`d1(cFlW#`ZzR;YU-Y@ z=b7_s8o645m|d3`WRzxnEIUO5JL6-I4|8$%XWeawL1YGGw34hq>hyUMFXn?W0ts1b zJu*r&^DOKaO%JLJ@8zEA8JcDO5-PVDR&fAe%D4N|ExZ(My;aImhKp)%wI^%NqkyK91!d#{HQ9DtCic0KQbKbtvm;9FLY8d#v0q zRMg&;r=Ao(pK6w>%DMJLe*dp884XNFQ!dHQfXR<8lbKYCBj6o|hnzw9kx`xA0e0gB zW3+38c|qs030R1~KKDJnlA~=$%M2>p8&2jiWLo&W&lqVRg{NP%tTLPR_f*NM9m~zM zHFV0qJlA?9^v(R6ZpEg$67{+`s#EFQR`J>^TZt!sT%J#`cMd=adc_OfjqkBYT_gWdc`qdo;iOy(tX;&q?|I%cYA)l0kL|PpIgp zxszkfcgV61|6S#Ws9sl}Dl19!Z_0iFe)_Sll!S#p z$ire<5Sir$P*ec;w#`Z5svXK@IO`|@N-=3GX#r6`Qlritz)a4nlwRxAgox*mgZVD> z++eYMRV1xzXg}*<3+jcxs_tZ`VY}FmA+C;TT_z6^DsZlaKO67PIy-v`#;d;`;kjig zaZjXQnd6fNNL`uyZK?P!!#?dX~i$jxL`WsQOM5-0T&ssxl2G& z5lvu3N3@Hq@1p)Fy3)^GPW}T#-d6P($GoIYOG!GjsgKsw+nvP?u}c! 
zS~GM?%gmxPCNj|-N$hL(QT+qj-Lal>I|h^P!BH%V+Pz|#Ki)cuEq7+T~Kmn^#D?P1bKqia}N3I+M=109Ss%vLJAJC#8wyu zm0aXFx1Xh^p4GHLRa;WT1)Hk9WTV%!Pw6kBY0C4DA0WWN<4GI^H;sVhdEnfrzLS)Q zR=N;WGq`7PNE123I_;M>c$EqD&zAF!?41fPprj|XKp+I<$8n%)!7ec35JW||6zcX- zcc`o-Lv+lYosiAxy$m1aoxpc&2Y+Xp$gf#O`c+$(-Bk!ZQtB)8$8iwZc254y@bkiB z`QfX_xsR-%YC|@txyWy*YB0-J=j1xf_(4#-$RQeO74m&c^p1Qpuy(!gxdFdiQ-;<= zE-cvLjjMkGsD?GHw|?3P-;NN3>*XYR44&6F$6BQo2G6dZ{p2V9;%fvOxKQTpY>v z`RVu$#Wg;4*>|DSe_<7Wwn{~^{wOq#$XPlf94MBeulX{?db@AFiL@0vqnwyl9mkvo zYaa1`8bK_}ozKt6gysayGbzhqx#XOU#;mvUyi|E;zYzu0c;P%_LeeEY zCH+;^>WbqX3*$1Oaau|D-#Q?ZVX4SJFkX%SMWs$xVP1aw=JmXU6z8hoIA`zg4J6~v z`5HdrN{Q!u6)Ngixt2C9Uaf(kTRo*h<^KT-kFjpQILC99F`WBaV&}x#{6;uc00B9S zM+%|ZPm#LYR+^inFSZa^zOs%NUr9LOuVL-@G8xnNIH&B(z`nv6pdjsQ){7fA=BKB6 z?G!XRcGH>(Ln8pZEk@3=d&S>ytCtBBOLl2zpyj9O_a3o#pcw!--sQ21OLPuv6;&tg zo##W(gFtPg4(>aAl1+E~&A`_<*Z@(Fb}Ma`>}%c@Nlg3NPR~~Ft#M1?J@gX!KeS7W zrN@fr8Xo6K{_wAr!bb)W?tmSB>jjF5W<#>-!e*o&z~X6_!*jtH>%iw391gQrNe08p zr6u(+absBqznA(vBjZ6HqZl@$xOKC(S)|lRqSxz3mBl7g79nQU`U&*5-wYpD+I>Nm z)+c_byF%og2${Di*I^BNCDJK0ck|Tdm+F^}ypjA?9#fap+`nZ~ynbeT)ry?#oz=Aq zlWlO=@}>=jS{9jFzOs3nJ)cztqo%l=&#hKr{$C66f8sZe$8Iv=arTyRuNc@E43}F>Ji~{dvz17SY~OkEchq?)N7!BstyA5 zPbGJ>WiB@al_DG`=8rzt${y-Yc?QT6aA1khimM&bx`SVDfmk(+EZuB~V|kt_>5+Le z2*%tQ+1H`*SzETWY;Cx}`D_}`*yw&?CN=Y~ku>{PGSZ{L@Zui&5bhXFma2|mC!s$< z7`+6e<`Nf(N2d)&F9vy98o#+6sVJyYE_gxtpX7lZ zK|Awl7*a&E&vL@@gLJy15&M^-x)DF;%EdpP{HI#Qye!~4+CWgg*WSZVB5}*~F0r5l z#oLdQ-@3hC{D!t)%X2)?V8s4i`@M&TU}{m;&f zhwKZVt%pG5)W>EPd&9SPtZS*$@SJNT_C@^;C-sH7j63C_RK1!;Gvb!g)VfvNWxj|H z97}dp>gp_Ok6_@g-XR0}w*I<_PzC!skf+$58=7gAnua#}wEBru81SU6hh1RQGhlry zqSk%%eKpA$??Yz;Ojp@%whDZF7!lwTjjhR+H2E4>>dmfK88<%IHw#9;M5*OlT!^wZ zzrw)45DpVJlpg4B(pi*m??0Yl(E%o)bHqn%q#UxpLMT#Ak%JI$mnY7W4~7=eJvgRN z9Ri)5d7x-2G@~=U&T8(0XUd67J+h?(kyqP~`d?kUiYYH)8^xoZw~Ew}P;F>onhg+7 z!rZJOC3O!aj2BMo$WINq=6gJPSc$DmvKc3e%gp_idaE?vFhTfE&at$2a={V9S0S(G zPnYX(dZCZdFCo+>K=szpGr9mtKBl`|*o<`!^DKX~72xo7PeGo#ku1gCi z75g+)1w|ig9Ic4k`hMY7zHN|OkbKiGrN>Y;x=yIeC&+0eJD9ww`OdQ%2>IkJbeOBf 
zBE{&OzzD}svrGGW8`TG}0!cr=d1O;<7}f2|B#f?)8Pni zHlS{Y6U*prX^Ppep%Xo&|{ZO;u z^;}os-4a$C@wtz9BRnklvz308tzvR+O0Mha_P{+9#WLZ#IZMUdH1(Fqd@+^;*_1?58(G^bf zF#)HV%h%9-!dHG--3(%g7U+)$JguJQthVk8Ij@Lxw{4w#-=h}C^1!>A$z1I9$+b^( z1uASA#e@MyY~h+euzOcPxtR&e6@nr>0TdsJy?gB5@uENH=KM$<^L~KGz&`z#P8-r) zeVE{eX0^Bw>7~m?h(4~;92nSqvaw!f3T0DP>)Z}lQI!v))%zKzlnk6^KU<&paC~s+ z2%G`L=mMvo6|@XXfusx*a(f3J^F~O}_?z&x7N~ECAfrfdQumtiPEv_=&t>au4@Zlu zXy0>BaB*TQF4T4R?`9mbat>dF#HI4&|Kh7>>vFbnFsRiC6vn*X_w>#ers zWeqVaF_k4X)X(~r$yULGO5DZ`KNruZ#wRPHuo)_ho$B z4M%{>5sy1V*BeU_Ikx1sypS>vjO;Ib^i;Z^@!#X0l67NrFBHm0RooEu%N2+pWNpJF zWdu&=enKCpkELeyn|Zaj;@2|>b>GT`fA4b~>nd}ihWoYgp5d|oHPCmO0SiHwFi)Fg zTn%_hcK0WB*PnL#5AthV@Usa@i4jZWw5IVI z$j96;$TTtZubT5_jL!f;IAJ-KY4&AORpKTQ-hre*VB9P2@p&KZ*64t7=k{toP?;QSbsJh8qJYI2g$m8iRxnFSqsr2Gb@* zzfJ{FfRbvgO*#BFxjj*C2d!v>N1z|nO^UoRZ8j(zNxbpp>361;_}#o93QwFA4QC*xUTzcY0d5vroFQ5TKKIAP;`DC zxuPqGTwRwv&~q``J6@T~!o2m{UlE@kedahNb1@-qjK)Su$?-)VeK`cYx*^lnIZ8NO ziG!xfPLVh4zT=0FBQ0O=*@k)ih~GEQpjcuS7C8*m`bf{$lBbZc%{ts`STwqzc`G;ANXUf@NfY3)SkfE zhgyzM+fLaeJr}~hD5BZoYvcIl4U>o>Ta{*-228#w)&uElvE3%?<3+{e3&8fDzqPHO zk}fK%H1F*7tExrz5l^DBw_THW@SfCQS_Tvv1B60MK>C|Cv5ZTnMcP*xJ^7cZsW4_f{UMjd$QWs6+xv-dBqp=0vyg2^M$t#-0LPEwR$x%nwL^S3k zrmr)fdqSB8G@RS`fxt#(wdV;YlmFB{X=q9oTr`E;;x9H|q&?=~4s+&J+U&jFHB~yb zpkIxYG)m`+q(TmlQW7@&{+Srh(>Asml_u<_LM7*cQ#V!O=GO|(g0H2opI3NhslI(O zqfFxH^ymz*C!eigPhcP?Hh7re&$F7KVELXF0DZW3WV$r-MK zEh089FxNDfzvVYl7JjbCjSTrgl*145SnhtFNAm@&NZ+?F;gK3J+?~&EU2NL^Y;@;j zAvAqPPEuX}uAL6JCUanf1}iJlc?yJB{NG6M|L4=HO3xGb*xw0NVYY3__>qByjpoLT zFJGU;+vMhdV=`X0gc*G7TOgeL76|did_6ddkGxF999B&K{+B6PV*uGHEgAd4kUVER zi7iRB;V}>>+_s4R<`%CTe=jpc_uYkzc>8yZ;osNH;YRk8)g|<~!SWdc+fnn>gsl%b z{wTRWDDQ#|q{^HFpSp20n4`KS0==-gC`O*d3%~mf%OpU@+?=-07rVN~*q`zBxizRK zbxu@fAXO{{ZDojEDW4hi0cjphj}|_{<>w$B!h+gb=U8NPgHKfHuSwu-JoxmyNfGk9 z&;+9uF#r6}VY2xjRPa>-RgRmUlbir#zYb#gG;9I5mi9 zJ-<}`f!B$Pzh2H=R<*tB7b=?$fP>Bl0;)N{zZBLv1HD0a5YQI*nvb8hUYrZ401efj zZ*%H>tpA`_?QCm1gWv1$9uU>pNPP}$iT{P$_En6biSF0ODm2~?fuymkd)I6s@_DJc 
z%39oL+jQws@y{#gC#`BL3gPwCy3y;D89MvS5*p>Rqwq&Ko+1Ald&)8RSJK~MFO-6Q zh)MO`75)%){;>c5;k`b80^Vx5NNRjYF2^slD@3!t-f~xlab=>rU%%SG1emsIFaGw8 z8-P;{z~7?(W%{0<=jaSrym2&MJjDd_%1;#|d zIplItBr7yr0&ut$(fCPCF$ICApAHqUFKD10ZoBZ-&AdgUpU?6 zk7)qT5%~dG9&P~yiQZ@@1MBQD=S0O2a=EVES>Z&pAV!!9g%RkXD9jRaV+TnVXFUJE zUQA;n%-#S0!~cKu%CBg#(e!}1A}8))VYo8&U}^OFVt!_*a6CwU4NSgN?0jOGPO$oz%$aO`G z+@(6TRZ~@gW!vgBi@{ILB=iWW%mfm6S}XPv45u8WDnGvdt{|Y#_m}f-*3Xcu#lAMH z^In|-3YjC(GPTw7YoObMlz^iGU=e#=8rUK5yhlCv?hV*u)^yQpp8nzYBc^8Ri9y2T z|A=yk*iP`*>5R|RWL^>E^{p(8s!EPti`0d~KHgi0feAy*P2Wq~QsSkmh}O5_OxPb4 ziY!S9G6_aU8h6tl+Qs?9oFy+@a7hoYaSV0Xnv0A;&8R_RKa+b+1h^#Dcjt?Lx8$FA zxw@oUZO*R(Vu7<>1zc@ssf6W%7zO9L$rhbuL4&_0cE$b5xDN3B9E$AU&*XCGDbLId ztlYs;enOVFpqVf<{12&#HsLU#U2!F@>}}7ZR&e|^2-FK55MD(#V6bq~B(-Y_E-D_Y`JOzM_vepckn`5m z(1vO0ZQ398++2%{)j4k&`)Pvv5N7RDUv!b)1tYF91;3jnh6J4&xa}#Xs6HRP5tFby z8V7JCkib@dxlIcQ$8()g7LKmhzCaOv91a^bHL~C; zD%l(`+P&Pfcn6zmXmDV>0;q=B!p~Dsoj$LSScM)`R5rM4L3258Xt0VNN#^uw=KWp$`3Ob$L6D>s5Oa?f11b0mQ2YMIj04f_e+(jJ&nk z&eI~1ZH1D5u~!`c6CGDhx}VA`M~bc*Is$uqjgc04dOmdsCD_7o@i}(pmxFEg$^7=< zV(Sfv*@gOOmuvnQn^zadI0^WWtFI!4eJ@_>$Fyv{ z+|S_c7(S3O9LQsI7w=&Xq#y$U6SdJ0e}~T#iSqS(w@wS1Hf~(T9e%pu3U72FW=IcO z$Uq+I${!$egasui4yY)w$LHS>euEHlbL6z`6DT|8&;7G2rW2$Vt#I|igqSv5U1MFU z-5JT0!wgQ{0{4UPPN#z#?T~H0fYUrVIia@RK-cQ=!`ccErYIJ7B#7ULav{z%IoQzt z(((Ly6j35$KGil_vo?K*4{xbS%4(F>F|fl7C-E<3MYVuw8gx@Cg?2CUM>~sF*z={l zu&#XNF)anMY)4Wt6^O~gLLAqrc48WNbnuJTFGHMqS3dQnkMiD&@fi(BOtG}6FiX#^vOu#2mXsM}sEMy# z+V8Y#5!f=HECc6v}Af5SZJ98RO8ZsBJUPp8aX%coMscm6k19nS4T87!Lr zGI1*~uB-qk$+t%-ztCMG*3FT7rVXv(r_T~;EDi{^cTlo_N#5JYeZrHwOZktEwRsdH zQ|q*G$42ge-Bnw}q^Jo!_%Bl`+U&sn2pE3;%hb#JTXm@RM)BADxtSxJC}1=icSaf- zPlw9>ai%i4_MN2Z0FMX4Nl5G-Jr~^#rU?c5oXTaQ@WBitGotV*N~4~UY4AW8C?Cj% z;A2IFi~lk;fBu(ga{!1Ik|>~m%zBGlm_+_w^M4>j`7bBzqEABms$&CS=0g7R()*wO zejs4@KLw_oIoKoB(sbxfRN)m=RFh;ETa1w8bX7Qn!on};X?XqDobnZa=ZM=AS)`+v zSbs$wfzAi)XFI}QBFOprMKq1Y|Cs8l{gGq^E9?AtA<+W z$OrC_78oa4%D7EdH&TU_5v56MunQ@G1D}sv1mCQ}qF!sOP_&!NsGJ=~H3;`EvUNmZ 
z?*+prPu&|Dn`8QI1jn>+4KOkBL<14Ax%8TGi5j3O@H~}U9$v*)7QYl=XtEvLZdDPYYTI{ zXO%{EYAKS_<%2lLsKAd7rv#h)21ZCqzr7ahQrPASmTy*(yE=rg(=YskKy@Dx*j-W; zE>Si0zQieeHGaD4O$=gP+x3x0gBIwB-^8XKvOFzW#72znTiEhbW8 zNZWMD~!>eCo2nc4tPgfD85TnrjN6=Wrn>%3@tg7^lVtYd`f!2 zD@8w1(&r>h3azFxu?8r3U10`K4}kaw2Wy#oRhP6Q^+ztZVRuMMX+YkCP6MsN#&5sA z|Ify^cGTic>K@t)JR5rP>p$C$eAB}E6mWEl&Uq8UrmAO!NO9q1@#rZcVh!Sy`gB3; zg7y0c>;E#jVBP|+^Dm{MdNr&%pf{-sW)$5DuBJ+DP0DK9ttm{@b+NmKzM4>|$n(b{ zBKF|jvCDX)9{kuzi$I&oS{QsFukZ*C*&fQz(bv$Fvx{8#Ojohn8^)+U$qlNv2+AV` z4|=w73f}~Kqi#}#d)kyKiMHA)5G10KyuP@82)QwSaEy2(LzT+UJkt)u(!^wl+C3+y~su(;M1yx5v|eomwcoF^exFZE1RB zo37Ot$U4XYl%cp8WNlV2hC7^xT12@=Gb0COEt#wcUa_NatrHLQYm$TC?2daShGa?e z?&qtfg?DSpYDIxu!*x$H+N2p{3@$2ag)Q!!0eLSj{Q1()0JclN$ctKog|<4__ zZ>kO}cR)4!ufF>#Qe==sdd3*+Uj9N2A1SwRa2-~&HBx$!wvp~#A_;QZQ`dp!7(6j_ zZsUo60B z9cs~Y^wwzxR4D?~j8TudbALQACDG%CT-4(Cc1Ve<*HHB-R7J8M!JHbs+#lioA_% z9zkdWTR{~P6G?xfoU7{~o7P&65w@-TIJbY95G8ym5S!-C-&wMT9%%Ja?D~3bxbaQ| z1-KVjfEgnS4iZ9a#%IGCU$o&J@@vWy1(kcUZAwJ!N(BmP~JA1 z*rB`Wu*PXbcAR?e-mFHMe+f_7u#{}?ogkRxC2TshZ0ld9I@IeH(PaX!Cz3;3kc#Qz zL%;qlKK;k|>edgN`=pWF*(-rBre{p&hH|D>)N=eZmOFP%7u{FdXY=>^3NA6k7O0|! zL6mhAk!1C4+{5;MU$<~v0shFUU#`u|u4mmd>wO0gVg)`d!ZDq|m$vO=AfGlU6loUR`57 zeszBv*)q*gpf!Q?^kGHB5^qK?U2|W?B!p{e*};5$mrk9bU+d%NY^MzKGU9jX?`!Gyg;Ch2Qkx&-JYZ|G;-hqy>AUV*Vce z=&I9sQ8ef!lUPUqY|Xmzraa|YhMKh5(Vv`+M0ikvK!Y#c^?@L+byEx3e(opvs&ST*#~TMdWQvLba$E<-Ry0rFiW^|8TADfX)&&s zTqOrj&YY3u?3{Zxf2C2x=HPN32!FjJ2bo!QYjB3a!&sAa*QaiT#Q!f$7T@UF?@8lGODHps=x2 zeN(DgVqutEJ60uY>1$#59ddmahJ!lV?Mv04GjAWGD+vA*#(%F+DI2CB4gV}o)5*d{% zY5;2bh4xh0w$Sy-O6<0eGUrIXoehW5{Hn~_hpS(i+*2a}K)qQSr$avf3RSM;Hhl`8a^o;O`&Rnk-t7Ft=eb9i;$g*buDjHq(i%T!FBpkD}48IXH;=na?Zn-D|D*eksiexQ+@}w zz9nE1ZpkZxJyK+l+}E41#N2FcMSKi9EHd~xblv_~cZ1aKw)hCZo4M^%4tDn`;xDbh zY+xA3`S6+X&(MRV^tz*K%iZKk!0#MW?}V3{m}bA+X5BV+I3XR4cs2J*;`U$p*7r

HACDhBA4=OW z4KgbBl&WY9D^tT*O#RCQJC$Ke$R6zwW~NI~g5&;>E{^x^nW1#zdv3+!H|>iT0~aRm zE^&4Ib)1x2s8O7l(Z))bps2n^dZ6Cr%eRfQc;M?|mzzPH&q9c9jWhvn$Q>E9AL*Xt zq6KsCV6H$&M%fzAi_#2Rn0bZtq@ntKQ6VE;Vm7R~S%p+&88k6bWT)EgHj<&Uvniug z3LsG{T4V7x!b^ zdF9=R^JyrhR5*4`Q`>o-}&RFTuV+po|~miE}~!lkAHJ(Tu1KxqksqCQF>xqCks?7M>?I2+!nz7Mf5 zX3?Qtq$^m!f&P#Z`>u_P(XZlo=0~8 zsO4-uOE|7oO9=9a=Y_qDuJY};!m43G7$Mut3qJ`E@*VB_Ww+{{U-b@@>)INRD$x%p zubX$>9nmV62D?JSfYyaAe7`ii)_Ac+I4q=;(VgvBgmxJ8@%15BU%r)pnMKRH$uqEpWnnz0`BVwF zp-T*9V|-(>I8I+t{qG;I*?G^fB!;m8VuyT*ucxoVMS&KJ-Wx-HYvU+D!aXAzACOV$ z4X(|^KNFIaS>q3u>K1tUb3Jjt^7C|$!6krCFi<$2;AP%yGv`&Ed?I-4B5E;_EZ)$U zw}729S@+x?^TdXFG=IE>djX^_ts z21ZsMkGBTn>yd0wR{>jy#ecRrfHbE`T*T0WRjU}sGFOm;6f~gxUL=F!wX50GV z`1^IrRK4x=4WHr##*0j*?Nd$QQnbU=q!oTllDaLZr^gHFH>~ht{68|`x$bshEghN` zLSfk|Q8~}9lP@m`6CWt6878%(^u3zo)EK|EmcONvdcOuP&CxPf6#m5gqB0Vw<)hl} zlDSFD6ihGU){hHyABm&v9uw41>iiQ@h>uSp-cIv+qK(S1Kt(Kz(PgGLm;0``zd6Kd zgJG5`bMy8ssa_G@#}4B`!Rx=u)%_>pEnC&}9pI`OaXt6jczU;HY7PAejDt!HEDk+p{A~$!3kk&3m<#l- zb+vzNd)#V{r&cPgy4Ezha3LGgGrUk05@KeW>Q-af)uEbL01zn$yU|);T{7L#NzW8Mq{3VzP*t?Dc*=|rJgcA#DP(219=Z>SeNFZce zwQp|0zpHNMklfF)U~OkmWp5zu*R3mA8~ehqjg;6dTw0>0KEk!J>(^%EBkv`z=l(q# zPNS?Pj^jt}8E0ldXi`SS_Zc3Gnz}PbQ!|RKm_c#Lo3t{C*0_I}UI<6~hYM1}C>Wiu z)5`b3#K@xJpHwU3FLiMkvFy{}&nbL5=KIbZ{i;Jjavbap)odw@k$;(LBzrJtBd6-g zh(Wz%g=i@2p9p7LD&*E=k-vXfHM{u02b20Ia`l9V!XJwKpy7=_4Y^#6*~J~IpGwhw z_&_~&8#%|Ce7y?rz&TosyH%Q|QN{Z#u}pGQ8tmu5rQ~g9Cp~u*p65EOysP6M07#0! 
zp2)XAqe7c?JM!*ZdukFfM7~XSyXj&|;Wk{5QCqfsB|@Vv4_(+`@}g8-D@9bK=X_X+ z#}sdDK0t@DJpB|Y>~SL8Qw3gb(I|KqevLxt6_TtYM>P$%_<3n)SAbR@lGYEdvd1hyIkBytS?h2>7spvgr zH7SBSw~@fXg8zOim(zq#yR7k?GHUK(Uk8JOkI;>I6$vI!*MGaDRn=m+mT~2C*IK@h$0P}nZd$}Y35s)B$4EM|XTHbgP460HWr6`b zNb%~pp&GfN}xx3W1@}SFMt>1c=HJ~Sev?h}|$Va+i=vfsnV;)>DnJMZcogr;kR z&oyF6)7dDMy`0S8rgg7W{eJQLlOYkUSzX`f+UoL1{NjVdLN%y+*)xl^hG83>$ao=9 zYRb*RHYos6@t@CQ^Fa5_L{F@de?WC})cbz)qQj%DI}iE0qy;{o=iF%j8vL4}f&jI+ zXd%6brwW}`p)DMUD_z3ZTP#@Xt6W89Mj(161rU&~kK{3{{PO;>pp z1wN_#X`c;VDcPWN_*k8OB+;)m_a0duRa}faMSH69DwoMW3+aW5x!t@rNXZpKly%k{ zvt@RMqK%o2&_?E)<7m~>8Hmc-@KE|Ec^3fL_%+GiNZTa5y`{&9EexlThDt9o!31Xx z_d+BVicc$6P$bo|aE>hV7GTMKK}{eg@jn~~V*^Lofk2kOXrSDO4hxSQ2oLWM7QJ9Wq~oiY}z6^EG{k8gAOVJ;Dh5vB(?qp&9It;xROgI z6^Qcjp?V@Aqw_30M#{~t((d= ztuBGdf;iD(HUpb&t~UlZ!t|&1=Rr1lnZacv8552>>QLEc7*11isHiU4@n{@+z2&*@ z68O>rqHwe$d*+?{tKQ5Lh1jZ<%-vmxnDy9oeM)b;;+s*?VvkRG3l;`!%BKzVE0ioE zb0Vu7IJ(J1yiXdR||h+C`%bL^IW8dNvfshF#1HqZ$S<~ptl!`)2v9t(^m4KB4x zb_ufsOf$k|E%>sa)iN?>21;Rz{xcY%Z7}#xU%T@)&gFtwdKg&*%tlr0;xj+FUwIVzLA7IgUsF1JQTpdVfm+JS zU7lKb@+Pmec_v43Dt5&--Rh`pWPTq<=%`w)%$S0vu3mAdf`;|=e6GV8qUykY^CX$_Ht|OcE;RY3+CMHQc#55z*R-B3Nx~Z?b1c!x; z>(?q}+Vm&HPAaT%V7PR(KxWO*^Ee&O&Arur9_)c)4fmSVdc5qsbP9lDCCGX6cMzz~ zNU4|wpBGVM$L|fAreRCj(q`gf@mBT~(zjF6{RlPCj)E&xVG9blyF%eL5Y^%KmB{vW zmM}=+Cn~jxOa)#7Sw3cW*U0=NaQAjYx=1B0+0IYuN{aZOfHjK00lX1@v$~p~Jf9Y- zQ(f)t1V={aH3E07_T*you!RMOjs^ZGiZjed=_e=HXA~CSuddlN&Fn}`H!Ko z4mnB%a{AF#w8huZ*Y~r7?VPR)V%0ohSWzu$)>$gCD{+dhOet6rCK;}PleAf=(&h9g zWI{Jw*uY>8dd-V3qOGI|y16MPb2T($3d=EP!1d2AnPVNo%T zJk*b>v2+J1ifVFJN7XVdf~l>n#H-DIWLh<-<47$2$A|vJ@5N0TwNDm34p6L&0bxPs zNg%cFaktQox&&JaGf4!1={G;Fow}W(rH-yk@PE!FVd=_!udwRN`);0)nzrFF^oM|d z^6ZU-ZnRFx1m==z(nDG^a+-{MO*}#UW!hFl6HhFCOTV&awG{0%Dm44$DVr!&4gFIB z4)I%*#(DX-2T&Dh2EPCiSc^ZAE!uXb%a{ux+0({{!?v`O2??g(N5wNnDA(rytDENr zIkilCg9dDb?(tg5HeWHM8n4ihR4H8yr5Aoq=w=gD6aDL@XMtzJdOOOZId6IYDC8}> zeo{kqSM!;;^USfHRV=%O*iUMJO)B)>TljXnTt+qaDAjXor?OE}r^`az>|>B`z%exI zUM@DcT@<#P+1`u97j(8?j1;GOE$y^1QH%;)SGCs{>xz 
zPA(YSXntD5^P#e)yY#LEPs5WJnjW$1m!V+0Oc|ep`;Mwc$XSY;r`Zkhdi~{b?R(1L5D7btc>d5 zrd^~N_J>|CFSK@lv46nu@D)>h%2NEwb+RM`+C4g(b@+z5yu24*z>PyjiRw(#kwoDO zb{=h)TBcvDx73X*IXJ1W=I>jtdp(qUcXaRA#NZZtrB`dQ(;M=Zh0Jo1<=8r=UvlE- ze$T-mH1I%O_sGh`XsmTHun{(Z5yzWLg7wQ4eWM&&xAF4RaCN^$qb=<@A{+j2rpv^` z76{N{?rSG!QcHJ9T8c|jE8`<&pKa$vv}StR2#0odfi|2H>j;q^x77XoWd3x&P);6=(26nQ~ELgFxW>ac-q8XrvHlAmqCrQ zHKNsri6D38VaI2gDT&U5i+ zj|-0btB?bUY+v#yRo1E-z;5B#c5bL9T6HpRf1yBQw8b9&W9wnnWbbY|9$2R-_NDP@ zaiFZ2Q6=WeK(gb)WDUJ*ns8{=2Gr5qouLJtgjbH@NS7`GVu%pwEf58%Qk1H+sFV;| zq<0WPuR}tQ2#l2KOoRxFVeSO@Y*WjxLiF=hP)=qf&1xK*k{zFP8beoIOMOkv!&s-6T~B{zr^s|+Jsqx7w4m%%W`GeO8%Uf8 z&_;%}@ZGM$ake}nRJNw*L2JKUvFj#>bbl_+*(WurW)fuJroFNXV-qR)Wb0r6keW#v zw0YDLgU}Bc#1Cl^z!xzrN?c-QtC^kO4CY^_Rc6Fe+;nLUl4iMX<<@;BN3k>HRG`F? z+=V=;7K~5i2-umB<{Bkx>$ z4<*Xbh7iP*fKyxDUqeMm)oZcc`UST(iur`LzzE9<7T`fp;87|1?50v)Xo3i7d z)woQXsNv<_tvUt+ko76JFK>ADJ1;;QZSX^Gc@*~KO{mbh+S1^QUV-i_P2`ct!ype^ zKv}yxwM&RU=-9LYMJ}9B^CW`XRJtNcbxFcluHkr}&F#xO!9C{^kA(V$e*dt3P-`Mr z@F=O*>Xe72>xCkZl3Tu6{DUSeJIQXN*`rm~HNUH}o`2rY^fU@Gl51%^S8tt(hUWWo zSZxXx`E4vo2kFVP{x58?0g3`|k46HNFIog5Sz(CvUYRc&@`Yln#UTF#3f%#6Yo~V4NGp;ek-L*JYuj4m8esbFhLUQP0f`p!;FfaA*GR$uJ zH<Az7+Y+ zWfZK5s`F)7`c3OKD?5qQq>g1T4UjuD?I+xlT3d2is#7y-4babb1%MKF*Kh4(cU#0) z#+ZzSE<_kWG^`{ro-)7}Ctg|i+&KT)*6wh08Y?|~&hI-?IXYKn`;aqsdAoNyUnM2K zU*6Su>%h{o(xw1YVwYuy(<_L}73rgvk=+CB6tZ&$?VgR}tP5}tNQhSpY)$+`3&w;{ z1yZ=39y?Wk_Mdd6j58;dkdx4}(xar-BTH|m*h3;D{Po0_`yqp>EJ4bzb2^}Nd}M8e!T z_o7@)3L?75%o8Ov_bIqwHUnqS{Xq||4S9MPDlFfD7x}4g{%mhfuMF&@DVt?70Z&VB zWN1X?dai`d0ZOoGgL@>NQUdS!fGB)-Y?C6v;W9+LXqIAQSyh`u-s=p1URQl|@!*Or z+9#kUFQVg3b*jJ6uHb~miGUd^B5wlKl4yVjB{p3lon2}NP4Vzf!b3|}?%T=Z;g;uq>#l7#UM1y|1J(jWF`=n=RnpGsQGRXV%(|Dses@BO$+ONT5jPw4$2k(Yx8Wc$4X6oc3C*n%+n-@psTFhE16P3rwS_ai2aH^ za~#z4#d2&)$i6rlvh7yepW9H~fC`aqd#c<`9=aU&Nz}M#6(!6mb?uzifAOYfiNjulQxDUSiW0Hp}1Z-e4^Wx@_6bh=|`}5SHdo};N77Nw# zS4nqN&D&oP2Z6!#d)e9T;Z zPIRwR|B_tu*xVAN-oZeBeF3^;xlNBpy!xFUDQD=7RoN*GAsky6Dr#1Id%l#R=aF_^ z=+O*3n(0Ug&V^RcZOwGwd))F!u(J%t&PU 
zM+gsl^_!t&!|x?9!K9r>H)`Ij#p`DC$*R6Kf7-(XCfY2n0l`hvlfc8iAIf4&NeYI& zR&fody5K{kA5|s*XZX76OLG29@*SkgA4+I%r@<8nW}J6dw+{@nS+IKPG2 zMqQh}XPliRB5)wfY{t(5z%j+;e*Ju*Tow}B{uuQpZ#`Jw%lDe2u*jH^TKPjaqw{4D zd*dX;CBoLqkD&Bz46*nQ#Rfw)B3Zm5sEbmC2@LMso%Yw7aJedJ>E3E2ZO(wD)Z8=$ ztK3xQNIll2=b!w}K!?;B6%n??a4C%nsz$Vde41Ig?`Vb z*QGk&`Y?Z6t@Ij+=;nk@Ga^y>@g)qMBPnc^ob-&{5d1D=2Su^uRU`H_{rY zt!D3t#C=`Lj|fLr#)F(h@1pfhvH^3R-d;@wH~rg&3aPW#kR?!us%5S#BUP%qVe_&Y zBBYCx!uN>IP?W+aZ>UG%=)7!5<<_@5r#=qgbdEllJ|(b_fO2m4SHOK|fd?*6!f63o zPpUz|G{s|AbK)2HEM+Hz-ZaMk+0M=S$a_sy2|kzOlC%YSvAKm_FD<2Pv;;fx#pb1e zyK`)uv@>pXHQ75WFk{54%d`5hWPEgIP<)L;zsgZ_@AcvA8nkXEIqA0X>yrFH4Tz4P zF{EnNISARd8yCs}7*h2&dt=Ee5fMWliogZXAO+0HPX7Y?cHIv!nOqf*6RF|+4KfWC zl_xJb0S-PFsUYHRdqXxko`|(2=66TSqvbE@_jk;TCqEi<&FoLOBHyv=?e%Gj?+&Zb zJI$gbEjIJTA<>np;=7Jg&Eo@^Z)_(K3~{KPYFCJ&z-~jOs!VKss=4K+g{R5E^}PIk z=WThBy9${QeNmxWy@Ib?Ymdaw~D?)m4MC0L+7`as|J4ES5=kuhn|a z4!z5b^b6yp!-`1sY_yy@(hMDJ<EU;HeGt&mqB<7Bs8yUZV+Z@_l^4*}|Sy1q_ z4qt6;53peLlgZC;43$tYd39MaWz|@{G zvEKVE(5l8MQ?rau>6u}$Qj3FcwX&C}cCjgXAS*N6_Sf7}g`wd=MtY|J5xG4_peL>Y zX{T%sZms8k={=Wg1#nw|B-Yk3g8`R@jC1^Vu4_<>9(}pMLDG$C5(jz&p0PXAAvz6o zO1jD5;~+6z>l=(P;+w53{dvs2puz84y5+4dQc-V|(+%YSGVBC-<5L*wtyw!RMNFR~ zBVN=j4#wzeB<8pJ1~Q|QmwHq@6Jb8!$vMx=Y0Zoper>xWw<2ZLkTt|@kY-Tzd9G1a zwzl%PT!Vcc4%oT8o|6MJmF2-TX*@g(DvwmU$$e-i)S>?BZK1Z-0hz#)va6h$E}Q+o zTBnAW%HsVYM+TU%t$b1dz~aag2u^6L$~ZJlT_vS!ns{84VXl ziN+hgN#r-kDQ_k3GB9-50}L%PUOrf8Zfz(Mc4~M;C9@PO-R-+j6!&y->^K=UsC=Y; zZB{IFN5LR-iR={%pZ|!g?v9Y_p&C1pP62xvs%U9|P5S{4UmcNLdnR*s0rCYctzMN@ zD{Ipq$$jClEj4!M0_P(VO^PB9L=$FHUKIswcG;h3Br0S=iAz?*nl}ZTlN0IewaFU> zjG5jd@Ht)+xek*Vz$q)Mv7LY2F)B0EbeQn5K$ zWZk<+DQj?*fHm*)a%O`AzP*#gWn-^00wop06!3V_oG9A!FhTr5K0l&t;Csqv^%&DqU7syt3y zKiT}o48%TZq-F*;=eGM4^J%SQQ<2uz4xR#U%B1ngTUKPJ%iq^&oSrRD1T|&qS?kqp z_yg!&cXun0pvS6l6Ru5MNYr4bq_y|!kn$!n+*k8{--&t<@w{aAQ7_q`Hc8Jwe-FmM z=l=GTluqXug%h6`jlA3<2R9f2koPFd!OxW3PL#u_n&p}OOlukSh^$L60UbxLq^MVi zd$CNiO+IDt`A1y!MwbhCvXxqNP<_WM(oj=fcAN#nVnYv&~(p~aPB;ssF)wo^olCX|>{>ijJpVrF(ej=9! 
z-rivue6i~-cT4LkEZ(4B?Bpn4+3Mr!9=J6zyrk<`1N zAQ`FE&D%|0VAe6k7Yx0h!tMw}ck{_be}8A??=Eip!Gryj%_-}W>C|U+d+jC<-@I8} zO`S=U1*eLjg)s_fxkm2?77CF<5h{=(leM+1Cu<_ry}hg~+4UIJL9}3hzw>fl)8?Xd zH;g_2u>{`cB_Rodk!ZY~;{Aqi+>fdzpObu_jzC&$ZrmGy*vKC+ zRRK*iEZOp2+XvzzWf&Rk0&rHuA@pK@a3a%7XD%4BlP(fLVoEVHR+6Xtrzj=f)MR(-u`W5a{PSVkr6>QtFHgOR!G)-y3% z(hJiha%pjkwv-XHs@`T)(MTWm{TE_-7`t0+OYsLJl^2>E7Y7a1WIZvE3`C6kR_#X3 zi;Kg{@}*-vf^jT!7fY|bypQrwWc_)+g=t+eh^Lyw(9v3n>OfrHXkdROk0^JW2T{tU z8q)TLp)38DO0>+IOgObX-i`9VesB`pyZYospm3$9{JVs{6ipmXHue)6QJ%?|L&W3JT7$@Vs zw{$Ky#N8sMY7cLl7S_Z1cNXT|^LdPnpz3zGcZA2XO`F{96nF@`D8bDXCCKPJuB@-8 zs_b=yE^dWvvsjSF@9sOCrU?gVEz;_N?8u*82g#jI?xa_IkG3TR>T(EyK7&#sk0V8} zY8AcwpT$H3DldF0r41}_`mzGZ_jP{Fszftzf{K4UmDd%4F1lN)Uiwm88ixa+V=84#qDo<7u<4-2*dcwoo;`&U<{ts6@RC=w1a)vg)B@N#CFa(Xk z8n1e#ai^{C)fM^Vni!Z5Z!HZSnk9QBN{&^jbI>NH{gR6e@vXdYKq?*S`$0~;)b#Gi zzD3b8W^>Dr_utw3fnX1_llR>DME*(RB<_XfMg1m_I(8K*EKt~-w! zyB`5LLWhsnCIDJBiegH{E|Omn&NfhD2;2_LaP4updVULr%Z)49?d0CUfq>2*I?|57 zD?$|K6mJUevy1)1RN3R~mfMtI0FU{V?bJpy?2ZamfHu%7dC3utAxNXTWXoHFsc)lZ zr9K|AODXQ0xfj*@RZxe&npAkmb>mQARtkv z<)8iJ>2)(nUdWj9?5*ueZrde+Cw0X452CnVf3mq^Z0u26nehg8054CkGWIaBuI1k3 zsTn~{#df*|NQ79k+}PCJ*hA9`4V_j|h%ck)>X1-h z!O=OqZ@R5#xm+XVuiF@w?|BG(Fc8=0YYLPMeaPLP&7Xey6{qM8up;GnX*dp`hr$hs z()US;TYzQC;^Z5`e5yuaMp+|j_V8zZKCZ%wL3u@{?%rLeWT}XZDP`Vpf5&4^LV&qJ>^i-U@KKg@p}|LN-Fim|ac$2L7^`}-+%US7_;6JIyt@aVmAv?)S%Gqy1{cnh z)EoHd;)PmaEan>3^7uVmdl42%yB6YL)li4aufpXvM6$itLcnBS{%p{>-1D6}aH30g zFfi+;=_P|0Vr55N5u|U&Py{nKGzl}@hVGYddWNXk*|T+FFXU~gc&!+>%5UeFmL5G? 
zMm!rny@9BxZ9mo}#{qjQ?k-K(`Hu9AiEsj#YeQu&tsE8eS&^y2O?K#Uiq7@iv{T%X z_&4ILrLfo_hc4K3E*78(14aa8s6~eh8_7B?x5wdD==Gm=w%?1Rf(=A`Hj7iGrG_O} zJ}h0yO)3_@ChccxUn&6?%rK85t{-if#v62-jXlZAE5NzQ#FuQ%CXE3>YIrx7eaCd; zl-rkO%w}(jxf{*z0+um6+ESJxz10F4E6LyHNUhsWc+5rU^h7uwfDEKb;S~FJ@nP0s z0Qt8tyeaTzNIQ93@mAH|`&Y?*wN`lywPFk(VN#PISI|{Jlg5}>{bu1c=nCB7BL!<| z=%Am8U+WC~<>+F3KNPcF5K@wyjCl z7gb3Csv(EXl*VGgr^iqI}29uk;2Jvh?{updsT}A&O-Ee|I3%YFgUTPjIBlE^^^L z@)ATJ@ei^vUVS?S=T8OBJm*7u{AnD-2{e(N-~bFv`&*+s)icZ06F#uGTECz(tJ%Ij zKR-2AxLdHldaG~oh*16hc3i_@L{I)j`irKi;)6q3x$MfKca64#XN%08`uoN6IomC3 zJ8%zvU=j$55}L2gm32(bCM8zrIcj?W;YV`1nh7lFg{PsExk%#?Z#3vRi1B;CaF@mj zBBHJJdH}|h$gc_4<&D~sXxC<`L3<^23l5HnDwxMczy0ur|A~5?6X0Ko1+h^;1l`U- zSMw2#VMl@k)6{H0D7dN%V0wqC^Nr4Bo_Hf95HorCgsS(qFgW1FHl_5S_>wh~xmd5^ zpt8E8iN1K6q*8CEa4`fG?5hqJA1n_X4`R*V`q62!;u$;M$Bu^d%8Q^8e(N*lMG_l` zYF+HQ9QeGO1EZX~YnOkHGLGAXI24a>4A34NO!};rE;Z@ZcB$!^K)hbYJ=JA1x_SnC zX(I0;tb2EAQkMcIU8D*$kj?-yw4KfNoZG~j52aRu+X+YcjghNoa|o(dF9YJdq_a?0 z#YNrop<`VxRy^FyZz9=B+#0-M0Wx8i)K$Yi+ulyY&b{t5Dd|9~ywSZER%Id4fCW`- z-gO>8cuul&Qq=9X(;1;njGwT{l1`v4kZk6nroD7`b z`ot}=n!E2E7s;L92dKI&DikL|>p5tUL!=<-v^6ODNd?6Bk_O+sikV)BubM>9jCn4E zb*$%g;iZg4sw`0q=Kw5?;T>ck=(e@PkkR2yn@YlmJU0*%O{Argzj>N&f;^IKL6)<) z{VDKT$K6Ln4mMH36XKM_GjWJ%j;L4PWwkQu>_RhIU?MH4%HQz$u)lc6)BVZ|#+l7R zNRXT>r!Y$VjSsrhem6s=ajJ7&APDufHNnq;7cL1~8ooqTBk`nv+~D%9-bpNmmRomZ z#CZ!Xt#n`8mDvJ`Lin}ekuiCi*S;U;s0o(_Ff20umC|mgWVNB982+pOy5@+pF4Hh; ziDysd+tlYW?@|S>IbRhY8s<+Q8Q6T-rX4I|< zM4Z7lxj`4<_~9IMVcuH5%cy42_het6u68nt9vmr$ZQnr29s*IX3!|t?}Xtvu4I9r=w>S z4X7k{7gsI7ja#>8AYIPAl#{r$ZE9GPX!L%lQ!+mwq8D&Kb)7~_OpKs*og~cd9uaA> zMDR8zsg@j!YjqxGgI_>maStSXhObg4kAm7mZayy+)Ja6CA}%Vn#I zmsysfrmlK@GVfA?1s}wgxEO1TciEz+4c7z2+^nm2s;1jktu}kp_{6~MeaH&3iP`LS ziE_q)`7d$;Ml6(8e&B#!=dCJ;AvnZY?*ev%aAlGXx-h`Ow5E#0^9gn-&o3xw)}~v{ zyDHh1|9*sRe0g!-MfaoTMyt;hQQ~H&Jrj^1>Du|57F{y|Sm9~MPsIBO#mA3bf%tuq zb$nFuPeL`k^4BC82M9U-vpdmpDywuYKJlNnF`)jXs!X`?k**JMDsukyqtq z9?nhtqNb>0mb7vHNx+h-S#lF&$~BS=q6QQedXrLt#jn;AH@{l82xPV|FjvjNOmK3W 
z{r6p=_n*{V?(tZSRCwM%m*1vLmY->te=$~0iL%yL#Eu&`rG)&U^G?+<88HY}KTx7H zq=}VT8Oia@kjJ?7l!J@%0(Ut!0C9=SgrbgnR5xygPJ zzIl|5gU(SKJKOu^Iv)-FU#utIlGSA&!gA=UY8#Nk7JvgzEBy~YHV_?E58ofpO#ns7 zD}N%f<>xWW=eK;iHhHznT^hyPc)wSy)2iYmy>eHIDE@Z9ukxRvgPO$?RRV{(MkcW) z`XgRRv3e-~{G6_U7{ZG{^PmqQ^4s-=`EJaSNyX=S>uLiF+lGt=z4B(D-i1WhZE5^5 zqT4zh3*!!;@322V;d6ZI$WyY(Orpkay^;E`FC{Br?dxg}OpP()K~#X5+-3F`C_+R6l%7mjMODT0uDozQ%n3S|lW22l;Q zdQKKe3iV;EkLh|`wV}wXYRX5Cs1GUh0Js?@8#*YvJ`FJWbn$B>HjH#k)dX&*wCae$ zx%x%?g{xP);CsQ2hpCA{D|r_%zv|W1Dy0bLm5$`~Zzrc5qmvSG(F*V6tcfS)G=q7EEZ3 z1mJk-r9?I;4?}&VdeFk%>hgOrf;9;Q<*Npbbyx579o=(#kpHfn=Nrf28URu90(hz- zQ1qE<;wB24kn&S#!npXtZ`HvJkdKXaZ2h91A^rC5k;PYlX{aoSo;svi{GAl|ZjS>*H&% z>g;6QJOtJrE;|nA#Urj#PU%cGnT9M0d}spUo7vjfXbv~q?E*iq-v3<9bbE#$Ea1kw zd?q{9Ws#-7RL!lME%y-@XP#9r zE$Y4*%6E+RvEwGBp@_Qetry@f1kBZEzvXk#zOJ99r^UDp!o_0Lj*8zqUMyw1_KS**_uCMC^=G#sy`OJzGu`Ev~w2TaW zPBF_SWW+t5we}bV8*Hut72ek8iB~p4IVpOiQ;UkP;9&GRj|?e=ts!Zqtw3A6Fn0Ut zXr95$`)Toa62cO;#IT<~fw$(sIh=}ex85XqItYu?l?pu7N^{B`RPT*L=&E;IA;FCMwY9IPPDL!bAEJ<@zSbWgKPXf$=U}|92xy5?-3#p@ zifqhak0b*pzmck%fxh$c14cir^x8xQ>gg})oL{3d5_Y3=1V~bqK=AMDbe`*@r8mlx z?~QrvXF_9q&t_adxYBe>mccLV!M#v_tIJj#7~!RIjzC;&(VIBC`6_8Sl56xd*}+Y(3pv%}BT30WiY5jI2o|i6)$1! z`#nw-QiHD2dr@@vtmY7!gP&7kcB_rZOA(VZ-sB}dl77jUJ2oB*ZLA3X6zrZq@gna^eZ%-LMT)V5_j-UUq5Cye9Y4(B=Eug~!tU2tS=Ah{ z^dX}ErIp!BBh|^Rd0q-*63PB#zy~vfB-_$K<=#eNM65W*=`g*Mw_qW5>Z}u(QM2|7 zO5~?z&UMp#qYK+21$fccEMyNVAE5DxBNmezCg0=}72X|LP*&GW!WQqUz1U2XyynFd zI~uRrf12Fy?Vv>K`#lz9ky-NL{y;j@TfJYGX!5@;RDUddeeY%*$C5QY{}*b41%iT> zyH}<_IPY$FU*3wTY?c#S3C72%Kuinq7h>Hp5nU6Ow5Op!+Jrum zLn)zD-*d3|El&J2%{53y+Ac2688*2bRx?%Z^#&?X7=XQvr2~zlpKgo8KH%rjn zbNS&=V3{tfIwvVPxGeO{?7FUbb?VSp?;4pC9KD3Zeak4s53ZYk=&l@ffq!4OI0AYr z9~>wRFi~h-4!=w_gn@d|CLoqyzHn5eAoXfmChw(wjf{GNQtq)ie&P4oXhcUSDVY{! 
z-m(vvU?ML75vdxW^7LbtVL-}8QNgtyo^09tFWMshbJLPzWT-NtojlrPj0P+;rH@mA z2&aXFYS`uHM=&Hgu^hY-c=$b2aer!PJ~OkFcLQ@7@KTl2qVXTZA%Cfq9$;wq4#BjW zq`w?83*dkSX4?c{Kib23VE4CeDW-qd)-=sbBBt(D`x>W43Zke9fHLlkF#gjc0L%&g z^COr7ou}$80nSlWbsSumWPry|Z~orzyYI_*36S-57KTK}aGHgDX1Z$F!@8FnPuaNi z_upyeZ@v@Rp#v7HafV`;Hw8s9$uDdj+3DI;j7qE=NmLxBr+b&Mk)FsuQS94jjJ{Cc z&vZiWZ@>4_-*%ljpTBMV_xnjOrFL6}r^@DV+gLbN@!+;y%;yX|+V`uBN0F=XVY^$5W8?+h}fBOCU^!VMizgnKh^`yDN=H9L}hgRUIo8D`spB> zFCM5qjpprxh%M!7<{${Z}S#{}T?LC;qZV`@iRfez|)q6oFR*p2!;w5lTdh zckXp>dR%V;xAbu)3!)8}SP5mo(ho#4gsQ@F`rdTfQv;U#%MbP?QDmScy@D7MEpw2D$ zhwey>Zgn&7pFi=`PZ*8i;7HAou=`4d9w<;{`Wu>l&B&P9P-JqkePr8ERPQ*vvvb-e zL~Tv}V7Ci7Re6UpM@;N!JqHIDopK@=vaNyZoS@0PnViNq4qNt;ICwhmV%`&Scu_fv zA%kMrN3F-zhoH92+2hHtFpk^yEF}Ga$dz;gS9}1>rJ|UX`mLpSTZgoeiV-=E1U-D7fF9|wMv@g21zJBkaL}PN+c?@dU2%hZbCEk&~2IVdIQKuV=RQG7SDzN`|o#3xGoz6iM{&22G&|(w%{! z^iQU&y%DbeZs$H#s7v?qGvNm zA(Noa_7gijSexyNfC@Ixs!qXsvh^!g?(^Sx_x5gCBaQXo7&xEr0YeDzxzm?1RFykl zwUZ#-9?Jf$i4pHE+h)&RekAoFcbzx|nV5%yl26~~k5^Qd_-=kmLQiQq*$(xO>z}1X zsr9~#NnTdI(2V;WkPlj0?7lNl_%JsjmrL$R?zy~NmLxqv=Ok-^v>3^&|8e{dj4khn z$jn%emia(?J+5*$`bSz;H73oQTbShKmCH1_hhuZknueXb!L|8Mc9N@!to93_~nb|r!%MLwvzOB%d(CBc?v35RBC0TSl%TKM^y8k zp%h@Zt)G@UN#=ZVU#$rI(i3sr|K`PdlR%Sm8|UPw|8XB+?z5(1&ab49mjNl|f|}ue z;Knsx4>6(X&leYDK(=rrsO5>Zw*k^*4+?nEflX_vSp{o7R{h2x@Wz+1CS$@j*gCCG z`SvP<-7k3Z`kJs4@bcJ9b3wtz2&{Q{k;myVur^FJ*^#a0ugCRva^!!E@Y z!yjckTMc$KbG06;#<@DIE*7`-O{(Wo=TcMWclxzM(z^e{mePtV>tB1yf1G3fwa5PF z<@8_o|CjM zba^o6<>X{S3?Ikxoj&Zv5}9+qFh6pbmTbFU7xzzf8l~)~@MIi-a}VWymzL51O)b3( z)m&3!e9tTqD~EvzHDKz=!N{SC0G5CCcaTE$+4Yy*3_@z16{b@9?nxrgQ1Pz z5pBxAF*ihZNe;>Vyy<-9!>5qPxY}?R*o$r*pG4Ipu{K1@HpM;DQF*LoC^XxX{TsC5z9V z>}EV)UAhxqwju7~t5EMX$=vn%j$+YGt!n*-S6R!+aZJ!3jiB$mUlr1cGmOzZd@2%5 zCGXZXf1H#KM|2Nux${c*SLx;)m3M}o_^=jO3=z6bZ+sbZcvpH>q^cC z;!rb57_aye1ek1aWfCl@EK<^8D+FT6+aEtSTR1BXA?#rHfrS}1@4mKB{4KS|^lMpH z4&>?J#$|x_8(r%&*t9=6Yf?iJt}&`+cLo!wrs88hp381Qem*U?B~_YQ@nty9y)N-8 z9i8RLmdTHd!>tSfGmBC2?lgL!LQgcgZh5zvD1|-(LHu)g#xz9aD+By~b|f&(H)HL9 
zxT%^?WP|{Am3qXr+@0i%`KC`tZKwd9c5i(Ox^Vr8yNw|Q!MKe?2ga+_k__20N<$Lm zV~#YnzFb=AIeB%a=g#-zvy?TWB8^?Acu^fpyPCMQK+%Nz0{(=^CqG+emfO_qb^I~u zNRTS+xqBBb>m_46EV&KM*lnmqJ6~6hCAPt@e=I0kpnqwnVQ6MwKDMB9#J*$rW7IFk zdS>nC=~Ex*c|XaWAi1_>!oCB1OjkS*14w0dgbVnLf7`!J(ga5uGLk)U@u=S%<1K@G znY-1`Zyo0z^YcR0)%uQ%UV>CWuDcPTCn(*ywC)@RN;bYY1bPo~CZNk^knI@Wue#WB z=gMq*s6ljvR-o5e&7Qn4Gs_>%bfM4TW)y9rK4=Qt70LxTEoWY9k!>>foqEDQqUstCKgmvaov=z7fF*X6Zgiz!n^0eWi z-se%kUPB??UCv#7JGRr`&AsO?%QN$_t~(dbP8f%&>%RoaZtsIHL68-bos1Vl2Xp8t zmZ(QR4rm;;r1VbMt03pe93GNX40&B+`sdX5er8?IGoSpLYGe1T;BVqG<4Zn}kIB@xcq_WWf( zEX92tL%qju@?UqYxzjDdl7jGQez7AVJ0R(g?T?XKE?nT5)IKwBn zBaqlSsN0bt^)By`wbjNKEf;uggRPfKnci~04N#{>O@qh$AF%Kr$P7t|jxymIyQX=)jbjXTEcxslAHN8{D^wjsjYty0dI_12za z2Nj}0M@eGjkG1hHQUz>zfrsn*tSL_Op+hDs7L%EH%Sy!O^`^yOm!y@ce>qRx2#W~qd9s%N3dPZcf z)Ahmq+3D1-!+hV1I}1%4dIHDLF+j-YKt3X}zm}v*vTqp>8jrHY2Ho$aO-|$s`EdJ- zE`;U9h3BOHwy=xG-+wHs(-5T++l==QhWht~s%EY_eysZo)RpT8whj%2^K;NmR30GVGRXF+Djw8o_VG8wO4){aYF4TDGFbZ zPsmnX!nC^^v^7lh8$^uCTjd7YUlnAKauRTSe`^z&GMTHdY^2eYb~ao1Tz+w0_Du6Z zZMs%xr}?l~mYU#)aST_I*N7!Vq}ay8eSae)0*IRuB}GM5A*UKUcq>_qH`t~pu}D^X z?m?ApfdKa{jK_}sw>DL_gn*eI2aV!uHCaob)_^*L`lqZ5kEO?gyPC3 zu_Ohni?uu{)(4aFNfnl`duct#(qZ0xALh+gM5?zI1ZT7IwvwAN=NdOcaJIXh!!baB zf+(@J!-1XZTPRo-kB`5)W;V9=u0101T!zl_!Oa)+UUx9*82dD?WVG>=G_qH)80MTh z6C~)pT{wb{E<)ohVX)2pscSIcN}hvW+e;l6HQhbB0nsw!5hm^=)E+2SPV;@Y{bJ*v zF>&61Cy8)wS0XP}fesyb<)Yr>)~kt(v{{Ff8gv2tMwWm@0rzWo8mOH(B=u;>^o!Vxjgh(bFK~; z;w|)fEm)_vp&s2ot;T&Tgh73a`w}Xm}kLVYYm2c&Crd za8gTkHT5JgR@8kh0xJ-WeIVASdz$I)Y2QJklQL)t3Aa+$L^DC$0b*-1DxD-;mNXf{ z8fW&2V?0&(bDL2`FpU%fOS4C`qfqUKe&Y+jESmUf7fca^W?8a2>H0$CWXH(?H8mX^qMcs%8ua!p|x9s6ZXS04`VxMa($B zX2{^J!xFwdI8x#;$91N%F=%_QJaR6T(umb1t4ERdiL=1Q;(-C^Z3xD&}irYY76<}>94DikLi&s^0nD}fh^6KFP{=IN`3nAB1WQ8Wv0!Iy@mOGzpUkp zg_EbT^c?!PeW6|o^I0uJCXSJ`vrCMO$ zT>;CbpcWGu;I|sSkcL{Lx42!E ze@y#xkj5Zx`85CDC zm z)WSM*GQxq%Ljrdsa#BH6B=$~B1cDd=t+chxpNs<4-W+Qg=CZy2wsrdE3EqJir*t|O zwZW)V`NJ8a2_ozrob@;-_qbXJ$G#X>lcQuaP71z3#8Q%vJO`u4n|6Oa(HM{(Y@J5< 
zuAQhom^b&vuWc7T3=)>m;3;mbOfJ@!g%?AVn%$~Cu@16xXzS^yOhi>?2Z~p7?V|A~uwD|0CwvFkR%2;m(_9{QfmD0iPDb21&)uPIl*>a`57rZBRjz0%=y3Mk- zs5fr}N%>X?D3I@_ z4a-7)Qcn`^P3vO&ch5~LzV^XE@rDoe$k|+=itd^|2idisd>rw$@F}evXfeCiMjd*D zW-)1$Fn29|c6w`mO@XJP<6*q{xbWn@-tjs}z>mdJ`OE*Y2>$zW_#fYy`TO6Vn(hz0 z-LB28ihL~d%w5p4OC}}7VvCyf7ovTK1Vq{%-3eHxcHIRgvCWoTH6$kew^=LkxnWaA zLN2MhQ&CICQ0V2W=IC*m^a;#Hv4Z zeGl``{GrRQ+>ebtendOT=}F5Q0e-&GFF9-jqz++G5+kiU+vX3Qfne@mDYeNdlqg_7 zG*k-wQPMYhz?zTB45mHkZ)@Gz0R8r=&!wG5{huygW@Yk~HlTluu!m{d`z z8IX-zv*{sk3B{qiNx1F%rsr8*-CMcB#Tm!T2<*U|vQ$$=#LSVW?%ps-oKTxclZM}& zXc47ql9(5u^L!1#@otAV6Bw)SFS7~qncq!1aYKZ2+X0BfZL%I+?2SrIJBL(&A)(H{5~Az;6W)SfeB-85k1n_ z39frG?#CTdKz@`fKK0DQ9uvFgxPHcs_yPt*}-p9or z(_^2vCNtV_3zi_oep$CR&+LHSYGhEI_Ty%x@Ub$ZDRx0`j&Mz)s5K6Bt6uIemDpo7 z8q5C+Y{maC{YwqQ|HOm*i^h1Uc%7XF*l!&3HGO0p;u1NvPl%YTB`l3cspPCM zrAlZkdr~~bbEiGmPoO~#o2H}>8$sL3{J z7sb~uDk@Duh*AXv1SwKu0}KdAZ$cDQ2r(cXBqXl|QL1#MMQZ3#Aasay0Rah3LWzW4 z0tsLUq`05=JM*3WwVAzV_M9{4%zQsG6Ecw8Jh`8BuXU|!T^AKPULO?mv}*XH$>{~@ zCd#+M^yG;35i9xY=S8jrE1yc%vC2Ju)6q{_iW_K4$X-L&k5{urV^;tEE&c-rw5)@`yyO``cN0zh_xOX>h}gsiC!Po$U8vqQy7N&aJCp zi{U3k)u%ke05tJGdu(qBvv1A*W4wKri2;t1GT=JAm)Ec91Z|%Het$oD4!YN{?em8x zdqEQzdd%gz4-se+P=KWOochGaE6kj2^++4}_+#hbQ$}zFDefQoc-P!)6uhY6sz0Vlxjjon_A@ zxu^hZiesDnNb54a>fDh%Czjy+{pCJ^yG8@&h3ekc`1Vd-0p*LIr4in+1!q{`qs&`3 zDv8@o`Ul^1nSZXae^?XqTteb+0lw>Ua~aC#8_r!u$>)~1K;e&YO{oQ`)SNp59eiTN z^tcm)Gj}5nodsm2M} znaO4?nt0|xYUr3zhr6_+cu^LyWglOc*y zO`xUq#<)SYKHV)=SG7xiS4OTgJt$eu#Tv`K+hSN?*HGRD)IsDgcw5^@gf-&>w!nv+P6iK7=Q%@BFqxZVHfh>NR z)+7SXhd+ymfI{wOmAkk8cmvHEic`O@PQ*Gj<~~Znaa{})Af(c;rSBYYIrJB{gK(4` z%rphAMzqV}x-B)rX_$|T(_de!LL>V4-I#-Ik|)3C*)3Hm40c$=074Sc$wSWOv$_*< z-zzTnltVvQCd&`!&0d2zbd<+!hpHFAaWZ>m4!>)v#|hnq^U6H6o^ zhNVG}j1x?K%v{KliFQZS<>Y%eU0v{I%3{`z(hoD_M|5F0HiT1+r zhl3rjHB5tB0z1@lEc=2NWe*_sXVAC%Op#`?g3|IszVH$R_wmDL*DfDFe`Pq=RL?Qm z+J-eQC188_-v3#Za~3K9=t^VWxJZr!xvkX;&ed&C@M4zj(N!G!5cmn^?eq6fMbY~` ziLaKc`>i+%sbW^+4?G8|9&zUe(BW4wP)hV6VJ^xxAH+W911;JGzR5#v%hPsk%2Cg& 
z$-nm)$tS}CZ#^TkEUST>WgLDHv^GQ+wwU17bg6V(E7PW$J zq5DQH%b*6v<_6d|*Ue=abBhGF6PUYe3uy4NE&lM_9AKC6ZR+Bf5vYUcLGM32A0`2O zR0dUP_s?HY|M1uWG2_F)AD(7wG@Ne4;RSD2fxm$%;=zJ{cnkd1hF$o$r^S*)eHTB&4SsKs&ba-QJ2G5_w$6mrKXaeG4Oc@Ok^bh|E1fg6QpcTxzuSO4Qea#_$w z@RGwHp5$!q4PZ-beZ~D#tZj)#0>NTn)RX=3-(P{af3xnx|Gn&g*@ypqwf}pQ{GZ*D z7j*$P$$?`Wpl$ZJPX-zZ{eq=N=$BCx)sL?h{2cH5G&xCKd}Nk-RVw=V)Au_gP08y}TPZvto7z&pBV%ep45)qgRa7+q*h6f82yN}4K9NKP~@vrKX&ndT9nvQi>< z_zV2!d{6xsWn#;jyW6NQVJQ!4;yvT)pHST zBPQkS`UpP0r2YQYy#KNkRn7qK&zSCW24ya8`+=y9)}I@HWYD&Ak7e})NaPjU_`0k; zN}PxLQ~lSdZie1bC>5q2%V7!F3e7r8Xg+VYCLlQLnN|~l)78sq3`(ksl?P+IV+>cpj8vuy*ZMQm@w$4sOUdc z8vNzE$~iM7bsu%k>-#cEo}tf+{VL{B91$~>SCyV;MsyrC>()iUR2_h=_J>D+4We{g?yY2w0$(t)6~p?XQQYy(Mh#JPMk;5!Y+b7E)~Vfh|YWKgERF&^9{A z;r}#UG2%A@9w_4Z_*Ou)&;Fx74`wh1!Kq5+z`C)7^J}u{1EPl2@|BrVyJ;~ZE7T6QZq;nCte3s%fZ=4m zOwMz{+FUWFa_sLx0Uq6R`G4~)>30h{GDWjjo6j=k04&QLWx6IKg;TJ=!>B!8XM6bgKCvT*2-^D6!CeeAb7U5CXn+D1V~f!2S~i&0qk&{T z|F}389)#WPFT;p+_nP5Sw=H$2vx)&G4^jrT>k<%u?>@HsetF-X6EsU)k=C`g@e2&3 zD3z&i&`-@{9KEC2qHtP7J4`u}{TQL16;qPy3@h^tI8dKr&mEXgvgeK~Lp`;I)WRs$VvUif<(l$iv8ia zrnYYHZ#T7slD-Yz0sj8M)G>pT17Xbr0qcEu7kk?O#MsS$$7i^PT%Wb zQSKO~VrT6kFx!RZVMAv(UI4zQYe;D<5`s_c1autURf+O@J*+2sJlcSe(M>%nA9cGC;3s<;Vchd)Bh?$pFGUSVV;-)>KyN1!jbw%f};(;tdg8M;64(I zYc(bjFVV~c#WCyq#8#WjkuLmvv2DiT!CQvLeQ4;brBGeH_H$jw7S;UjmsjSyMAzj? 
zL;yLmof^U{saE4=bxRx_MW_@5ka{RZW-&Eg=EGG0iH8Px*JuZ`oiKld3A(VeIFPuU zwbAy}pbs;&6={X+a*DvW_G6|xRx1!*mcr1%h1I|`5IOm{+8;0!Ihl|3w$k8^e^_h% zwiaSWo_&`Cdzldg+NdoA)YZ9AO5jv4-A*q0=X-)@ohNX$00+^r_z$RiUQC4tFFA%^ z150G?%N>9m(eJ}X-<%<)J=;Rc`hYk#f-sjlaQCC&#dA>f{p1Ig*^VC~EiYhFgZ22! zzI8@^e|_i(qcjg__R$QW?>~AYtrH^Bczj;}QrDau%{0%F5N>Hbs{Em8>}QWxa{_ZC zKZsXlq~)7(q`Jp;4g2DXIzK7RE= z`ful?GhQn#nTS)y#Ar%XB+Y&v6!!$Y5ju~Jo)fE`s4^kj$9Xmm!zTwSn~yIZIy)e@ z_$5|aJMEl@a?A}GAVxBFawWVI^StrUyf1`cAGf`2E zd5&8}Za6`x$>evZh)3;@%^RfvT)1Pj8LEiobSikJfjGkIp{5HWkAr#jE=(j6PH{v_ ze_Xk}!xNQ^99r^Y6m8MAm5m3u#zeWe>P2C{_u>i|ZB|&;K%zb|EtI&bD#>y=`fAA+8R#a3XWsNGo4Qz-$Rk}>)wTSrH998U^hz1m^pj<~;HxqQ0I@YJEb zCZrd>o7~(_fN$(*cfsHv_vs1Q4RI^Zee z!KZ`*QqLWR?X0^pQvr9fL0%TOE!mI=k7))dM?q%zr~_a@u)_SXs~ni{4e&?{m~;I- zBAt)D>Vb!EEN^cI?CGHcGY0^yLJ`=2XH~!$VAt9(0U`nyu;hWrz!z=$OW`jzoH^f8 zQF41oyTOLXhz9=zd3Go7dtV|*o09ekMv6Zc&Oe)ft{W319DQ$%P2i{P>0N`49 zG7EOJEfnk^d;Dk>n97on&=}M31J(gNl=I=KzV_9B=H_br8)-M^c;H_Z6GDKgu|IMG zU7PR@FgNaQWogmMKhf@uT2AD<3K*syxa#ycD@V8o#=B|P#lQA*RBx?iPueqC7d3e~ zoeE8}=~A}U6wMonU;O!lYQJ@VsISseX#0DudeQR`pUiK*+Db;yaX%7n6;!QB1CxuX zRm`TDE`=~Mmijzt`MJY#-3^AZahBlu@nDzy4bmBJ*Cg%oTV|gY`7ez_TEBOt$bm~o zAq$Q0ow22;*nN*;`Ea{DY%3Hg25J;anKyT~nq=_h!s=VAwS((z8~2R+tfURxJ4)u9 z70$nv2J$veU(wv>@v(mIbbG1M*<#KKR61NNw(D-KYbuLru1~KPVlFxb#o=DAb)JjP zd-&pwAiw`sXTW%|MTElbLelAvGaIR;8Q1wUlkb(yy{z8RjsVXWNC;0L1%IHcEaOm~ zma#y}qkHKp1%l~ty+8R|{pa$^RCUU%OY6tAH2cq2k+()PYo=;BlDnQ|1qZH(#bl=B z;Y{_#;T~_t0h;Fc?r%+k>Ep(XiHYxJBTY3+PqcPjEkD9iYAA^v$A@Bz2xgE-1-a*o zR6_q~jYRgJM*j-S-< z70w#Nz+kniR2-vkvR13Hb}6O)(+(E*Vqt}GDY#u1@(N1^P)gtMg3fy3XezjtnE|IJ z6#3p=fp6mtAUM6jFZ(sVeJc-d?NJ1Om=Fv1?=>`BajqCqS@$gP@1M=JE~ecTQ7{-z zDBYi_7~8%153l2Y{-^8_o;cY~$Hr=7*?ohUEX7fVKD^9z72=uv;B$6pP7GY5AT`(w zu1-4P@}Tz?myB#acb`t72B4zH`O5ibm{!$7z4`Y-;RTwcm3}{1aIFS><{cz3Flc~r zhGN-)5<_T@BFrgp0)%ni;C!6`$~(lJ{^+dPhV%VE%iTY&nre3y$@Lky(k&Hz(xGy* za@$Z%NYp;;hZwUu*?R>1=y3e_kDRz2IMLlKGPi_Frtq zD(1xg<4u4ZNw>Z=7u#9urN&vmzo@D|ojWIbVVu1g{OMy<* 
z?lEAFL;+%GZXZf=0<0gNhhSLGAo~(vmf}-&B?#-3CBVJ<2K=a0H_*-9;xK{%D=Rk< zdvFxB2uz)6pV)dzQM7A%_JG(9!}wF`Aaqq!2m`Fcaxs9i5%}RGpdBO@vP)J29Ihi2 z2=g#@TMxysW%Ky^L;ZcG{=TRFe)|4i68>I1|1LBCD;8uPR0MkaPxt5tSn89y`Lmq1 z!v>Sg0@zY$v)fRX^X1v>mj^LyKMMcfGq3#D0y){gqI|&9!329!5c%UeLAx_t%cLf$ zV?rzxl}@|+pOLOFfYX8&zv?}PJRA6- zbNQ2xf4CTS@G%l*lS)$~y8|KwCVA#}nk5h`GrU@_mBP_;-p$Q;ZKP+`&G^cF_g>lh z^dY|Jj(h7m)yqqA4Srh`&Gx$wr*stKx#W!=ys3alhv2*6Q!nO!v2|l#rE7OEpO`VV zZ;$#(h4lu$69$vy7tVb!PtkkMcJhlaRyD-Bxz{zs1%Ij4Dn(Jq^K{e56I9E-gxlTr z(37y31UZq&mun_a&9V&FpJtWy$CL*3KmX5030F|DZXjAMQSIb4&Q^Hz6Z?qjKhzf9 zVKj$MXknoKTz0%iYE}b$WyK%f=~chraptw7C16_yAq!AZ6mUCAgqBO(>O@Bi+n zV+X5rQi}_`<;=>f%BxSRl$5GCg+;|^s`pEY%B9Siy4D`W#jgDmTj)@W6M~1X_9yUZ zifXfJAT=MYA+J!?rphb(8q-&Xc4~Lf+J1vC!~?#puw!#hvJ<;ohGrL=XrwSv3ytp=wlO86Zp^bN625v5z8yZa2LBNC>NP>tfYs4u z#!S0-GsDu;7BUT{KiSN1by*0Pd{Wy2iB83e0!W7maWGdE&qsSSWaVk`YP+p$b;CB= zTHgpU4ge9lw9f{TtTr4fqRg+cAH%U;oBsQ=#KEOY#|sm`sdNFhgf0|ZQ^M)NiGbwm zmB@oVPnOK&atX_8#Xu({SdB-|sME7*;en1*Pe2N+2Da`xH&vwsYU8iMRH^JZrICVw<7dDN@M8m?UYekH1VJRozXxxNfu zze2Rg0w6W`3q3XiWrR>&gY!^S?VI%{iB#Dv>gj^`m$&l2eYuf-MS^XFS7G~@%Z=XW zXTTf0Bq8!8z}^awUHPKsQE@+&*7dbJw4NW&DAgSHiiH(F&mT|QI`{S3g1*k=x`DvG zi-_a#*&>%ZnO>ZZEQ&??BPS?SA;8&avu0sp(!lH$?N~@$-B|y}30bkx%0>J7rafnf zGvotQD-_P)rxWBlP%j}B7SZk$kuLr^Cy+i(T~L5TDr(qk*pK$9W9oUf10?AMYM-CSiIk$Kxl)BzmW>(J=FN zXRnNSwYZU7U&hjM^-M~wZ|w;6#sN#Dr|99Pxh1#o_mWJEoXo(;@>0_q`)TPkXV(f# zK~zs=A<$>O#2*|g9^d}5p*?xQ_TgTwo~QU0>?6i~wa}KTxnMoH1Z55|_L*sbGy#xC zw?lyD@>Ylx)t44b5pQRKX-Opv(2Mp|?1@IXPwhoMrQw>-Ui3HA)IJWA=gZjJ6WF)9 zTBoi6rA}je7e&pj}-XEuDMh;wWe}%7CQa*Ww9QI%;bAYK;MVvn&gkm z4Um*3-5J|&3>vMSJY+;R=`atNM|YxdhxGV-@6yG8AkR)1oX?swk9%PsW*DIA%KLij znXE_Rp5Oi(16S0wRiffpr(NfGv6r%ulcrm`oaxwGyXMBP1+GFRV{g6tc`Q!dl+sEbQ>Rini=o?Pi(AFM`Ga|?Z_LcJX7*t$?)PEjiL;kFpQy!7+(3EX z4Hra9jCL6Fl8WQ6%58eu#T}AOTKX)^aeh(xi2U&jSteuEKDmLmT5oFllv4Hm_Jj7a zx1q&-o49F(?(~MjjLNNI%ZevX+)DBdRd4pHz?XnJti}_f-HorF?BYFv90ylHS|Mx$ z=SFP^wp(3lQ2}dWDP?K08Nz;yOHYD|`FQ$#4sU#^jxG}pA*gQXy@ZS&Tgo@qSk-|$ 
z_x2qW`HTXwEWVo>Z(~e-#=oXlFI^dZGn%SbGu*j0OY+5Q=7$wYSJ?&AVy`iiSpo7IgQ@!XFC`NXbjr4ikzQ(#Hz^G@?>7o8j;E@YtjU~} zOkQ3rs)j$&7`>TQciU;%Yy5iphh{Irxy>BMVBkpORlcdnYdQ?+fdLfcClxC0#ot=!n3R2+SC z@#gmTnEsi&-ow*2Mb>^ZW;i3`!B8jC`oMt{0ds<3AOaQw03Mp`+0G)MwuQB!1@b66 zGxCq48_%EVFIt_*qf{GLsyi$42OECuyU=nbT#0N(4WDcVF@C3@yFt-&22~X8I6aRC zB$=ksK&{b|U6SH}Db?)sIl$MHO=FM0SL$Y$sn@;3@;4?Ps*JRc7TeI0F=A$=moMjK zW*2=`_?o3^w{T2F<$ew!q?_dP^%Tt~Z>{+)v>|^oHUGU%Y2J$TR*?0lv=vPB(1x5` zI~sSdn;6vfE|}8Fx)Ac2p-_=+0vBlgRNYpVJ|||^(JMD2EbCRiFkrI+dL6+OW@aG| zquQRAQ{vGK859mrPDL1wGprgm3{0kxv+{3&jFNQ_a=?9HKR5_i9Vro$U=#6PYe7C> z=aGS<8h$)|uX?<*b4TT^RRuI-=+r{`I7ToJT~Vu5j`;HA)*JuP+2yzoM3$0vm?`K2 z&60p>NjwZNqwNAQBFJwB9JJ5^##M?*%j`*4PN%V|hSPpOQ33#O)1m_SDx7&$OOwdGLkt-BtiO#}QYgY!_$HdTe7^QSQgenb2*9Szj$a9GE zK%nDU@zy!PG1keDV7Er{P-N9qNr||PPImEwNf?~J1gc~xcw_U^@mHgdi8+a%pm&!P zPe0ks+fOm=g3&WSKYRmO*mL&5pRlp$EpSvE&DGBo`VH@>Q17R(f33^TY2Dh~**V$z z-?no9@hh+_YCZ);kprsR8gjVak#HY)jvDR(l!Z>8h225WXAy=eYJMIQ|5)DuKt8$U zBpNWj%dC`rOCHur0_F7<2`u^%g$eXtyzx1jSOvgBj$Rn|JZJd-EX0{Gh z*?jN!#(2#(nSSafP>Jic9!3^>EZqs=N{AWpIj9mUp_|@k z_IBh#ZFx<`6?c;2e)qT6;Y!j zBQy2>yzjPV&ot9*$zmGkw0Kzi>IPMta z`T$Qj6AcL3d;R(I52l#+KVa>^PdQvrMH+t|hiH@kF|hI9&vp(SfPp>^SX17rli~FG zL{?@QK(PP!!<|E0{}7{vZjo&0rZf@2?f5tbISk^jDs`g&M&6r7&cNQc3f5Y#%o;w( z5O$O@jCyC4ra{r%2iBrqg;@c^~hg#gZy=RNu_HuH2>e{u~pcCcdK zu0wMmZz2Zgr1tajWwk3^EAL#^iRq7Q{D+;5PGiT>?}dnvT7!a;!TCfEhWaQF|L8s8 zrcZmD50s7ZK-jde-`&q?gQ?yNUtUG4;Na(+xla`)hltV0vs9Xuje$2J&Jd7bVe(HiUYysB&*RsL{nO}vNp#olwFk|D>H z*hc&~!fhdEfYDk_0m-{re2k^LP6eOLA*;TibfMViy#1jfq)$G=pqUpp6ApAS)uDDH zx&5NvPTY1@0-r+=oxiCH8+2nL5IhuK>U)|gh;)ULLGWUn2dp@_X_X~D2dNPlXj-ty z-1&sFI$hBD=gUfeNRM_8LgZs<1OJZG87w`YqO0efR`i3`a03t1?t4}|^46Os1S zdsS~nyTy)@eh$6bvOphYB$;SdFV#bb66rcST(4%bk?Q*xE$#>T zUW$a9DHlzbIpV$~eq1M(hION>wmS7qs1Ir5l>3k)xDZ$;p12X{P#v$ ziA84cGkcF*dL?p}Wv$NNP`Q3t7twkZqg;?Ez-ZcPn^XFR1o_yrxG7%I zcnel*1??>H%ce%SUSqjQQ9n^sfUdq|Xq+f*$}cHhA{=_c@%7onDkZ`YFkb`^8mJmh 
zU_SU+vw@HK{2-XH6>V^V=D2HlTs1MIemwsTEpl3Aa|x@ha%4y?waj;7;#}Fx6b_!h>U#+H5JA>wnf)s;Zeexyf3hv2)>1QZJSYqu4<(oOLp`D;aN^X$T?5D z=bQJ{>Iqy&ueSI-VgqM^$i83(+CCP%@dgiYXot)&?1}^amm3Wu%$z1?20=9;Z(Hg( zPk01U98ULI*b2HX1$l{LzsfVQg&6EYAN*hu-`BK5QFmf2FcUTPy{K-?q$Jyr!?DAkefe}aO{{p`|hLWTQm`h7xe`N zAK55E*GGPRlJ*jz!xErfB7{Ra3}h(jrC|;j2l^Ph;(w2Oc zU>3Qtll{8Y8Md&hxg970<*D!j-2D!)vLE>-{>PJ&bSXzBFo7QRODDt_|5iqKwTCjn?>x^=aJKYxJipF|@uRIOSpx{vwfj zwuCJ%=tU@1hlAtwq}2^1rMsb(Ocgcpd}b zU&1IT_8I69OMwwgZbTmYLI%G?YKAl~*pLUQ89}neB{-DdAobn*X6HW$6@e$|l3}oC z=U?8x!NAWJCv?wM16VmwTA^56Zl{4LEr~KS--Lcv!Vo3*+mDrGv?FDQ)x5?UZ)vpF zAKbuvXoykKxTO5KLkzd|M{RlgzIR9XHOP77IF@`1B8-sqX28gmU2dXdRkPss^!wGt zG+A)u!DeldW>dd%JhjQpGTG_Jq4_&^!+NqjJRbMhUOwDCS-m4s3#7$77&cHv_>TQl zvOGS6xJ;A#=>mYXqIn{X{K$yxpKksI#GI?aPIw|lM{WMbkOHbfN8 z2NaL51RU)#I72J4;p$|4c4e_i9?i_Cv8HZVoW-|3ZJzh$yURd*g4Df_L1vces^=vw zXW7D&AR??GG}#IhhZST1#z1FaAl_zb)U2~c^vB|*l7%n{3tQZzuJu@bT z%!?~8vACBo`}^Bm;}OZFXH)d+&9W2#Y6D!??BeMLh#*=d>sTc@Esmw^UH>tj;H!P3 zG4}Sb?{alx>X>Di%s>+4#<0+ikT2=^rL!djq(?`1rO}0dY0LG$%$wPJ0fI!ifha(p zw?ehcpzgx3AZ~4@Y=2YIj@6e@Hlf*Cjg@Li|y+J@DTHO&_UusK{BdC zgEdo0Wo{Kv>VTJc7m64Fse?}nxE+Z=y45F_;RCdv?I3HN)U3h+w;OJLQrccPIHR-x zxQSLIZdm2AW&zj=ahEQ`&}ytiMMx-8cwgB;4naq%e|{IiIWx;{ePdA{N<6qR4W9#p zFZSs3R>GFHxL70TY9I?09*GAvOFPg`f)6uH$EzCT8E5l<1b<#*i6`Dxtl`(E&o*jr z#F6vLOY=W7*VV7^-MeZsrb*dr#l~W*;O&WQj3CNZ7X;_kVh;bnFmD=RfJ4h@X4W?} zRsoLT;ZNPnB8@aYK6!`0A4eXUUc^-_-~G(KAw~mrqN;`xu-@P!KMpuM9NuSGlkG|R z^Q0?54hZ(*5D1Ap;JcYLV>Uj$S?Y*bHmsXX;AW~q zqkaWZQ4X88%*5YLNvF~{%QNPhOMorva|Uo9M(oqY7*}cjaOjGgS&nH~ewT>yAr^9sCgK?GI+&L7XaahY4>u8(8O zTlr<*Wkyq7h6pCEbS;KM4Q(AT?ZKW_$>OGnM5(Cx3F(;Vb~Hag1UqUM?K$n6vAAR? 
znSfK-jWGkkx!J7-GWeBejC`y|Y1V|FBsdQ112QU`6Zkq2lwur!YK&@7b4z5+IUV53 zcThJ#C*%l;pz(GB;emwYPj7=575W$x+CN*v$b5t1JGh&J>N(cWYLWt|O-5pzjHe~o z^${@hi2W!iGWEw_r@w)ya|^ye3zZ& zm8I-}oLqGPeQBFQ1mdc(DYZqI}&Ub&8fUG$lk^h z-Gi1$%_L{PrEs>QDmXhz#oOJ^e*;$s^77L%Zjl!srzKS(J>;z??Y`8<=l8G&vZ*4& ztAThDb9jWC4q$66fNpWq1v+ymL>yM{y4U&&IXK^B*KTNj$r69Rq}gl+`gu;PrYhnp@XxZV7CCrHrX3_#U8Pt-RwiwuXi;c*ln(6qhs(_UZdA6FB? z<5PA7k3R6QU)kEw2gcdKU65#Or7JL^VPBn-su)4tbLFQFnN5`PFMo4YSxQXPy>?E1 z+xU^yAN+B_s=S&%?vdA0VX^H$a<7e;7q64_D~7eGRF!oVm(u*|9dG+bZB|9aDW>=M zEpTC?HcnNki8$%1dNa5CGvFJ=+mqMG9ElX&g>0-R1x2l*>CRimlM#OPV%`(Yr(Jp} z5=w#NFQDI`wFS-zj)ALHJ4axPj?A=;kpXFA$zZ+9AnKRl%%-U^(_d_to}&g*i@I5E zMy{PjG6UmiKh1EfiMa5UqXkAP0(;IQL$;#epr-G(IOa{vz%RB0z$HM2R!LOr08g0^ zzKv;2(ojUE%|cYf{R;m4rnX-GIq2ixTONYk()X#xNKz~!S1Ge_GG9;6UkIdf8S3Or z7a7Qf!Ie5c4bxl-i+WW<=-Q<>1>(Jo(M?zKH|%0@b1G|dudOmYEgl71WfX)Nmv|um zuwUWGrC?gXeBk@VL%59Y<`ZPkp@=`*m$-`^n%FoAADVN!m@L{$rUo5cG;{Nw$VJ`N zj}E1tAyRLMER~UtR;QYxV`KRiSvPQb`%C>njLRh52H7P_q1)!$IO38l;Y?9|kh^sr zq>ig?bI5d%A&j4GbeDra&P|ri?O9|^GYbsBsP-!%a=%d$8Iq_O@Qi^T&_zeG2C0C+ zX&;PxlGT)m(+-6<^zASP{}88=zSn&R>#+pzQw1AML_AlBd#9V&IO5WKf~UaH=pBRVaTHmfD!9x=I>7pyCVA~-D7(>ByT6(JKEH)EJD*p^l9*((#?8kF?iOd zgTd0VdgC+c4K?=5!NzC={T-D@NTKb}z&rI!!`&*up#@|%5q*oY2?^ahsi zx(agrOF$Ik9hxNrA_rQV4y%@Tmu+zZ$lGn3ycC;pU;1&*g+G2jNl?_aTe zg`(=M;SU^DKvi3e%z_RuT_On1R8D;g24KATbkz2JH$W8^Z1sz6G-VJ(HV5xtQsel= z)=&s^q;m35ngne8=)lfob+fG*9*bSf z2Hv3x>lMTrI8tj4gsnsT z2Bz^9GZ>HsawQL)MLH5fs?MULsP~jdsr@qwRIbgt@Ac zuOxvOlD!02k~|m*9q{Xs`68fqH=|$PwI6viB&{1%3t{jTQ_GnN4BrL(|Hj^XMm5#{ z`Jz}66_GAQq5>ja6r?9MKtMoh=uzoJKzfjnSSZpJ1QdZNRcfRJ1Oid2fQZyUD4_^Q zPbeXf@|^w5owLsTXU<*s%sDe_?u+w+#ab*Dgs}H-f4`qP&X~n^@SH;RTRH$Bo)GgY zRlcp$va))}SK^myrmG(ib>g4r9DO|!vyHrZ1^o5Eet$57k15wkhm;@%QrjfXi`rnR z+<3RZ$90b*KKhN@I@xxV|6V)2_ea>vV#-;cMb-`H=0F?;maoIR6w~qwM2Bs&Hq+qm zzq1X(XIMsG`4-ZU9Ygc2`uQqvTqXQseciJZK?4V`885-N+8UA)fCgJad5$oe*9yKw zO=_A=KFsu_5}zsRJUFR>7;j~tZ2TP8lT-^sjxRza~t@jJe9ZG&X(b<9)+$J*p`vrA!rf{u 
z1v4F;Zh!u1ZZb6Z{ka;~h520uizAG)1rRnI@0{LyPGHEn@`n(~`sGf#ACh0ySHe)YG=*mddH!$m!|-8WtK`JR6Hmy@*XCfy{7F!N^YowC6tGzgci`QpIl3$AAq)nNLg@2`)51(3c};#0LIo^K;L!e59?#f$G0_M6{%tN5LrcoLP^+lYVUlx`KLDbRE7 zq+sn3FbrWx8CEPDkfuY9g5mTDMc?4X^uccAHAE2j+P*Cw*%=ZyF=s876uwj2q|-UxH%c;RWQI;~(&~?~ZvECf0Mly5Z*L z>TWsmi!%)gVWmA{s#E!TW;=oNFtJ&Uo(51cQ?@#q;dA$Y4S zWi#(g-Fv4OY!mEf{eeef5b_Wm^#s}iIe|P=M`T_n!6K1?pt$Yvn8v3QhEFm!$;aj& zoEj8gD!)9y1kNUdfGu;eXO$vZaB4P|vWiEa$ zY!1Wm2bwNh0IzOP2<4G9@sggb!-!rmQdBy}^SsSB)Sb4^K{1PmQOqzg1i=kF^f2s< zPWVhR4}D>T1Q9|Qv=B!w+j{dme0_DxzrjIM>B0l?d*|;I-f^|Hc1;}m;urpbM|S{t z=EI_Gw07HkJj|1JEn{ZigaGZjcZb~d>pXKSg`6E9@Y-4Dg09&m&EAp!^+b>ZVfGwy zpTI?jcA!pDlVic!Ko*lXQ`h*dj#xhZz4_;G6YxN|K~1>3L%4?h60-1~biJ1cYm~Lb zeGVP+fd@oaXPmP|@-^c6f&bG+=Wg?ffq_|Fo|&J;!A0QI!geLf=ls`W(yPDPD!Rli zC%WSrQ5G%2m}VLK*ou{fB?fqs+jl<2i-eW{PC^gQWYHh- zzJ=Oq_4ScbKjP{vP5Vne>E9J+9r%yf!2e_R_Ix6OZ_yo^5xwP?Jh*i^=i<5njY4McvjY8oy*N|BIuef|b z7lCK$eZudFAQ(f!2fZD)nf$M+FYa+Jatj>Tr~b$1KpsALS^viJ->K#3QSRhbC*YwI zOn=5ua7O3;X_gCbjJUwRS;)bNc-D7Quh9@d0=(~r+axoE=2}D-zoJPFfL{CCbht(J z_~b30Crg{fja6?QuZ!<)NqU_IHkDKIn+cC(z9H{aS`is)J_AdW$ehZ}1}C#^o@jqt zSU&lA^>>w2*tlJQX;%JDcG|~_Q+V8krfg_=VV?Ph0IKC5g39gC$MFw7GH=phGkp^D zhkwipSDtWZvoV+18tze2`b_I6RIzEk+&9xxOQl7VSLyu1k!{l|)|W@$YFI^Pxe1lc zU20S%>StE#vjjaf{^djvh!bCBz+E{n5FcZ$sxmX{4M?4Xfo-n4pZP7^R4 zO0puE7POeQkSWDRhx4@pTEG1h{9oODT&(%E>u1EuYIld7FYH=YvEF!>M484)!cu#O zW|V7A(y$bE<&(KnXZL>yqIi{I0Su<4>{HtGK!gUvjAj6CESHYoH)jN++p5{81nHVV z8Vm!bB$>Xw3rz4v%pwgI@uh88=x?TP@&+(0LdKh8!rGO8?{~6|W-NCgcAv1r$2ZI^?qL($Zx%$rmRcI$1G;)^Dsr+aq5Zf9kJspLt$^~WU73Cf2m>@| z!yE-4^{OP(2la+m0fweY&NwQbp$~sJYwQ+!-g-*Jjq6L4(rLZ}7n^6W#o!;zo6QvA zHDE+OlEW&6xNPt+Z?T@UWs%~PqSfC%JJ@)M3-r7h_knWUS&KuS$VBBI+7+{*RmaOX zzGkIcA3K4X`t|?W>4!Rp{syp}n-R_me{ob9qX7kju2M6ARsSuL_y%N-O#a1jHrOu_ zM(HP0-lDw`MiKl#bt!NT0EmP9j|Lp(=N5SE+G@mm-^o1ft=9>l?C#4NWlGXN%N~{c z5QE1sjR;JKqk5a&5ru0oSdMp@D^X!CH*$F6QbD7WZ$!o%mTMHT`%SCwS+LCoqWwUH zf|Ah=Z!f<-IZt#Ln+xHBWN*Zfk3yykF_nL3BwNmzF;Alg*<3wT%l2jkDj{(p<||O% 
zp*b_79w|NGJ72q1p%i?jMLR@gyiu0g`)=x^E(x5ngA3{8yg#E@GS z&2C!Tc&-ETDq0RrfBLcrf1-J2P-pF`PNYW`?^mqHKjP5;E>z1gjQ)^?sIcCda|5-bMssdVp3=>Ati;KFD{lhdECj`>D&IE^hhnEZPsjx1h zRF+XZtj_?DkVv3Fl>s+IDkXGPnrb{})`}*9^t6(rmDzj_0Y zrIRjwtb6rQe&KL@xLk@rPhCkS>)?Oc|MTBxn)*MKu>Bi8_0Zx5U5;m!iS{IqVml=G z2Un3ShdVgYspyXZWG~#&n1AGR6UjoP4hhfwK@AXG`UaF3CZ7O~(_F>b7 z2uC`je!1E_UOPKegax4klh>g^e)NPCW4t(Bg@uIn(3k5MU7|n3az_R6$Q!G&Q+7 z-ny@z@TdY?P=iQ!{bG9|E#DLHWE_ejnGZkvcJ!mZDb2xee$aXRW6vaRyLl?4X>G}4 z7u*>E1G6Uxbww@MvG5trwj-3H4oJ)Z(uzWSjtws7`6^0&d0(Aq#$7!j3m3@I&Pd3; zn*DZ9@a4IaL;6O+lE;=OX1KMC^7D?7tMGH-tJ%H9zlzOi0~SQ%Plb~Nicm&Q%rEP& z07+QDdf$B7UKJw>@iaR~*LOgak@g{c^s1k&s|!o+@W-=ZRz>e=;V&dm^yg0Xqoc+4 zSN#2~NPDH%ninv6PCvc*ZR1o*53gM+R;DyJXN2th+E{r@C3cWsfKD(Ef!h6IF~Ufd z8S)9E&ozKDCzt^@(QO;ueEB791X49uau)y{Jdo@3@IwAK>4K>fY$?L7P5bNd8=Gt^MgDxhsEQt5Fw>2YmDx zT=Hu5v@*ZmG*+BFK<3$Ya-V~0S&8bG&&i9yiz-L-ld8Vk9Tc+K9Bbgb_8Lc|58`^$lNhrNf zI&FR|$8ff~5qZE9>fK_fbV^_IUP{gdRmrm71ycAASebFXV#jieG$^GreWOk_?-*_7x zx5ngO(L1TicPYYAYGTF!3UW)2s@oZ}Bj0zjeeSHaPq}o;$i(-pyN9?$NeX#Cy1MlZ zrTlG&OGT~b)vi>sx&qTCz6jWKYnL#5Jbv{>mtAe-11RB>z>hbMV##fXmcqwrYKH>P|1 z&Q5*^H#_2p$n9728tQO8qVOXp@L*iuD?+g0pGz?tV&)^`<3o`YQBuTAY`>T+tC z+dJA?|H5hd4^Pm)oeBBqKOhPW_B7*AvNoI7j|gorf=riy{-7yNePbODIsswGG4#r; zb`7>0@qS_s&%Xgox7+oS48}Je8YVY`{{{WgmUN(P$G z=Uh%k^y`#8f&RIMn9RkGgb_(rt+KL-_@IYK*7H zr~@p$3?+g}?qZ8o^wIi`=(zPFrTZLGf}zeVpkftWx`Vgm9mFmv=f$G@nCZ?$CP7p1b+jMI$C~*E|nG0H6ecVg#ehn#B?B zV-hm)rGUp?)Z6^qhviU@M<$Qkvb89nhQs}JuP;s=ZoHxKl9=2&VdyLfETCI{0r(&j zRt0Hym6lNf)Tq)srwgI6-GI-Qz(Zah-p7s|EaOC9t;}Q`T@A_ zn9|c>=F7p}N3pDE;XSXKDIEtLf|GWZlhLZGs=X3t~`QvT65zuAS zYcB`|#xo9rH84&^QOGk5@As*C?JcUuw?M1RZTE#(6+rrP>PmP#N*$Z#TaaL|Wb*0tnH?40YV-JJH zRAD=GVYFwgY@l`^753}lpfYYv+M}uRX=Re^tt(*QgQO7`_n*M}+OwuE?D$V?~ zYvrZK9P8d|NYks_;_iF}T-vhj9juBn)JOfiJbN`^ear+BfQb$__M?Q6I&`jSSPak; z&iYu>_p+2Sueug!NUeyc9tjdN&adTG^)D>Mj0yc#b#qbi5np}DWSC8+4Za0bH|e4{ z5k^VAX2c}lU^;DNAMU%q$7{$CH!8y+H**?RWHnWD(x-ZQZcUS4V5<$Ux zU(Lt88%!%_%+CH1o|5|fqIIA(I4^8Om`vh#{BWH%^E*582P44kJe$TdW!-Oidf7dQ 
znqD0#eYhc@JGH=1FIcJ;4|S0-(NTM%%y#ZIY3{X21n%SfP1v3T7yt+_W-&k+ArLkFmZC=TJv2RTLR1^KCx{DKH* z6DLn-iJ?Q9y0n=6wPd;EHa?^=-Jb$wAAe2N?gT^VS7+Bk{vdfMQBgUSGoYA^=5t@F z?38dZ>0Ps*qv3CDrdtxfbey|5#3iM_nZ_=qEPllvqr1%Y#SuKixed%C;O$eOfuIPZ z5wE;!l{bpI!lV@WB2QIx>^se8KRf>R#EUQa`JdmG1PqSb1dgvVMDID<8(keRauUUn z)g_CLqsvF-lU464$MKo?tFulp$I;Jbf8aCPP7qGVwClaIgQlT zW--bHX@0SFr5tAA(5rq;>xs$Lmt}_=0*!sdqxqEvgk(ZM=#diNEI^KtOAA_pm;TN# z=Lt9Xv6{vHv5i+2^%YcG`zQ^yGs-Wit#RCZ!f5EsfQ6cRE)QYllF*0feKVjo*cpU+ z`(GUVNKU{wpK1DHE}4Y=nsf1&j_$Q*{zn*gq-D`7uoYn;h39bTw6((Q5!WQWJ3p#Q zgw=N2O-?zgQr2^Z+-$t}Cx?qPjH}EY*E&=Tot&mDvhr8zA9~K7*Iltlyhyy$;n=l< zZ@4x-&}FZZ;6fqCqdhREy&*^b;_!pV(52D-<@7D{VgA-}ytd>7;`uSW^!@aQqXLRS zr6ImT5aq}GVb4(a;p;~8#W9QBOVe*M?`0Kck~6Kd;roR{eoeWJXRRtt(*wmjh~BDm zzKNE}%Iv#!2HkA#I%>>Qh_ByaAOQt@oa$N&mZcvlqK7ED54H;LQpUY0uy^y(`?eSS z9~#{~V;JC~FEY25daUtC zD>O(T7Za>zXtY9D&vVbo2sJZC0)XO?({wwk@N7pOm#M=X4< z+^BioLHz=3hRr9K zFgk`xoT>fNe1%fs zJ61Et8oP`v=`x*!YVsQA+$W^o4B%VhAqK5EKv^#zG1UsZ`No^F;AQUs+T{l0cARAN z+{ptr=RVy3!GUcmEdp7t&=cJ3JgI`R!zk0#Vkz8|;t;ay&p>s5HAXqU=hO63E3CA` zAG%zk|HfgUR~1N+tQib7QGG{&w)8!(WS_L(pxJQ9y~QHwWIxapaBRe?_+=zE8C zjGR6~@?*uL7Kl^J>_cLcz0#Fx+#qtIF5@b_+}C}re6Paing2JN)&Qh{dx604>TJEu z>-ppsQi##MUAq&c55z|&e&6PO6$RI9DJwp0j;_XKzXPcDYb4G#<&#K#dMU$*X++NsoPJpd$nC&A zolyIGwS!91F{>M4btZ#r+{1mZTw~oEyxtuiNFxng1>IUXRT0d}vn%~%9cO62Uao2R z#A)*rIdfvuc*gvRDTeREr+JI7gH7)X*C*Fjms<*}suujxI+(GI^_u!WukJxxVAZwd zWpJ;9(*uV8M7l?lT03M<>Xcg6Lm~_LAurG0b-vFVK@i=k|J7MD70!n*6_C z`(Gr)|2Mi0|Id9K|FB+5y#EIu0}tS105~e}Yan;^!c&MYVR{xeMxIfRN4v9>X-UIK zry@`ARZ8M^NT$4_ag~$rl-Gf9sS{f|F9WqCZXU_dIAx360Ungzz!voc{mlk-jp<0B z56_lg>zkE{Swpt{QY9Rk(B_u-k@YgA!_jC!{NUP|w5+Gb_vNtjct03#QcP9!QJ+rl zL|t7?zdZKVo+Eo}UupiG!SPvV2yZ(ApZ)-;&4+TA7a=*82$rH*RkeyLUY+!)Nc_~rE+G{v$<;^^@4yiOco zbb_-5MwE1PXA@6tnG7jPsZ83E$91mWoGWS2I9W6r#~kE+>uz1rVZGedErc6ys2yqU zq|wY;#D&wRsc9|>(f+NW^yabcTxY1wp(xY z>pjDA_jvcA?BIjRACq2)}3zpGLeOh$+m&zRmo>Dk4m$ z?$e^E3_W@v;~-N8EJT@KjJDr(9>MM~7CtAfnp{{7TL{aaGJkkbmGjd>j)~UopUp26 
zslqR>tRDWn>0OhB?X&LAGwQN)`cp&b#b~}q__T&KUlT0g@i@~l@n-0O&^l|;bECZZ z&K|(G7*bjR^)G0QU`>H_^c|b}L;5Xojd0~g#Fj{E&$HX#r(a)Cv1xsNqw{EUCiXklbU-i>M7DprMu_-_1ob7zvZZg;T z=4*GWarlkOoik9AhxZpLlg=z`@n$HKFN4+rOg2R{qX;yufofgTe3`Ny568moS8g2U zipYhLShWMp&co&gq9yV1?$$SADqm$S`j^iDdOprJG3BS^qs{!w5{eWi{~rm?DvDW$ z9_~sP&r77PNL-kY&t$Ged(qRDlW}kB2>5fQX`IB4FT+>`U7B{d#$zNgAfy}jjdMq7=^Iva;qSBs=gzBLwz7^E3OW(ZUIR}%_EL(va-0P^M~ zJ$1$`fqWXJi9p+pEDRw1{UFbE1atq?_Ad+Bo3Jw;L_8>*-ZL7E#G74l$gtM;xMC>o zX|#m&U?qUB(OdQDeVk935AsQ%m$1`JNQJEz96PmCx%|XB9aBJZUQ(~KsT3*aTY6M+ zLHS_M%Xz2nZ#i1OEuQ!Mv550x7{%7^<$uVYUKnyn%}!~EOK@CI(}GV97aQ}f81*vF z)SX!pwj^0QR+{A3KUihU2AZlk4x|}`1&NZG0)8_Y&)8>>M!?+?`g;O zx6!sr%AI{leL7;JFgsR{amu8QJLxY)Iq zPKIK3Fh^YD?dq>g3arvJ8`C&h`6TMnv>#mc6t*;-u1$ijBzwQ1e&)av4CxPZ;I9SkYSm&k{ zXXEd)$*52?S{I--=WM&E?#T_e)=$Y<3wTRo71c$+Zocp@-Evx{@TuyiIhhpzwGhC3 z6W&6|+cdJWP;#RP=&V8P>Ne~EVs=Y^5Fk-;F^#Xvn|`)6!y7fEZY-2Kjeq?S>2tG9 z8UbsALr8J0cUbA{19XNX-KBKYmT5;>Z5AiuMX(c7-V#>_RY#@MaG*-vGIOtf1J780 zc?18D_u1xlw?6s~o4)w@AS!>N*uK=)d6m^IC@t2})v+UBm74gb{8adtlB{7FJGay} zlS@OUDMreffFu?S!ZrqZyEL3l6)(f2TY<9FuzB$?L)uFBwhQ zin!xGGQzoy1zs{?j9t7c&A?PXg+DWD!s_Ad$hs+4%}9e>Mq>TL37eGNH^f4uBXCP4 zGQo6XV66br-I|Xu4XNCimT|Z?`K81K%0jA(bo6VNK<~Pn8$ra^#sRUs?ufOy^kCk~ z&A2!2c~mjlH9$T+sZPuPJfK#75JY!s=8HF?yvkf~bI`QB>7%V4{s3$rmVbGZ*;<|D zF<;>|)MoM3s7A8a+{WKLT+1fUea)kM*{-m5SeN_p_MhR7{*N|}pVKt9dL!P|4=0p| zm+H%9WqM65_rg)7Gs0`_(`NA?zHNY5-G!XM`^*3(rA#&dS$U#KTo36xxbxcVYNYR7dDpe|_6}A5Gs_xiloh3UX^$?7;)1(0P37_}2ny1s76FEhTl)S9D0y&1dV1({v>!HxeU%D{Dxaqt&t-#J zP`X2ztzSXBJK^$z{Y<^b7KZ0-ZRG2ko_Qq6I*TZke@L>vfs0K!$A&V*(cd(I5+ZJ74<{w1 zO4(MUTF64bSy90}V=oc$t(fs$n9u_CZm9eE-0H(#rWdP0Qu(*v7OH2{#ht7^KUud} z_V`Jka-!cJqF8Rj*FX-%uo+JYY4A0yp_xb{O2Z!^y^yM`yxhMyFzGtKOc}*p0bboZ zP3uXeG+$N)TN&xbDgi4axv1#X`SL$cKu?i3;4b;}B)e^bqJ@bTY0>9byhSE7#r<7D zWIKm-)NA+6`I9dKXQ1C;@#qt1cycUYo1dg3eEl1Js5z`qC|`3Ju6f9PlaW)92H1mH$oK=r0~4WU~=m`C*V z^<=ti2J+Ody;Y_}r-p!_G>D5b%Kd+ihRoU)O-v z+~}9Xmj#{u=SB+2|Exxee|q_v=tP((SQPd1FOCyx*hJVFydf)j2E$_?QDi&B?o{g> 
zo1G|a?0F_(F#oirSZ5o{3H*`$ryFzA!?VAf)KRf6;F9K95%PA)5kqVQCtl*=~vr zYPM=2)TUv$Hd#V&Q77FNz`{B*GvgT+UJ&=3oUKOl{@Q)Js~aTdH&!0%B5H&zL3jj9 zLZ1MPWDA{N)iK;r3C;)VhQK-#^qbsTldE}OoSfmuf_frH9)!K!*qY}pQBK2M#ZzWV z%Jk0?4L4;QP@(aLjoR|?g87iN0UY+vaKUP6M?5^!+|sFBe$2_KuCO-V*nK02U{<;X zrNy!GAl`&A{!R&9I&3yMHgumD57uH{`jt<&P{75BA{%(@kDW@*x-e3Dl0{- z{4WmO?nhJ9H8Jxyi&@ZC&}pz7djM92>DWk=I8Nbd>k~wDGiHibBl4H+1q++X9GAHQ z%kM!ncUla|J*QR!ex8<$SXFLRU<}SmohPE7klocA`<+Mt+n2UC3`u@Jt<2;nwi9Y)R+kuo2*T_} z+c+UIWqII61@eYyc|t&!bbZ6n{eggo)eK4PS=B@vmAAi7!XF`>9eR(GMcZ4hlOj#p|)|r%4d`(C~SS`^(rf|1EZ`-E%G;q}iFTrX`kb(U=u7sMx zXR|O4M9kNei4}V_@)}p@T=<&)A07R(76aOeR|Z#)ou~=uOBf13^xm~o!8>*V-8>+_*ujM2vitI)p{TLqhOg%bqyd9CD zi&0MK(Rb!BoOD>5^C7BRU#tRNY*zM>nE58S!{y|6l);go7w<`5x0U?pGu#ss(Edx17f*eQkiyGS|>Bd~KvQ;6;HAUT$f%UTM3U7I!7;eQlM+*w~-#5QwQf zbst88(z5DUiOsr*Lk6royn#>HG$uKRe?UiZR#$uWF8e%wV9l>$HG%d5iujPuR&#%S zEbY!WL~O7K{G)IzLfNCFZ6r;wHubqr6Ul4I1Jyw42>$(<>_Ee8@ffM)?01-U`2>yB z^{?fHLhi%2DwLlRgo0t?a;9T{Gg-5(dXNj(x*nl z+%4g}wwX6SVAFH87J_H1n5N3BGr#jJhg(TXum!yD&OEO1kMGjB$gNY8*@$|BF4+Ju z+<7E~?wHdc?}Py^Ovqmx-0=)3(vI~G?F!;V#LT`J9cP;M?|hu&5tv{CmR3G^=zjQ~ zO}by1!`MWR_vX`q%ZY;PA|YHy@A#62+{`W`?ko>$ST~nWWX31fgl6FD)B9HxU3&XW zk)sCA-d$E{@}6rN^)jL1m!_0@SCp%Ty#m;up?@EgriviiGs?zS78FqC)^N6GpXj)1 zhiGO)xV^O?iLO+Ekp|fJht>EYsoFYt>08I{L`nTKpG+oxbG_lqGtEVdHZ_!9D_bQ^ z2Km@e`o79%l`Y{Yf1*I-#z$W1m6BTH~vpZWf;1JJg!aip!ZXI zIv~}sR#+UbH&~r=$fZ5=kXPM3-Hf07=NDpK-X1+C6q|LhCq?}vJ75XwkNWW!2M*Q& zqF>s{59oBEFlaeLIuNSL+D8vBq z4!NR|dl(N;KY39@yzCB{SyvOPlGEwsxmJ}WqG^xE^C=h8$}^|e#A;QaQErS!i_j0z zTz>`MK~LwBj}YK}v6(^X%@^ps(_{(6xOLp^NyVJERIjB%J8Iv05WT#Eyn)Z|^@%c7 z=}-t=pVv>2cktEIiaV~ROnYNhBvtcn`F&s^x4 ziyOUOs`ZX``)ROL@(IWz9&to6t(<;@S~|VajutbRfy9$fZ`7=m3wNN!^l{+Q!tWWN ztABXE`qX?BcwN{TcW-GkPhRL@U1X6ZKj80BvTFz^NoCu1W*1ePbXw<`5zHSho>b(r zG0Rjb7WKg{ys5XeY49?Rurw~%hS}^>2&R#HZ4&Gsv?DSyyn64w>!%Qf( zFPeFa;-WX$KF?tK03=BGUEGk=Q>T{nOx4Rq!7t9a83>;@|7q@YUD0uc-{cmlo0-M_ zx#G~JS^ysd+pG@wlO)h}2X;yaF{T^~OQW;aepebBc>=f(&Qx 
zDN$Ad#0Mn6Jok$!Mu7skV3Z2X3`SHYW@bc5x%_wLUmR9%bCf0PUP~t2x=4p+e-FLv zTXtJIDo4?3oZEabJ9|9Euu)O9+9tq%A#~ofQ%$ynj#Rwk_cEsDIl3o2yw~|Bi!VKM z6%|MPE%Oveeg~0~omhb6*=^&vGc#a#v4);KM;5X}^vrU;WJ^uZLzd|zn6ntS?hdxv z$>hP}TFah)%!SDZ`UxuM-bnA1AP_6E1J(`L;7^T;O26yV)2nd5=Yk{L)6`<$U>fyv z^GVf>DGlM{8R3ol&VN|p*dJyun{`+fC@$1bX9>C`)sI$RJ)k2y2O(YTYYoNl;uWcy zJ8PCL5@&OUi^5MN`pynaj?Dek(`$IG^L_4JsLFKzu?E~9^CGIXwWyh~+>>rv(*{i- zEGsA7#8BUxb!^^ha1H*&mro2n* z-ERt%VPT#O&(-xeF4A&men?+hvq&@Ssi-VI(>XZ#1e@7VjdliZt#=eqG+<;p$?g{3 zH?3e_phBZ|xWi4GqK_rM2^k5{6EBv0clh~Dcc+i$&p75|ME2xqTh){h0OdO3K|enO zJIh22p(K__oh^NQc3q`jqMKf!&_}+CPLF2s8t{-;g`u}?Zk{f=lHTj`EUWU&s+)*> zNs!l1U9~hjedxw|xp0J28fjci@D^ue>DguLVy@r;)uBA!_^Bt2Yq^b8Xe4nS8wtLO zL{YGSqG}eCJavRsz=Y4C53+%Yz9!zlV^(Z~&p3pwKymIt;4Uc@-sHD%u=JNI_6J;t zJBOcNRw)-Yts5>v*+Lf++!Pfxx;j)))>2syEY`Wl0-eT8Y=;UI^t1y_6I`z4mCs23 zAg%NsV+=&qm!mPu)=0pmet4N$1U$->+xkf34%DBepAascY^_XCG|6iJO_lA~A5q^& zAHLK*OZsjyR5@X~`ZVlWu8fAj%`54A*Jp zAa%uxk%>O2!2Xv%1^tF!CTrHVvjw96cQ`N3bkrcB7PC6W5V!jSCDfQDR|M%%)qdAD z2!x=-hty=177`C9#h*>!*J#Q5{Zzh{Fr6oHi9&n<@i7|{Yiqtt6--JkB>gSGIl6dn zsAAyQdCuEuH@w8798)-DiVs%h$=dX~L^YVxti8jg-WR6WukKB5M<^~9AUcw)b*$f~ z6dMUGc_$e*H3Sqkhi>jFk6~#x1QUrL-vd_6jE$|ZJjJ0_i3bH$I;0<_S3IOj~_TopPK0!`oM0zrC)}VQf#ql zZfSI+sBg_gm~)bR`mzssn$R$AcyXlS2P2mNn11e)McE{DP2yrJ4@nC|dU4x$gO{Fr zr&-cVtFDt#-#(wWR~lU4fPgcUG*rjG3*Ksb`1X6Vp~5DoveW528ynNE?o)7B=*)t- zU!%Q@;3cvt+}lIz&GdX}jYs!3adzHEscXecqpLh^8@xj|WIUt`&!IapXPDgd&}p7C zPOZ}pT{W!mPChS{&W}n(!YOWpdG89gT)*77lKK*lmq)S=Fz4xkkT&JfL7F_P0<4QX z0B}A66^<5n~JkJ&xn zM$&OACIQ=V_(cJXYkjcayDp~ewcK5-5sW10*?OnHNTjDMd#SilscxZPKA>RZT75pj z3BI}O@P$>;e45=$KFdUZKns;zIs970`A8{>PYUUlEQ z#za$oeR%jUj(eqB#IKY#)i~<kV1EQ4->3^<6sj~ORgE-d%@6W-er|H z>!L;p;%s5M$6RmnQ$MiSi8J^^exHzG^^{1_;Knh7#|`+A(@Pm#Wi4AOJ%rRcoPiCiyU8{NCU;d@^i9#?bebgCW1F z-s@(wH20g&t%L93hK*8-bu1d@TZa>6)v#CJXbvV32N;`c4Iu{7MkTzhfA&f(({5u- z?E-KzSm)CB!LGw3Mo#nJByi5sUmW5)m>2A`{p>?X$12L&7QI$vC;KFwf_MlxPPBsV z^-7U^l8SJd10m-@0a4nL$cBW)v>_Z~uy(0&#Wk(23NXN$PSnv0&MFU!h8D<@;qqP~ 
zWOz*t)W?}-+BJqTBF;nNA&+1p$h!a$sl&WP7o_rcG^jrZu5m=kU|S}k4VK97xt~2! zTJ%$={2V=#G)230`t|S4{Fm$XNtfofZcLo&(s~Wvf9OP`Z&$bGJ*>xl2Gej z?xGxtzcC|2;fzDcB8I2d`-2^VzBCM`T4lSYUwk8f>(Hw;F|9PQSnr=#tS<*uo+bs$ z7?M}Jg#vshdOLpZ#sy4K4IM|UCUtHVLH1}RGR&@S^V(V?$A0*fm#(5r;C2c@evyS$ z3s)YiZJh~?0#ae`(L)7^Yy3s@t8WM)0If! zizruF4$r-F7rT5;jZbMYMhs1sBh9 zd$c#p;)g`xu?hpX=Jj;S1xu2zdYvxuBZ=PJ$N)!QJ)v;wV$j8nOI<}iHCr1Ea5o?E z^rE9;yyDiKfw-ceVOoZq-<`Vp{UbAdB6LUx&nJT!kl<27sh3tlCaR<% zcsuaDcFl3;DW}N2fKP7HVkgy4Ch4JU*u4@;^z#f6CJ(C=iJnC#0yvDA)gVfP{-X7s zC&{C2%;BDjS%jOPAG(TW6DOaMV#QP3UC<&V-St&kQ@_wD5_{I;WmN*yW?lnVFgcL8 z=1yunYZOqFRI0Zm`Z(b?Sx?S8;t{SXjRYN7T&5Kidy%eXgR!OLR=5}Zgh_C4;H5h= zi8mBhe_Xfb;4_>)0DIGXoXXP<6D0$+MODxQwj#Y^uJuXi*Y8Z@2L~NCA?=f# zqu*2S!b|Q}X)ejV)ss?gwux5=b1D-_Ubbcz?9Ciw69(Q1lg|?;-2N%Sjpw~Ef zo%@wL+@_x5S!sCA=kpCw@fMd`!f$(>)2}@LnAvm4WXkADdZWFfqNv%s#-iLR7{6gD z^}({%7m@$Q-g|~MwY~eI*ejyaQHe^EE=o~B;!*(t1Jb2NrGo+K0RmAJkS2?+v`DWZ z0tuZ&x`0S0QbRyMN+1CVffVmt``r8NefEEybN9Vp&U4PQzVU^b%#ktP@s?kiE6TT* z;8CwPkkxTWtJ}t7?qhQHrlB{1$)1|B;)Gx;(A!~|k^A2f1b!(BT1~(^y~xtO{co=^ zayRrUU2=VjX537yCUt$}Jihh}T}tXrIKcbL@`mEm<0UMM!S!+qI>S6f#Iw2@BC~`G zG@-!Ezpc>6zO9zlI#r}Q4oU+0pGiTGdAzn9)5anX%_409^^LE7$SCV#xNI>bpwz| zeEfdMd%+O13-hPzt*lR=zwKY;90w@d2dAnT??@+{*=5Q~#gfI!%Zg(?G;DrD7l0OS z2R}34`+9R84M&9o^(vGhIU3J8GX~npx+TB#Qk?M8&DoSGtSbjexNHw6 zs>e@FeM1bq2q4-4n9pM#uA$5{56JBzPiGn_V-2Z7Z1XwUjC9qL<}5O|+`B89fQ7CP zC2o$dP%xz8<;%y!Ui7rd^mrfL#`Ga0@Q2uWxcC@kRpeR*?cO}89ePB^hp9Z%H=iZd zCMuEMI=8q;T9ZlWSK*ExM0^KQVGd9dH!ost?6;ax`G0KqV6*tslMcEte2l;j+TGQtc!IzhIW1C zGFrl4-DH~VIWZj5U;(r0uI=$PHOK~m1kf64GWb*Y8APG2vi)(u8aWlpo7;jCHz-reT4Xrd@}pG)ZCl;M7}MUXoi_%d(k}58sQG zcxzoRSNe%<-y}kxl}jtHrKuQ(m#F6T;DFecEDS@mZ-Jc3bt!%XkHAPe;8w!_;dAi zOR9)}_rS$72k-Kv)n2N`jz~X~87Nb*G#vWtUF%XiQ2@CoO~hIx0cmP~T)WkUWF>>bA|nTC$tLWM|5&`S>%OQ34lU1#y9anRj7H(SqkL(6jt< z8U6DvV@0FB<7ej=L-ya`u1UU}sQjI#cR|zC@!3~1vh+y%oPel)sz+vN{%@{Sr6t$3 zVXsk_;f;}U8*+G#O!t~Ok*nOH&)`Sq0w@P&K@6!KiW1Xp z87$lsI0wA|x9-AUA7X({Vdfeq(cnA7b0bYzgWs`*GxqxhKUld;bymKC6d%vldK=yI 
zscu|axoB{(KGk%s`h_T|?m7sW*I7iLaH&6FtZ_S?M&EWg*BaMzeJ+m2l z|B$#m>F(>mcVaw7fXPZyYX2NPc@8%-<~^h*|8pp4GP=M;BgI}C?P#2AAF}K4qri_u z9&dEZ%EIhPP@U)M8Qo<4cz#eswmh|Hd^@8L%v9?Px>4Dfwzj1Vb$PH;^CZoKK?2{p zR&&@3nvNG@;F$M;sfRihe8+IYvujU_6b*h35W|rcL}j3;c}PrLHtH=2$I2`D!BfP{ z?)y2!mYybDtgty)@GkFVtYGuoHiKpoTis)4jkM$GfQ4k(2fpyDtT3F;vEzH**e7e< z+(aoGEhqsTFVjH$nzus-kyTQ!2+u*Uvk$UAHo2Ao2?8LTGTTAzkI{Hqrd#e7DpWZ( z1gib2AT=!>wO<_@+`UOXSE1|sqwHz1Sy8jq(8r{q;W$h{Ra`n^@)vF`t0$w#$_Uja zVmGlusgn{Pir&dgiZRDEkWwk3dBmmo)(g-F3@DI?=rF)k#o1cQ()>o$4F3p6*u5c} zkPnOsOjZZj`8v;^G$h_>znS85xpN^^LmQgi3s=hDZ@|(#i zW^{cHvgqKa`q$3IT*-+u9e1;}7ubA&5f9GOIeQr!(;4V!ceQk0{%lNA(zv_3D#l|c zP3}3Wx!_%~kx%X-EP{G|4b#f^!?oo7j=uISI{)ko1lG27ic_SYSX2Tj0X!SqmIKdZK5)@5YGcQL?^i9BwvUQirbb2T+*U zA&B1B#msp&YWuw#yR?w#%%k2gcB?!2t-TIbr^6bil zRx``f&+&XqtfKOrjW`=IiX0a#E_RlM{c1z#!`xfPfub$+jbqex+!)kb#h^|^@)YzSl-FBGx6zTv4xrDgo9%0h>aT%Zs4p6Jye!p!Dlw^6M{-OJVij4_X6fCPb8rx0zF3>H=*+l{qmeh1eyteupj5j z&(u)0FpyBMWI<`mc?+c(ErdqDD!jc@BEhjIRXUSqm)F|MG#BDqU(hr29K14YCcm=L zyYgYNT!$q!(xI!IW30Tk<6#y8U{_(VUBlr$)&|3j2JV8M1lnjK9!X3cmJbaYlhy@z z*r*h1ins%TtFG4W0`u0r7bSTsnip&dj_xi4>-A=7J3kv2pcxug1mi?iA83TqC|7p~oQyK4M6Q&ZA=Cd(0G zy=!~Lv~g=O$->;cCT*nrxt$1J;LHSCx^MT!=nLIIYg>s@$)tMe2PZZ5# z+BXid9tl<=c`)TrND1O8%|RsJTvTYpS6+6rEwdFyohNt06_eNE0B{ye|#${gp9%$$Nb@9&1(zm~6 z3N77s*MYsj6Bc@&7D)l5pOt~1Cy;3fpJCnu@v!`p;6rVlg*%o_ubgYHS#z5#rsxsY zAC}H|ms_hv_C~kN;MIin;lnw4`9W4DrSq~IelUKlN57VTo&Y=I+=<(ntEO)nrnS=( zYsLabXC@?Z{)WGd2@*KW1d3k5@MB)rr``*ny88!thg8GqjDG1XQ`n(v!cJ%7kfp)$q16UvVj*%LCldV$&Az+F%{zm36Q*y9 zHFR*p-x~sIYR%3ji!@`aZN8Z=O!_CWT`^x#Z$W2~Fwb#kx(Tgx6@~3gfRVGT=P(gi zcd)=R>Fffnu!Op$L-36^NnbT?s;>2)Y>)~s)OJZ-+CUVK8d}^{Vw4#?(#4j~3(D5| z*IU_9Fsi?P;KTIwhSJ*fL1v?H?$^h>0y1%1#!N47)X1{q+2 z?TZ&(*oxL;bU*y;Q6>y2?%oNum@B$+q) zyD;>6YU<+V=owAt6npp9sga*sEj5XYOR;7f1-PJ@nV{>x!tj^bZ}F;}p_$tZ-FZ-4 zxv@lgE7h_q4+Jb?BTPPBDJ~alw0xg-<4!he zRN{Qk4QX`)-{}YRs=`ubrlv(fMRuCI^^1FFMBX2NUnkp{S?@SAGdyk^pa-#a*{O21 z<)8;`ithYJ&4>TxN)P|NOC$d#cgj30T=Oh|dk z6Ap~e*=f#eDzzH5IlmvDv)8IUVmy=_m}oHUp8c(7xw~-4zdTw=~@B 
From 342f3812a1e1534568fefdafcc3965447c900312 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Fri, 13 Dec 2024 13:39:47 -0500 Subject: [PATCH 097/237] Update compliance-policy-create-ios.md Clarified numeric password setting --- .../protect/compliance-policy-create-ios.md | 32 +++++++++++-------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/memdocs/intune/protect/compliance-policy-create-ios.md b/memdocs/intune/protect/compliance-policy-create-ios.md index 2ef3da3e5c0..7ce469f9030 100644
--- a/memdocs/intune/protect/compliance-policy-create-ios.md +++ b/memdocs/intune/protect/compliance-policy-create-ios.md @@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 05/15/2024 +ms.date: 12/13/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect @@ -140,7 +140,7 @@ For details about email profiles, see [configure access to organization email us *Supported for iOS 8.0 and later* - **Not configured** (*default*) - Users can create simple passwords like **1234** or **1111**. - - **Block** - Users can't create simple passwords, such as **1234** or **1111**. + - **Block** - Users can't create simple passwords, such as **1234** or **1111**. - **Minimum password length** *Supported for iOS 8.0 and later* 
@@ -150,30 +150,34 @@ For details about email profiles, see [configure access to organization email us - **Required password type** *Supported for iOS 8.0 and later* - Choose if a password should have only **Numeric** characters, or if there should be a mix of numbers and other characters (**Alphanumeric**). + Choose the password type required on the device. When set to **Not configured**, which is the default choice, Intune doesn't change or update this setting. Your options: + + - **Not configured**: Password is determined by the device's default settings. Their OS might allow simple passwords, like *0000* and *1234*. + - **Alphanumeric**: Password must contain a mix of uppercase letters, lowercase letters, and numeric characters. + - **Numeric**: Passwords at minimum must be a set of numeric characters, such as *123456789*, and can also contain alphabetic characters, such as *abcdef*. - **Number of non-alphanumeric characters in password** - Enter the minimum number of special characters, such as `&`, `#`, `%`, `!`, and so on, that must be in the password. + Enter the minimum number of special characters, such as `&`, `#`, `%`, `!`, and so on, that must be in the password. Setting a higher number requires the user to create a password that is more complex. - **Maximum minutes after screen lock before password is required** *Supported for iOS 8.0 and later* - Specify how soon after the screen is locked before a user must enter a password to access the device. Options include the default of *Not configured*, *Immediately*, and from *1 Minute* to *4 hours*. + Select how much time can pass after the screen locks before the user must enter a password to access the device again. Options include the default of **Not configured**, **Immediately**, and from **1 minute** to **4 hours**. - **Maximum minutes of inactivity until screen locks** - Enter the idle time before the device locks its screen. 
Options include the default of *Not configured*, *Immediately*, and from *1 Minute* to *15 Minutes*. + Enter the amount of idle time allowed before the device locks its screen. Options include the default of **Not configured**, **Immediately**, and from **1 minute** to **15 minutes**. - **Password expiration (days)** *Supported for iOS 8.0 and later* - Select the number of days before the password expires, and they must create a new one. + Enter how long, in days, a password is valid before the user must create a new one. - **Number of previous passwords to prevent reuse** *Supported for iOS 8.0 and later* - Enter the number of previously used passwords that can't be used. + Enter the number of previously used passwords that can't be used. For example, if you enter 5, users can't reuse their 5 most recent passwords. ### Device Security 
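Review bot: The added **Alphanumeric** bullet in this hunk changes what the setting is documented to require. The removed sentence described it as "a mix of numbers and other characters", while the new bullet says the password "must contain a mix of uppercase letters, lowercase letters, and numeric characters", which is a stricter and more specific rule. Admins size their password policy from this text, so please confirm the new wording against what the device enforces, or keep the original "numbers and other characters" phrasing. Two smaller points in the same hunk: in the **Not configured** bullet, "Their OS" has no antecedent (say "The device's OS"), and the hunk mixes "Select" and "Enter" for the two timeout settings that both offer a fixed list of options.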
@@ -181,20 +185,20 @@ For details about email profiles, see [configure access to organization email us You can restrict apps by adding their bundle IDs to the policy. If a device has the app installed, the device is marked as noncompliant. - **App name** - Enter a user-friendly name to help you identify the bundle ID. - - **App Bundle ID** - Enter the unique bundle identifier assigned by the app provider. + - **App bundle ID** - Enter the unique bundle identifier assigned by the app provider. To get the app bundle ID: - - Apple's web site has a list of [built-in Apple apps](https://support.apple.com/HT211833). - - For apps added to Intune, [you can use the Intune admin center](../apps/get-app-bundle-id-intune-admin-center.md). - - For some examples, go to [Bundle IDs for built-in iOS/iPadOS apps](../configuration/bundle-ids-built-in-ios-apps.md). + - The Apple website has a list of [built-in Apple apps](https://support.apple.com/HT211833). + - For apps added to Intune, [you can use the Intune admin center](../apps/get-app-bundle-id-intune-admin-center.md). + - For examples, see [Bundle IDs for built-in iOS/iPadOS apps](../configuration/bundle-ids-built-in-ios-apps.md). > [!NOTE] > - > The *Restricted apps* setting applies to un-managed applications that are installed outside of management context. + > The *Restricted apps* setting applies to un-managed apps that are installed outside of management context. ## Next steps - [Add actions for noncompliant devices](actions-for-noncompliance.md).and [use scope tags to filter policies](../fundamentals/scope-tags.md). - [Monitor your compliance policies](compliance-policy-monitor.md). -- See the [compliance policy settings for macOS](compliance-policy-create-mac-os.md) devices. \ No newline at end of file +- See the [compliance policy settings for macOS](compliance-policy-create-mac-os.md) devices. From 59535d966cf1200eb2e57866a530476a94ba3b2d Mon Sep 17 00:00:00 2001 
From: brenduns Date: Fri, 13 Dec 2024 10:41:06 -0800 Subject: [PATCH 098/237] formatting fix --- memdocs/intune/protect/advanced-threat-protection-configure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/protect/advanced-threat-protection-configure.md b/memdocs/intune/protect/advanced-threat-protection-configure.md index 5489ccf3899..a7fb5fd045c 100644 --- a/memdocs/intune/protect/advanced-threat-protection-configure.md +++ b/memdocs/intune/protect/advanced-threat-protection-configure.md @@ -145,7 +145,7 @@ With this path, you provide a name for the onboarding policy and select both the :::image type="content" source="./media/advanced-threat-protection-configure/select-preconfigured-policy.jpg" alt-text="Screen shot that displays the path to the preconfigured policy option."::: -3. For Platform, select **Windows** for devices managed directly by Intune, or **Windows (ConfigMgr) ** for devices managed through the Tenant Attach scenario. For Profile select **Endpoint detection and response**. +3. For Platform, select **Windows** for devices managed directly by Intune, or **Windows (ConfigMgr)** for devices managed through the Tenant Attach scenario. For Profile select **Endpoint detection and response**. 4. Specify a Name for the policy. From bf2546a84694e626ccb1965fc6eb36cd54d1bebe Mon Sep 17 00:00:00 2001 From: brenduns Date: Fri, 13 Dec 2024 10:44:12 -0800 Subject: [PATCH 099/237] Comment out file download until it is fixed --- memdocs/intune/protect/advanced-threat-protection-configure.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/memdocs/intune/protect/advanced-threat-protection-configure.md b/memdocs/intune/protect/advanced-threat-protection-configure.md index a7fb5fd045c..f0f3677e79a 100644 --- a/memdocs/intune/protect/advanced-threat-protection-configure.md +++ b/memdocs/intune/protect/advanced-threat-protection-configure.md 
@@ -236,6 +236,8 @@ For devices that run iOS/iPadOS (in Supervised Mode), there's specialized abilit 8. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles. + ### View the count of devices that are onboarded to Microsoft Defender for Endpoint You can view a report on device onboarding status from within the Intune admin center by going to **Endpoint security** > **Endpoint detection and response** > and selecting the **EDR Onboarding Status** tab. From dcd351535f14db26e82c2e8073d75f1b05ee82db Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Fri, 13 Dec 2024 13:47:32 -0500 Subject: [PATCH 100/237] Update compliance-policy-create-ios.md Clarified line 157 --- memdocs/intune/protect/compliance-policy-create-ios.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/protect/compliance-policy-create-ios.md b/memdocs/intune/protect/compliance-policy-create-ios.md index 7ce469f9030..6cc4b0ef963 100644 --- a/memdocs/intune/protect/compliance-policy-create-ios.md +++ b/memdocs/intune/protect/compliance-policy-create-ios.md @@ -154,7 +154,7 @@ For details about email profiles, see [configure access to organization email us - **Not configured**: Password is determined by the device's default settings. Their OS might allow simple passwords, like *0000* and *1234*. - **Alphanumeric**: Password must contain a mix of uppercase letters, lowercase letters, and numeric characters. - - **Numeric**: Passwords at minimum must be a set of numeric characters, such as *123456789*, and can also contain alphabetic characters, such as *abcdef*. + - **Numeric**: Passwords at minimum must be a set of numeric characters, such as *123456789*. Alphabetic passwords and alphanumeric passwords are also supported. - **Number of non-alphanumeric characters in password** Enter the minimum number of special characters, such as `&`, `#`, `%`, `!`, and so on, that must be in the password. 
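Review bot: In the reworded **Numeric** bullet, the two sentences contradict each other: "at minimum must be a set of numeric characters" says digits are required, while "Alphabetic passwords and alphanumeric passwords are also supported" says a password with no digits is accepted. If the intent is that Numeric is the least strict option and stronger password types also satisfy it, say that directly, for example "A numeric password, such as *123456789*, is the minimum accepted; alphabetic and alphanumeric passwords also meet this requirement." As written, an admin can't tell whether choosing Numeric rejects a letters-only password.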
From 450e11fcb56f6e797058090aad2dea4d7aab5722 Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Fri, 13 Dec 2024 11:06:21 -0800 Subject: [PATCH 101/237] delete items --- windows-365/business/in-development.md | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/windows-365/business/in-development.md b/windows-365/business/in-development.md index 3bf6c28e3be..6e2b6a3b77c 100644 --- a/windows-365/business/in-development.md +++ b/windows-365/business/in-development.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 09/25/2024 +ms.date: 12/13/2024 ms.topic: conceptual ms.service: windows-365 @@ -51,11 +51,7 @@ To help in your readiness and planning, this page lists Windows 365 Business upd --> -## Device management - -### Upgrade Cloud PCs to more storage, RAM, and CPU - -By using the upcoming Resize action, you'll be able to upgrade Cloud PCs to more storage, RAM, and CPU. + ## Monitor and troubleshoot @@ -65,11 +61,7 @@ By using the upcoming Resize action, you'll be able to upgrade Cloud PCs to more End users will be able to manually run connectivity checks on their Cloud PCs from [windows365.microsoft.com](https://windows365.microsoft.com). -## Security - -### Single sign-on (public preview) - -Windows 365 Business will support single sign-on for new and existing Cloud PCs. You'll be able to turn on single sign-on in **Organizational settings**. When turned on, users no longer have to sign in to the operating system. + ## Next steps From 78b428f30566db2f1c84327afbe31c7e4c993304 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Fri, 13 Dec 2024 14:12:31 -0500 Subject: [PATCH 102/237] Update compliance-policy-create-ios.md Typos --- memdocs/intune/protect/compliance-policy-create-ios.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/memdocs/intune/protect/compliance-policy-create-ios.md b/memdocs/intune/protect/compliance-policy-create-ios.md index 6cc4b0ef963..dbac286ed8f 100644 --- a/memdocs/intune/protect/compliance-policy-create-ios.md +++ b/memdocs/intune/protect/compliance-policy-create-ios.md @@ -152,9 +152,9 @@ For details about email profiles, see [configure access to organization email us Choose the password type required on the device. When set to **Not configured**, which is the default choice, Intune doesn't change or update this setting. Your options: - - **Not configured**: Password is determined by the device's default settings. Their OS might allow simple passwords, like *0000* and *1234*. - - **Alphanumeric**: Password must contain a mix of uppercase letters, lowercase letters, and numeric characters. - - **Numeric**: Passwords at minimum must be a set of numeric characters, such as *123456789*. Alphabetic passwords and alphanumeric passwords are also supported. + - **Not configured**: The password is determined by the device's default settings. A user's OS might allow simple passwords, like *0000* and *1234*. + - **Alphanumeric**: The password must contain a mix of uppercase letters, lowercase letters, and numeric characters. + - **Numeric**: The password at minimum must be a set of numeric characters, such as *123456789*. Alphabetic passwords and alphanumeric passwords are also supported. - **Number of non-alphanumeric characters in password** Enter the minimum number of special characters, such as `&`, `#`, `%`, `!`, and so on, that must be in the password. 
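Review bot: The **Not configured** bullet now reads "A user's OS might allow simple passwords, like *0000* and *1234*", but it doesn't tell the admin what that means for compliance or how to close the gap. Earlier in this file the simple-passwords setting has a **Block** option ("Users can't create simple passwords, such as **1234** or **1111**"), so a short pointer to it here would help, since **Not configured** is the default for both settings. Also, the commit subject is "Typos" while the hunk rewords three bullets; a subject such as "Reword password type options" would make the history easier to search.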
@@ -164,10 +164,10 @@ For details about email profiles, see [configure access to organization email us - **Maximum minutes after screen lock before password is required** *Supported for iOS 8.0 and later* - Select how much time can pass after the screen locks before the user must enter a password to access the device again. Options include the default of **Not configured**, **Immediately**, and from **1 minute** to **4 hours**. + Select how much time is allowed to pass after the screen locks before users have to enter a password to access their device. Options include the default of **Not configured**, **Immediately**, and from **1 minute** to **4 hours**. - **Maximum minutes of inactivity until screen locks** - Enter the amount of idle time allowed before the device locks its screen. Options include the default of **Not configured**, **Immediately**, and from **1 minute** to **15 minutes**. + Select the amount of idle time allowed before the device locks its screen. Options include the default of **Not configured**, **Immediately**, and from **1 minute** to **15 minutes**. - **Password expiration (days)** *Supported for iOS 8.0 and later* From 025d9e2c5bd2ab0e0b2f77744eb7f27fff0229c1 Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Fri, 13 Dec 2024 12:12:34 -0800 Subject: [PATCH 103/237] shannon changes --- ...conditional-access-policies-synchronize.md | 56 ++++++++++++++++--- 1 file changed, 48 insertions(+), 8 deletions(-) diff --git a/windows-365/link/conditional-access-policies-synchronize.md b/windows-365/link/conditional-access-policies-synchronize.md index 08e206a22fc..378827f5bb4 100644 --- a/windows-365/link/conditional-access-policies-synchronize.md +++ b/windows-365/link/conditional-access-policies-synchronize.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 11/19/2024 +ms.date: 12/13/2024 ms.topic: overview ms.service: windows-365-link ms.subservice: 
@@ -31,24 +31,64 @@ ms.collection: # Conditional Access policies for Windows 365 Link -As part of [setting up your organization's environment to support Windows 365 Link](deployment-overview.md), you must make sure that your organization's sign-in and connection (if any) Conditional Access policies are synchronized. If Conditional Access is used to protect the resources used to access Windows 365 Cloud PCs, a matching policy must also be used to protect the user action to register or join devices. +As part of [setting up your organization's environment to support Windows 365 Link](deployment-overview.md), you must make sure that your Conditional Access policies accommodate both the login through and connection from Windows Cloud PC devices. If Conditional Access is used to protect the resources used to access Windows 365 Cloud PCs as described in [Set conditional access policies for Windows 365](/windows-365/enterprise/set-conditional-access-policies), a separate but matching Conditional Access policy must also be used to protect the user action to register or join devices. ## Authentication process for Windows 365 Link devices 1. When the user signs in on the Windows 365 Link interactive **Sign in** screen, their account is authenticated against the device registration service. 2. Windows 365 Link silently authenticates against the other required cloud resources (like Microsoft Graph and the Windows 365 service by using single sign-on (SSO)). -## Create Conditional Access policies to synchronize sign in and connection authentication +Windows 365 Cloud PC devices have two distinct stages of authentication: -If Conditional Access policies enforcing multifactor authentication (MFA) are used to protect the resources used to access Windows 365 Cloud PCs, you must create a Conditional Access policy enforcing MFA on the user action to register or join devices. 
This second policy must make sure the user's authentication token has the right MFA claims after the initial sign in to Windows 365 Link. +- Interactive sign-in: When the user signs in on the Windows 365 Link sign in screen, the device registration service is used to get an authentication token. +- Non-interactive connections: The token obtained from the user sign in is then used to perform non-interactive sign-ins when connecting to other cloud app resources like Windows 365 services. -Also review any existing Conditional Access policies that apply to **All resources**. These policies trigger when connecting but not at sign in. Use the [What If tool](/entra/identity/conditional-access/what-if-tool) to help determine what Conditional Access policies are applied. +Sign-ins from Windows 365 Link devices don't trigger any Conditional Access policies that are targeted to *All resources (formerly cloud apps)* or directly to the *Device Registration Service* resource. Also, the non-interactive connection can't prompt a user to satisfy those requirements. -For more information about creating Conditional Access policies for user actions to register or join devices, see [Create a Conditional Access policy](/entra/identity/conditional-access/policy-all-users-device-registration#create-a-conditional-access-policy). +If a Conditional Access policy is assigned to any of the Windows 365 resources, then another policy with the same Access control settings must also be applied to the User Actions to Register or join devices. This policy can trigger an interactive sign-in and obtain the claims that are necessary for the connection. -For more information about creating Conditional Access policies for resources used for Windows 365, see [Set Conditional Access policies](../enterprise/set-conditional-access-policies.md). +Without a matching set of policies, the connection is interrupted, and users can't connect to their Cloud PC. 
+ +These activities can be seen in the Entra Conditional Access sign-in logs: + +1. Sign in to the [Microsoft Entra admin center](https://aad.portal.azure.com/) > **Protection** > **Conditional Access** > **Sign-in logs**. +2. On the **User sign-ins (interactive)** tab, use filters to find events from the sign in screen. +3. On the **User sign-ins (non-interactive)** tab, use filters to find events from the connections. + +## Create a Conditional Access policy for interactive sign in + +1. Sign in to the [Microsoft Entra admin center](https://aad.portal.azure.com/) > **Protection** > **Conditional Access** > **Policies** > **What if**. +2. For **User or Workload identity** select a user to test with. +3. For Cloud apps, actions, or authentication context, select **Any cloud app**. +4. For **Select target type** leave **Cloud app** selected. +5. Select **Select apps** then select the following resources, if they're available: + - **Windows 365** (app ID 0af06dc6-e4b5-4f28-818e-e78e62d137a5). + - **Azure Virtual Desktop** (app ID 9cdead84-a844-4324-93f2-b2e6bb768d07). + - **Microsoft Remote Desktop** (app ID a4a365df-50f1-4397-bc59-1a1564b8bb9c). + - **Windows Cloud Login** (app ID 270efc09-cd0d-444b-a71f-39af4910ec45). +6. Select **What If**. + +Review each of the **Policies that will apply** and determine the access controls used to grant access to those resources and session settings. -For more information about Conditional Access and user actions, see [User actions](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#user-actions). +You can now create a new Conditional Access policy to [Require MFA for device registration](/entra/identity/conditional-access/policy-all-users-device-registration#create-a-conditional-access-policy) using the same Access controls. + +1. Sign in to the [Microsoft Entra admin center](https://aad.portal.azure.com/) > **Protection** > **Conditional Access** > **Polices** > **New policy** +2. Give your policy a name. 
Consider using a meaningful standard for policy names. +3. Under **Assignments** > **Users**, select **0 users and groups selected**. +4. Under **Include**, select **All users** or select a group of users who will sign-in through Windows 365 Link devices. +5. Under **Exclude**, select **Users and groups** > select your organization's emergency access or break-glass accounts. +6. Under **Target resources** > **User actions**, select **Register or join devices**. +7. Under **Access controls** > **Grant**, use the same controls found earlier using the What If tool. +8. Under **Access controls** > **Session**, use the same controls found earlier using the What If tool. +9. Confirm your settings and set **Enable policy** to **Report-only**. +10. Select **Create**. +11. After confirming the settings using report-only mode, change the **Enable policy** toggle from **Report-only** to **On**. + +For more information about creating Conditional Access policies for device registration, including potential conflicts, see [Require multifactor authentication for device registration](/entra/identity/conditional-access/policy-all-users-device-registration#create-a-conditional-access-policy). + +For more information about user actions with Conditional Access, see [User actions](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#user-actions). + +For more information about creating Conditional Access policies for resources used for Windows 365, see [Set Conditional Access policies](../enterprise/set-conditional-access-policies.md). ## Next steps From 4b12e3253fcbfe9af257bc15acdfbaa4ef80efdc Mon Sep 17 00:00:00 2001 From: brenduns Date: Fri, 13 Dec 2024 12:15:33 -0800 Subject: [PATCH 104/237] Titles --- .../intune/protect/advanced-threat-protection-configure.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
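Review bot: in the `@@ -31,24 +31,64 @@` hunk of the Conditional Access policies for Windows 365 Link article, step 1 of the second added procedure misspells the portal path as `**Polices**`; it should read `**Policies**`, as in the What If procedure just above it. The added text also changes the device name: the intro says "Windows Cloud PC devices" and the new paragraph says "Windows 365 Cloud PC devices have two distinct stages of authentication", while the heading and the surrounding lines are about Windows 365 Link devices. Name the Link device consistently so a reader does not scope the Register or join devices policy to the wrong thing. In the What If steps, step 3 ("select **Any cloud app**") and step 5 ("Select **Select apps** then select the following resources") read as two conflicting selections; say which one the tester should end on.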
diff --git a/memdocs/intune/protect/advanced-threat-protection-configure.md b/memdocs/intune/protect/advanced-threat-protection-configure.md index f0f3677e79a..b2a888bacf0 100644 --- a/memdocs/intune/protect/advanced-threat-protection-configure.md +++ b/memdocs/intune/protect/advanced-threat-protection-configure.md @@ -1,7 +1,7 @@ --- # required metadata -title: Configure integration of Microsoft Defender for Endpoint in Microsoft Intune +title: Onboard and Configure Devices with Microsoft Defender for Endpoint via Microsoft Intune description: Integrate Microsoft Defender for Endpoint with Microsoft Intune, including connecting the products, onboarding devices, and assigning policies for compliance and risk level assessment. keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls, microsoft defender for endpoint, mde author: brenduns @@ -31,7 +31,7 @@ ms.collection: - sub-secure-endpoints --- -# Connect and configure Microsoft Defender for Endpoint for use with Intune +# Integrate Microsoft Defender for Endpoint with Intune and Onboard Devices Use the information and procedures in this article to connect Microsoft Defender for Endpoint with Intune and to then onboard and configure devices for Defender for Endpoint. Information in this article includes the following general steps: From 1402bb8f0d209f00e12dca83acccf9fe0e88d11b Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Fri, 13 Dec 2024 13:18:23 -0800 Subject: [PATCH 105/237] Update apple-settings-catalog-configurations.md --- .../apple-settings-catalog-configurations.md | 30 ++++++++++++------- 1 file changed, 19 insertions(+), 11 deletions(-) 
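Review bot: in advanced-threat-protection-configure.md the new `title:` and the new H1 describe the article in a different order and both switch to title case ("Onboard and Configure Devices with ..." against "Integrate ... with Intune and Onboard Devices"), while the strings they replace and the unchanged `description:` line use sentence case. Suggest one wording for both, in sentence case, following the order of the unchanged intro sentence: connect the products, then onboard and configure devices.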
diff --git a/memdocs/intune/configuration/apple-settings-catalog-configurations.md b/memdocs/intune/configuration/apple-settings-catalog-configurations.md index 2e9c5229a61..b45122d526b 100644 --- a/memdocs/intune/configuration/apple-settings-catalog-configurations.md +++ b/memdocs/intune/configuration/apple-settings-catalog-configurations.md @@ -78,6 +78,7 @@ Some settings are available in device configuration templates and in the setting ## Apple declarative configurations This section is specific to the configurations that are under the Declarative Device Management (DDM) category in the settings catalog. You can learn more about DDM at [Intro to declarative device management and Apple devices](https://support.apple.com/guide/deployment/depb1bab77f8/1/web/1.0) on Apple's website. + ### Disk Management Use Disk Management setting to install disk management settings on devices. This configuration is located in the **Declarative Device Management (DDM)** category of the settings catalog. You can learn more about Disk Management using the following documentation: @@ -86,7 +87,7 @@ Use Disk Management setting to install disk management settings on devices. This | -------- | -------- | -------- | -------- | |[Storage management declarative configuration](https://support.apple.com/en-tm/guide/deployment/dep2b9f009ed/web)|[Disk Management Settings](https://developer.apple.com/documentation/devicemanagement/diskmanagementsettings)|[Disk Management Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/diskmanagement.settings.yaml)|| -Known issues +**Known issues** - None 
@@ -98,7 +99,7 @@ Use Math Settings to configure the Math and Calculator apps on devices. This con | -------- | -------- | -------- | -------- | |[Math and Calculator app declarative configuration](https://support.apple.com/en-tm/guide/deployment/dep7881be3bb/web)|[Math Settings](https://developer.apple.com/documentation/devicemanagement/mathsettings)|[Math Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/math.settings.yaml)|| -Known issues +**Known issues** - None @@ -109,7 +110,8 @@ Use the passcode configuration to require that devices have a password or passco | ------- | ------- | ------- | ------- | |

  • [Passcodes and passwords](https://support.apple.com/guide/security/sec20230a10d/web)
  • [Passcode declarative configuration](https://support.apple.com/guide/deployment/depf72b010a8/1/web/1.0)
| [Passcode](https://developer.apple.com/documentation/devicemanagement/passcode)| [Passcode](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/passcode.settings.yaml)|| -#### Known issues +**Known issues** + - None ### Safari Extension Settings @@ -120,7 +122,7 @@ Use the Safari extensions settings to manage extensions in the Safari browser. T | -------- | -------- | -------- | -------- | |[Safari extensions management declarative configuration](https://support.apple.com/en-tm/guide/deployment/depff7fad9d8/web)|[Safari Extension Settings](https://developer.apple.com/documentation/devicemanagement/safariextensionsettings)|[Safari Extension Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/safari.extensions.settings.yaml)|| -Known issues +**Known issues** - None @@ -131,7 +133,8 @@ Use the Software Update configuration to enforce an update to install at a speci | ------- | ------- | ------- | ------- | |
  • [Software Update declarative configuration](https://support.apple.com/guide/deployment/depca14ecd4d/1/web/1.0)
  • [Installing and enforcing software updates](https://support.apple.com/guide/deployment/depd30715cbb/web)
| [Software Update Enforcement Specific](https://developer.apple.com/documentation/devicemanagement/softwareupdateenforcementspecific)| [Software Update Enforcement Specific](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/softwareupdate.enforcement.specific.yaml)| [Use the settings catalog to configure managed software updates](../protect/managed-software-updates-ios-macos.md) | -#### Known issues +**Known issues** + - None ### Software Update Settings @@ -142,7 +145,7 @@ Use the Software Update Settings configuration to defer OS updates and control h | -------- | -------- | -------- | -------- | |[Software Update Settings declarative configuration](https://support.apple.com/en-tm/guide/deployment/dep0578d8b8a/web)|[Software Update Settings](https://developer.apple.com/documentation/devicemanagement/softwareupdatesettings)|[Software Update Settings](https://github.com/apple/device-management/blob/release/declarative/declarations/configurations/softwareupdate.settings.yaml)|[Use the settings catalog to configure managed software updates](../protect/managed-software-updates-ios-macos.md)| -Known issues +**Known issues** - None @@ -158,7 +161,8 @@ Use FileVault configurations to manage disk encryption on macOS devices. These c | ------- | ------- | ------- | ------- | |
  • [Introduction to FileVault](https://support.apple.com/guide/deployment/dep82064ec40/web)
  • [FileVault payload for Apple devices](https://support.apple.com/guide/deployment/dep32bf53500/web)|
    • [FDEFileVault](https://developer.apple.com/documentation/devicemanagement/fdefilevault)
    • [FDEFileVaultOptions](https://developer.apple.com/documentation/devicemanagement/fdefilevaultoptions)
    • [FDERecoveryKeyEscrow](https://developer.apple.com/documentation/devicemanagement/fderecoverykeyescrow)
    |
    • [FileVault](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.MCX.FileVault2.yaml)
    • [FileVault Options](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.MCX(FileVault2).yaml)
    • [FileVault Recovery Key Escrow](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.security.FDERecoveryKeyEscrow.yaml)
    | [Encrypt macOS devices (Microsoft Learn)](../protect/encrypt-devices-filevault.md)| -#### Known issues +**Known issues** + - [FileVault failing to enable on macOS devices during Setup Assistant](https://techcommunity.microsoft.com/t5/intune-customer-success/known-issue-filevault-failing-to-enable-on-macos-devices-during/ba-p/4180523) #### Intune device configuration template to settings catalog mapping @@ -180,7 +184,8 @@ Use the Firewall configuration to manage the native macOS application firewall. | -------- | ------- | ------- | |
    • [Firewall security in macOS](https://support.apple.com/guide/security/seca0e83763f/web)
    • [Firewall payload](https://support.apple.com/guide/deployment/dep8d306275f/web)
    | [Firewall](https://developer.apple.com/documentation/devicemanagement/firewall) | [Firewall (YAML)](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.security.firewall.yaml) | -#### Known issues +**Known issues** + - [macOS devices using stealth mode turn noncompliant after upgrading to macOS 15](https://techcommunity.microsoft.com/t5/intune-customer-success/known-issue-macos-devices-using-stealth-mode-turn-non-compliant/ba-p/4250583) #### Intune device configuration template to settings catalog mapping @@ -192,6 +197,7 @@ Use the Firewall configuration to manage the native macOS application firewall. | Apps allowed | Networking > Firewall | Applications (Allowed = True) | | Apps blocked | Networking > Firewall | Applications (Allowed = False) | | Enable stealth mode | Networking > Firewall | Enable Stealth Mode | + ### Font > [!NOTE] @@ -203,7 +209,7 @@ Use the Font payload to configure fonts on devices. This configuration is locate | -------- | -------- | -------- | -------- | |[Fonts MDM payload settings](https://support.apple.com/en-tm/guide/deployment/depeba084b8/web)|[Font](https://developer.apple.com/documentation/devicemanagement/font)|[Font](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.font.yaml)|| -Known issues +**Known issues** - None @@ -214,7 +220,8 @@ Use the System Policy Control payload to configure Gatekeeper settings. This con | -------- | ------- | ------- | |
    • [Gatekeeper and runtime protection](https://support.apple.com/guide/security/sec5599b66df/web)
    • [Security MDM payload](https://support.apple.com/guide/deployment/dep61dc030/web)
    | [SystemPolicyControl](https://developer.apple.com/documentation/devicemanagement/systempolicycontrol) | [System Policy Control](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.systempolicy.control.yaml) | -#### Known issues +**Known issues** + - None #### Intune device configuration template to settings catalog mapping @@ -230,7 +237,8 @@ Use the System Extensions payload to configure system extensions to be automatic | -------- | ------- | ------- | |
    • [System and kernel extensions](https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web)
    • [System Extensions](https://support.apple.com/guide/deployment/dep5d1584ca4/web)
    | [System Extensions](https://developer.apple.com/documentation/devicemanagement/systemextensions) | [System Extensions](https://github.com/apple/device-management/blob/release/mdm/profiles/com.apple.system-extension-policy.yaml)| -#### Known issues +**Known issues** + - None #### Intune device configuration template to settings catalog mapping From be6f9aa813df67de920277b7fed32c8d1ae5b331 Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Fri, 13 Dec 2024 13:45:15 -0800 Subject: [PATCH 106/237] 46873590 bulk actions --- .../report-cloud-pcs-not-available.md | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/windows-365/enterprise/report-cloud-pcs-not-available.md b/windows-365/enterprise/report-cloud-pcs-not-available.md index 021a70a8027..73be748fe45 100644 --- a/windows-365/enterprise/report-cloud-pcs-not-available.md +++ b/windows-365/enterprise/report-cloud-pcs-not-available.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 10/18/2024 +ms.date: 12/18/2024 ms.topic: overview ms.service: windows-365 ms.subservice: windows-365-enterprise @@ -31,7 +31,7 @@ ms.collection: # Cloud PCs that aren't available report -The **Cloud PCs that aren't available** helps Windows 365 administrators identify Cloud PCs that might be currently unavailable. +The **Cloud PCs that aren't available** report helps Windows 365 administrators identify Cloud PCs that might be currently unavailable. This report displays recent conditions up to 5 to 15 minutes ago. Therefore, Cloud PCs in the report might have already recovered since the condition was recorded. Also, Cloud PCs that recently became unavailable might not be in the report. 
@@ -41,6 +41,8 @@ To get to the **Cloud PCs that aren't available** report, sign in to [Microsoft ![Screenshot of getting to the Cloud PCs that aren't available report](./media/report-cloud-pcs-not-available/view-report-cloud-pcs-not-available.png) +## Data table + The device list shows the individual Cloud PCs with the following columns: - **Device name** @@ -64,7 +66,20 @@ You can use the **View details** link to see the recent history of the Cloud PC. By using the various columns together, an experienced admin may draw clues to the state of the device and the underlying cause of any problems. For example, a user complains to your help desk that they can't access their Cloud PC. you check this report and see no data in the **Host health** or **System status** columns, the **Device status** is **Provisioned**, and the **Connection error** says **Client Disconnect**. Other Cloud PCs in the same region aren't in the list. This issue is probably specific to this user, possibly something to do with the physical client configuration, network configuration, or network infrastructure. +## Bulk device actions + +You can use **Bulk device actions** to perform device actions on multiple Cloud PCs at one time. + +1. Optional. Use **Add filters** to filter the table data to see the Cloud PCs that you want manage. +2. Select the Cloud PCs that you want to manage (maximum of 100,000 Cloud PCs). +3. Select **Bulk device actions** > specific device action. +4. Based on the specific action, complete the subsequent pages. + +The time it takes complete the actions varies depends on the specific action. + ## Next steps [Remoting connection report](report-remoting-connection.md) + +[Remotely manage Windows 365 devices](remotely-manage-cloud-pc.md). From bdf2c0c3c901d724af154e4d9de061acba94dc4e Mon Sep 17 00:00:00 2001 
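Review bot: the new `## Bulk device actions` section in report-cloud-pcs-not-available.md lets an admin act on up to 100,000 Cloud PCs in one operation, but step 3 only says "specific device action" and nothing states which actions the menu offers or which role or permission is needed to run them; list both here or link to where they are documented. Wording in the same hunk: "that you want manage" lacks "to", and "The time it takes complete the actions varies depends on" should read "takes to complete" and "varies depending on". Step 1 names the control `**Add filters**`, while the existing text of this article calls it `**Add filter**`. The added "Remotely manage Windows 365 devices" link ends with a period that the "Remoting connection report" link above it does not have.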
From: ErikjeMS Date: Fri, 13 Dec 2024 13:49:05 -0800 Subject: [PATCH 107/237] 46873590 bulk --- windows-365/enterprise/report-cloud-pcs-not-available.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows-365/enterprise/report-cloud-pcs-not-available.md b/windows-365/enterprise/report-cloud-pcs-not-available.md index 73be748fe45..a7a21fd82a0 100644 --- a/windows-365/enterprise/report-cloud-pcs-not-available.md +++ b/windows-365/enterprise/report-cloud-pcs-not-available.md @@ -8,10 +8,10 @@ author: ErikjeMS ms.author: erikje manager: dougeby ms.date: 12/18/2024 -ms.topic: overview +ms.topic: how-to ms.service: windows-365 ms.subservice: windows-365-enterprise -ms.localizationpriority: high +ms.localizationpriority: highs ms.assetid: # optional metadata @@ -82,4 +82,4 @@ The time it takes complete the actions varies depends on the specific action. [Remoting connection report](report-remoting-connection.md) -[Remotely manage Windows 365 devices](remotely-manage-cloud-pc.md). +[Remotely manage Windows 365 devices](remotely-manage-cloud-pc.md). From c70a25a07d310987af100a51f1f981279c2a97a0 Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Fri, 13 Dec 2024 14:02:07 -0800 Subject: [PATCH 108/237] acro --- windows-365/enterprise/report-cloud-pcs-not-available.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows-365/enterprise/report-cloud-pcs-not-available.md b/windows-365/enterprise/report-cloud-pcs-not-available.md index a7a21fd82a0..2cdb7a009e8 100644 --- a/windows-365/enterprise/report-cloud-pcs-not-available.md +++ b/windows-365/enterprise/report-cloud-pcs-not-available.md 
@@ -64,7 +64,7 @@ You can use the **Columns** and **Add filter** options to customize the report: You can use the **View details** link to see the recent history of the Cloud PC. You can then cross-reference multiple conditions and timelines to find potential root causes of Cloud PC unavailability. -By using the various columns together, an experienced admin may draw clues to the state of the device and the underlying cause of any problems. For example, a user complains to your help desk that they can't access their Cloud PC. you check this report and see no data in the **Host health** or **System status** columns, the **Device status** is **Provisioned**, and the **Connection error** says **Client Disconnect**. Other Cloud PCs in the same region aren't in the list. This issue is probably specific to this user, possibly something to do with the physical client configuration, network configuration, or network infrastructure. +By using the various columns together, an experienced admin may draw clues to the state of the device and the underlying cause of any problems. For example, a user complains to your help desk that they can't access their Cloud PC. You check this report and see no data in the **Host health** or **System status** columns, the **Device status** is **Provisioned**, and the **Connection error** says **Client Disconnect**. Other Cloud PCs in the same region aren't in the list. This issue is probably specific to this user, possibly something to do with the physical client configuration, network configuration, or network infrastructure. ## Bulk device actions @@ -75,7 +75,7 @@ You can use **Bulk device actions** to perform device actions on multiple Cloud 3. Select **Bulk device actions** > specific device action. 4. Based on the specific action, complete the subsequent pages. -The time it takes complete the actions varies depends on the specific action. +The time it takes complete the actions varies depending on the specific action. ## Next steps 
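Review bot: in the second hunk of this commit to report-cloud-pcs-not-available.md, the corrected sentence still reads "The time it takes complete the actions"; it needs "takes to complete". The "varies depending on" change and the capitalised "You check this report" in the first hunk are fine.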
From 9a4ad8eff3a3341f800241d052cbb499e37ec17d Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Fri, 13 Dec 2024 14:04:39 -0800 Subject: [PATCH 109/237] fix --- windows-365/enterprise/report-cloud-pcs-not-available.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows-365/enterprise/report-cloud-pcs-not-available.md b/windows-365/enterprise/report-cloud-pcs-not-available.md index 2cdb7a009e8..ac5e03d3ad9 100644 --- a/windows-365/enterprise/report-cloud-pcs-not-available.md +++ b/windows-365/enterprise/report-cloud-pcs-not-available.md @@ -11,7 +11,7 @@ ms.date: 12/18/2024 ms.topic: how-to ms.service: windows-365 ms.subservice: windows-365-enterprise -ms.localizationpriority: highs +ms.localizationpriority: high ms.assetid: # optional metadata From 25cf39db46c09e4ef3069d9659c0f5372bc993fe Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Fri, 13 Dec 2024 14:12:41 -0800 Subject: [PATCH 110/237] add wn --- windows-365/enterprise/whats-new.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/windows-365/enterprise/whats-new.md b/windows-365/enterprise/whats-new.md index e0c3a236458..ce3b72911f7 100644 --- a/windows-365/enterprise/whats-new.md +++ b/windows-365/enterprise/whats-new.md @@ -7,7 +7,7 @@ keywords: author: ErikjeMS ms.author: erikje manager: dougeby -ms.date: 12/06/2024 +ms.date: 12/18/2024 ms.topic: conceptual ms.service: windows-365 ms.subservice: windows-365-enterprise 
@@ -61,6 +61,16 @@ For more information about public preview items, see [Public preview in Windows ### Device management +#### Restore, restart, and troubleshoot actions in the Cloud PCs that aren't available report + +You can now use the **Bulk device actions** command on the **Cloud PCs that aren't available** report to restore, restart, and troubleshoot actions directly from the report. For more information, seee [Cloud PCs that aren't available report](report-cloud-pcs-not-available.md). + + +## Week of December 9, 2024 + + +### Device management + #### Move selected Cloud PCs to a new region You can now move selected Cloud PCs to a new region. This is instead of moving all Cloud PCs in a provisioning policy. From a293ca66dc0394f0b4c401b4533adfada0ef0e2f Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Fri, 13 Dec 2024 14:23:34 -0800 Subject: [PATCH 111/237] fix date --- windows-365/enterprise/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows-365/enterprise/whats-new.md b/windows-365/enterprise/whats-new.md index ce3b72911f7..f478a438d47 100644 --- a/windows-365/enterprise/whats-new.md +++ b/windows-365/enterprise/whats-new.md @@ -56,7 +56,7 @@ For more information about public preview items, see [Public preview in Windows --> -## Week of December 9, 2024 +## Week of December 17, 2024 ### Device management From a9093b853d4de9dc52b60a7983c6fbd8e1431f8c Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Fri, 13 Dec 2024 17:49:31 -0500 Subject: [PATCH 112/237] Update create-compliance-policy.md Freshness check --- .../protect/create-compliance-policy.md | 46 ++++++++++--------- 1 file changed, 24 insertions(+), 22 deletions(-) diff --git a/memdocs/intune/protect/create-compliance-policy.md b/memdocs/intune/protect/create-compliance-policy.md index aeedab1c731..3610ea4b894 100644 --- a/memdocs/intune/protect/create-compliance-policy.md +++ b/memdocs/intune/protect/create-compliance-policy.md 
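Review bot: in the `@@ -61,6 +61,16 @@` hunk of whats-new.md, the added entry has "seee" for "see", and "to restore, restart, and troubleshoot actions directly from the report" does not parse; something like "to restore, restart, or troubleshoot Cloud PCs directly from the report" says what the heading says. The hunk also adds a second `## Week of December 9, 2024` heading with two blank lines on either side; one blank line matches the rest of the file.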
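Review bot: the heading changed in the `@@ -56,7 +56,7 @@` hunk of whats-new.md becomes "Week of December 17, 2024", which is a Tuesday, while the heading it sits above ("Week of December 9, 2024") is a Monday. If the week headings are meant to carry the Monday date, this should be December 16; please confirm against the other headings in the file.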
@@ -7,7 +7,7 @@ keywords: author: lenewsad ms.author: lanewsad manager: dougeby -ms.date: 03/13/2024 +ms.date: 12/13/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect @@ -81,7 +81,8 @@ For more information about using custom compliance settings, including supported 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -2. Go to **Devices** > **Compliance** and choose **Create policy**. +2. Go to **Devices**. +3. Under **Manage devices**, select **Compliance**. Then choose **Create policy**. 4. Select a **Platform** for this policy from the following options: - **Android device administrator** 
@@ -89,19 +90,20 @@ For more information about using custom compliance settings, including supported - **Android Enterprise** - **iOS/iPadOS** - **Linux** - (Ubuntu Desktop, version 20.04 LTS and 22.04 LTS, RedHat Enterprise Linux 8, or RedHat Enterprise Linux 9) - - **macOS** - - **Windows 8.1 and later** - - **Windows 10 and later** + - **macOS** + - **Windows 10 and later** + - **Windows 8.1 and later** + - For *Android Enterprise*, you also select a **Policy type**: + For *Android Enterprise*, you also select a **Profile type**. Your options: - **Fully managed, dedicated, and corporate-owned work profile** - **Personally-owned work profile** Then select **Create** to open the configuration page. -5. On the **Basics** tab, specify a **Name** that helps you identify them later. For example, a good policy name is **Mark iOS/iPadOS jailbroken devices as not compliant**. +5. On the **Basics** tab, enter a **Name** that helps you identify this policy later. For example, a good policy name is **Mark iOS/iPadOS jailbroken devices as not compliant**. - You can also choose to specify a **Description**. + Optionally, enter a **Description** for the policy. 6. On the **Compliance settings** tab, expand the available categories, and configure settings for your policy. The following articles describe the available compliance settings for each platform: - [Android device administrator](compliance-policy-create-android.md) 
@@ -113,32 +115,32 @@ For more information about using custom compliance settings, including supported - [Windows 8.1 and later](compliance-policy-create-windows-8-1.md) - [Windows 10/11](compliance-policy-create-windows.md) -7. Add custom settings to policies for supported platforms. +7. Optionally, you can add custom settings for supported platforms. > [!TIP] - > This is an optional step that’s supported only for the following platforms: + > This is an optional step that’s supported for the following platforms: > > - Linux - Ubuntu Desktop, version 20.04 LTS and 22.04 LTS - > - Windows 10/11 + > - Windows 10 and later > Before you can add custom settings to a policy, you must have uploaded a detection script to Intune, and have ready a JSON file that defines the settings you want to use for compliance. See [Custom compliance settings](../protect/compliance-use-custom-settings.md). On the **Compliance settings** page, expand the **Custom Compliance** category: **For Windows**: 1. On the *Compliance settings* page, expand **Custom Compliance** and set *Custom compliance* to **Require**. - 2. For *Select your discovery script*, select **Click to select**, and then specify a script that’s been previously added to the Microsoft Intune admin center. This script must be uploaded before you begin to create the policy. - 3. For *Upload and validate the JSON file with your custom compliance settings*, select the folder icon and then locate and add the JSON file for Windows that you want to use with this policy. For assistance with the JSON, see [Create a JSON for custom compliance settings](compliance-custom-json.md). + 2. For *Select your discovery script*, select **Click to select**, and then enter the name of a script that you previously added to the Microsoft Intune admin center. This script must be uploaded before you begin to create the policy. Choose **Select** to continue to the next step. + 3. 
For *Upload and validate the JSON file with your custom compliance settings*, select the folder icon, and then find and add the JSON file for Windows that you want to use with this policy. For assistance with the JSON, see [Create a JSON for custom compliance settings](compliance-custom-json.md). **For Linux**: - 1. On the *Compliance settings* page, select **Add settings** to open the *Settings picker* pane. - 2. Select **Custom Compliance**, and then select 8. - 3. Back on the *Compliance settings* page, select the toggle for *Require Custom Compliance* to change it to be **True**. - 4. For *Select your discovery script*, select **Set reusable settings**, and then specify a script that’s been previously added to the Microsoft Intune admin center. This script must have been uploaded before you begin to create the policy. - 5. For *Select your rules file*, select the folder icon and then locate and add the JSON file for Linux that you want to use with this policy. For assistance with the JSON, see [Create a JSON for custom compliance settings](compliance-custom-json.md). + 1. On the *Compliance settings* page, select **Add settings** to open the **Settings picker**. + 2. Select **Custom Compliance**. Then close the settings picker. + 3. Switch **Require Custom Compliance** to **True**. T + 4. For **Select your discovery script**, select **Select a script**. Then select a script that’s been previously added to the Microsoft Intune admin center. This script must be uploaded before you begin to create the policy. + 6. For **Select your rules file**, select the folder icon and then locate and add the JSON file for Linux that you want to use with this policy. For assistance with the JSON, see [Create a JSON for custom compliance settings](compliance-custom-json.md). - The JSON you enter is validated and any problems are displayed. After validation of the JSON contents, the rules from the JSON are displayed in table format. + Wait while Intune validates the JSON. 
Problems that need to be fixed appear onscreen. After validation of the JSON contents, the rules from the JSON appear in table format. -8. On the **Actions for noncompliance** tab, specify a sequence of actions to apply automatically to devices that don't meet this compliance policy. +8. On the **Actions for noncompliance** tab, select a sequence of actions to apply automatically to devices that don't meet this compliance policy. You can add multiple actions, and configure schedules and details for some actions. For example, you might change the schedule of the default action *Mark device noncompliant* to occur after one day. You can then add an action to send an email to the user when the device isn't compliant to warn them of that status. You can also add actions that lock or retire devices that remain noncompliant. @@ -152,7 +154,7 @@ For more information about using custom compliance settings, including supported 10. On the **Assignments** tab, assign the policy to your groups. - Select **+ Select groups to include** and then assign the policy to one or more groups. The policy will apply to these groups when you save the policy after the next step. + Select **Add groups**, and then assign the policy to one or more groups. The policy will apply to these groups when you save the policy after the next step. Policies for Linux don't support user-based assignments and can only be assigned to device groups. @@ -205,4 +207,4 @@ For example, a device has three compliance policies assigned to it: one Unknown ## Next steps -[Monitor your policies](compliance-policy-monitor.md). \ No newline at end of file +[Monitor your policies](compliance-policy-monitor.md). From 01e3006258d0e32fcf5c5fc68d41c11ca9f9d80e Mon Sep 17 00:00:00 2001 
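Review bot: in the rewritten **For Linux** steps of create-compliance-policy.md, step 3 ends with a stray "T" ("Switch **Require Custom Compliance** to **True**. T") and the numbering jumps from 4 to 6; drop the "T" and renumber the last step to 5. In the same hunk the Tip now says "Windows 10 and later" while the link list just above it still reads "[Windows 10/11]"; use one name for the platform. In the platform list hunk, "Windows 10 and later" now comes before "Windows 8.1 and later"; confirm that this is the order shown in the admin center.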
From: ErikjeMS Date: Fri, 13 Dec 2024 15:06:38 -0800 Subject: [PATCH 113/237] file name change --- windows-365/link/TOC.yml | 4 ++-- ...policies-synchronize.md => conditional-access-policies.md} | 0 windows-365/link/deployment-overview.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) rename windows-365/link/{conditional-access-policies-synchronize.md => conditional-access-policies.md} (100%) diff --git a/windows-365/link/TOC.yml b/windows-365/link/TOC.yml index aeb0761f302..01f39fe8de2 100644 --- a/windows-365/link/TOC.yml +++ b/windows-365/link/TOC.yml @@ -33,8 +33,8 @@ items: href: create-intune-filter.md - name: Configure enrollment restrictions href: enrollment-restrictions.md - - name: Synchronize Conditional Access policies - href: conditional-access-policies-synchronize.md + - name: Configure Conditional Access policies + href: conditional-access-policies.md - name: Suppress single sign-on prompt href: single-sign-on-suppress.md - name: Troubleshooting diff --git a/windows-365/link/conditional-access-policies-synchronize.md b/windows-365/link/conditional-access-policies.md similarity index 100% rename from windows-365/link/conditional-access-policies-synchronize.md rename to windows-365/link/conditional-access-policies.md diff --git a/windows-365/link/deployment-overview.md b/windows-365/link/deployment-overview.md index 46eec04781f..7f9ddcb69c9 100644 --- a/windows-365/link/deployment-overview.md +++ b/windows-365/link/deployment-overview.md 
@@ -40,7 +40,7 @@ To set up your organization's environment to deploy and manage Windows 365 Link 3. [Configure Microsoft Entra Mobility settings to automatically enroll Windows 365 Link devices in Intune](intune-automatic-enrollment.md). 4. [Create an Intune filter for Windows 365 Link devices](create-intune-filter.md) (optional). 5. [Configure enrollment restrictions to let Windows 365 Link devices enroll](enrollment-restrictions.md). -6. [Validate Conditional Access policies](conditional-access-policies-synchronize.md). +6. [Validate Conditional Access policies](conditional-access-policies.md). 7. [Suppress single sign-on consent prompt](single-sign-on-suppress.md) (recommended). After setting up deployment for your Windows 365 Link devices, you can start [onboarding](onboarding.md) them. From b492d51fd6dd9133096af02ae2909f1a10d1e2e4 Mon Sep 17 00:00:00 2001 From: ErikjeMS Date: Fri, 13 Dec 2024 15:09:03 -0800 Subject: [PATCH 114/237] redirect --- .openpublishing.redirection.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 548791d9752..550b80272a2 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -2774,6 +2774,11 @@ "source_path": "memdocs/intune/protect/endpoint-security-firewall-rule-tool.md", "redirect_url": "/mem/intune/protect/endpoint-security-firewall-policy", "redirect_document_id": false - } + }, + { + "source_path": "windows-365/link/conditional-access-policies-synchronize.md", + "redirect_url": "/windows-365/link/conditional-access-policies", + "redirect_document_id": false + } ] } \ No newline at end of file From 4e66db37ead93ce25dbd385cc3d7386967a8e3a4 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Sat, 14 Dec 2024 05:40:20 +0530 Subject: [PATCH 115/237] Fix typos --- windows-365/enterprise/report-cloud-pcs-not-available.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows-365/enterprise/report-cloud-pcs-not-available.md b/windows-365/enterprise/report-cloud-pcs-not-available.md index ac5e03d3ad9..c9ad2fa3e63 100644 --- a/windows-365/enterprise/report-cloud-pcs-not-available.md +++ b/windows-365/enterprise/report-cloud-pcs-not-available.md @@ -70,12 +70,12 @@ By using the various columns together, an experienced admin may draw clues to th You can use **Bulk device actions** to perform device actions on multiple Cloud PCs at one time. -1. Optional. Use **Add filters** to filter the table data to see the Cloud PCs that you want manage. +1. Optional. Use **Add filters** to filter the table data to see the Cloud PCs that you want to manage. 2. Select the Cloud PCs that you want to manage (maximum of 100,000 Cloud PCs). 3. Select **Bulk device actions** > specific device action. 4. Based on the specific action, complete the subsequent pages. -The time it takes complete the actions varies depending on the specific action. +The time it takes to complete the actions varies depending on the specific action. ## Next steps From a9bf4d0c9b1e20cf4020e21fc2e17b4e202257ea Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Sat, 14 Dec 2024 05:47:28 +0530 Subject: [PATCH 116/237] Fix typo in "Cloud PCs that aren't available" section --- windows-365/enterprise/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows-365/enterprise/whats-new.md b/windows-365/enterprise/whats-new.md index f478a438d47..074c5702959 100644 --- a/windows-365/enterprise/whats-new.md +++ b/windows-365/enterprise/whats-new.md 
@@ -63,7 +63,7 @@ For more information about public preview items, see [Public preview in Windows #### Restore, restart, and troubleshoot actions in the Cloud PCs that aren't available report -You can now use the **Bulk device actions** command on the **Cloud PCs that aren't available** report to restore, restart, and troubleshoot actions directly from the report. For more information, seee [Cloud PCs that aren't available report](report-cloud-pcs-not-available.md). +You can now use the **Bulk device actions** command on the **Cloud PCs that aren't available** report to restore, restart, and troubleshoot actions directly from the report. For more information, see [Cloud PCs that aren't available report](report-cloud-pcs-not-available.md). ## Week of December 9, 2024 From 06d7c4d5cdfa1a1261d681511b40dd136dd5e319 Mon Sep 17 00:00:00 2001 From: Benjamin Flamm <57767769+beflamm@users.noreply.github.com> Date: Sun, 15 Dec 2024 21:40:49 -0500 Subject: [PATCH 117/237] Learn Editor: Update managed-software-updates-ios-macos.md --- .../managed-software-updates-ios-macos.md | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/protect/managed-software-updates-ios-macos.md b/memdocs/intune/protect/managed-software-updates-ios-macos.md index b74d79f5da1..b555cb80e68 100644 --- a/memdocs/intune/protect/managed-software-updates-ios-macos.md +++ b/memdocs/intune/protect/managed-software-updates-ios-macos.md 
@@ -171,7 +171,26 @@ Managed software updates use the same reporting as device configuration policies > [!IMPORTANT] > A policy that reports Success only means that the configuration successfully installed on the device. Monitor the OS version of targeted devices to ensure that they update. After devices have updated to a later OS version than configured in the policy, the policy will report error as the device sees this as an attempt to downgrade. It's recommended to remove the older OS version policy from devices in this state. -## Delay visibility of updates +## Using the Software Update Settings declarative configuration + +When you configure managed software updates, you might want to manage aspects of the software update process leading up to the enforcement of an update. Using this configuration, you can: + +- Require that an admin or standard user can perform updates on the device + +- Control how users can manually interact with software update settings like automatic download and install or the behavior of Rapid Security Responses + +- Hide updates from users for a specified time period + +- Suppress update notifications up to one hour before the enforcement deadline + +- Control whether users are allowed to update to the latest major update, latest minor update, or are offered both. + +Previously in MDM, these settings were spread across multiple payloads such as Restrictions, Managed Settings, and Software Update. As of August 2024, it's recommended to use the DDM-based Software Update Settings configuration to manage updates. To create a Software Update Settings policy, go to the Settings catalog > Declarative Device Management (DDM) > Software Update Settings. More information on these settings is available in the documentation section for the [Software Update Settings declarative configuration](/mem/intune/configuration/apple-settings-catalog-configurations). 
+ +## Delay visibility of updates using MDM + +> [!NOTE] +> As of August 2024, it's recommended to use the DDM-based Software Update Settings configuration to manage update settings such as deferrals. When you configure managed software updates, you might want to hide updates from users for a specified time period. To hide the updates, use a settings catalog policy that configures an update restriction. @@ -192,3 +211,4 @@ To create a restrictions policy, go to the **Settings catalog** > **Restrictions - [macOS software update policies in Intune](software-updates-macos.md) - [Software updates planning guide for supervised iOS/iPadOS devices in Intune](software-updates-guide-ios-ipados.md) - [Software updates planning guide for managed macOS devices in Intune](software-updates-guide-macos.md) + From cf8d27418cc7e8515d1857a40f57fedd4d3961ce Mon Sep 17 00:00:00 2001 From: Benjamin Flamm <57767769+beflamm@users.noreply.github.com> Date: Sun, 15 Dec 2024 21:40:57 -0500 Subject: [PATCH 118/237] Learn Editor: Update managed-software-updates-ios-macos.md From a8809320019657a3fbcfd69efcf7aba6b6fb3aa7 Mon Sep 17 00:00:00 2001 From: Palika Singh <97435621+PalikaSingh@users.noreply.github.com> Date: Mon, 16 Dec 2024 20:16:44 +0530 Subject: [PATCH 119/237] Update checklist-for-installing-update-2409.md --- .../core/servers/manage/checklist-for-installing-update-2409.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/configmgr/core/servers/manage/checklist-for-installing-update-2409.md b/memdocs/configmgr/core/servers/manage/checklist-for-installing-update-2409.md index 2fe510acf73..f6954a91102 100644 --- a/memdocs/configmgr/core/servers/manage/checklist-for-installing-update-2409.md +++ b/memdocs/configmgr/core/servers/manage/checklist-for-installing-update-2409.md 
@@ -91,7 +91,7 @@ The version 2409 update should now be available in the console. > [!IMPORTANT] > This script only adds your site to the early update ring for version 2409. It's not a permanent change.--> -As of December 11 , 2024, version 2409 is globally available for all customers to install. If you previously opted in to the early update ring, watch for an update to this current branch version. +As of December 16 , 2024, version 2409 is globally available for all customers to install. If you previously opted in to the early update ring, watch for an update to this current branch version. ## Pre-update checklist From 9bbf221ced5678e9650df60e3a340d52eff8800a Mon Sep 17 00:00:00 2001 From: Palika Singh <97435621+PalikaSingh@users.noreply.github.com> Date: Mon, 16 Dec 2024 20:20:57 +0530 Subject: [PATCH 120/237] Update whats-new-in-version-2409.md --- .../core/plan-design/changes/whats-new-in-version-2409.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2409.md b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2409.md index 9de89b37b44..4b691e54206 100644 --- a/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2409.md +++ b/memdocs/configmgr/core/plan-design/changes/whats-new-in-version-2409.md @@ -112,7 +112,7 @@ For more information, see [Removed and deprecated features for Configuration Man ## Next steps -As of December 11, 2024, version 2409 is globally available for all customers to install. +As of December 16, 2024, version 2409 is globally available for all customers to install. >[!NOTE] >For exisiting Fast ring current branch 2409 customers, you will see Slow ring upgrade package in console. Install 2409 Slow ring package to be in production current branch. From 79ac5828611472a0d9db3d34b7adaa6a10858c2d Mon Sep 17 00:00:00 2001 
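Review bot: In the new "Using the Software Update Settings declarative configuration" section of managed-software-updates-ios-macos.md, the first bullet ("Require that an admin or standard user can perform updates on the device") does not state the choice the setting offers; as written it reads as if both account types are always allowed. Reword it to name the options. The path "Settings catalog > Declarative Device Management (DDM) > Software Update Settings" should be bolded like the existing "**Settings catalog** > **Restrictions" path later in the file, the bullets should end consistently (only the last has a period), and the blank line added after the final list item at the end of the file can be dropped.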
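Review bot: The date edit in checklist-for-installing-update-2409.md keeps the stray space before the comma ("December 16 , 2024"), while the matching line in whats-new-in-version-2409.md reads "December 16, 2024". Remove the space so both articles state the availability date identically. The context line under the whats-new edit also carries the typo "exisiting", which can be fixed in the same change.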
From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:01:08 +0530 Subject: [PATCH 121/237] Update defender-advanced-threat-protection.md --- .../defender-advanced-threat-protection.md | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/memdocs/configmgr/protect/deploy-use/defender-advanced-threat-protection.md b/memdocs/configmgr/protect/deploy-use/defender-advanced-threat-protection.md index d5f7d55d351..ea3e53d862b 100644 --- a/memdocs/configmgr/protect/deploy-use/defender-advanced-threat-protection.md +++ b/memdocs/configmgr/protect/deploy-use/defender-advanced-threat-protection.md @@ -2,7 +2,7 @@ title: Microsoft Defender for Endpoint titleSuffix: Configuration Manager description: Learn how to manage and monitor Microsoft Defender for Endpoint, a new service that helps enterprises respond to advanced attacks. -ms.date: 08/01/2023 +ms.date: 12/16/2024 ms.service: configuration-manager ms.subservice: protect ms.topic: conceptual @@ -35,12 +35,12 @@ You can onboard the following operating systems using Configuration Manager: - Windows 11 - Windows 10, version 1709 or newer -- Windows 8.1 +- Windows Server 2025 - Windows Server 2022 - Windows Server 2019 - Windows Server Semi-Annual Channel (SAC), version 1803 or newer - Windows Server 2016 -- Windows Server 2012 R2 + > [!IMPORTANT] > Operating systems that have reached the end of their [product lifecycle](/lifecycle/faq/general-lifecycle) aren't typically supported for onboarding unless they have been enrolled into the [Extended Security Updates (ESU program)](/lifecycle/faq/extended-security-updates). For more information about supported operating systems and capabilities with Microsoft Defender for Endpoint, see [Minimum requirements for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements#supported-windows-versions). 
@@ -65,12 +65,8 @@ Up-level operating systems include: - Windows Server 2022 Down-level operating systems that support MDE Client include: -- Windows Server 2012 R2 - Windows Server 2016 -Down-level operating systems that require MMA Agent: -- Windows 8.1 - > [!NOTE] > Currently, the [modern, unified Microsoft Defender for Endpoint for Windows Server 2012 R2 & 2016](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/bc-p/2904464) is generally available. Configuration Manager version 2107 with the update rollup supports configuration using Endpoint Protection policies, including those policies created in the Microsoft Intune admin center using tenant attach. Configuration Manager version 2207 now supports automatic deployment of MDE Client, if you choose to use through Client Settings. For older supported versions, see [Server migration scenarios](/microsoft-365/security/defender-endpoint/server-migration). @@ -91,9 +87,9 @@ Up-level clients require an onboarding configuration file for onboarding to Micr - Windows Server Semi-Annual Channel (SAC), version 1803 and later - Windows Server 2019 - Windows Server 2022 +- Windows Server 2025 Down-level operating systems that support MDE Client include: -- Windows Server 2012 R2 - Windows Server 2016 #### Prerequisites From e3c7bdfc8fe5aa9e85651f16ed47943b715921e8 Mon Sep 17 00:00:00 2001 From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:02:18 +0530 Subject: [PATCH 122/237] Update use-device-guard-with-configuration-manager.md --- .../deploy-use/use-device-guard-with-configuration-manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager.md b/memdocs/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager.md index f3c4ce07522..c0754754156 100644 
--- a/memdocs/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager.md +++ b/memdocs/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager.md @@ -2,7 +2,7 @@ title: Manage Windows Defender Application Control titleSuffix: Configuration Manager description: Learn how to use Configuration Manager to manage Windows Defender Application Control. -ms.date: 04/11/2022 +ms.date: 12/16/2024 ms.service: configuration-manager ms.subservice: protect ms.topic: how-to From d7bd321f2e16b439948a41fd0ebd9118a595f6c7 Mon Sep 17 00:00:00 2001 From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:03:27 +0530 Subject: [PATCH 123/237] Update configure-client-cache.md --- memdocs/configmgr/core/clients/manage/configure-client-cache.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/configmgr/core/clients/manage/configure-client-cache.md b/memdocs/configmgr/core/clients/manage/configure-client-cache.md index 9f792ce4095..5a06cbfa24e 100644 --- a/memdocs/configmgr/core/clients/manage/configure-client-cache.md +++ b/memdocs/configmgr/core/clients/manage/configure-client-cache.md @@ -2,7 +2,7 @@ title: Configure the client cache titleSuffix: Configuration Manager description: Configure the client content cache during or after client install. -ms.date: 06/16/2021 +ms.date: 12/16/2024 ms.subservice: client-mgt ms.service: configuration-manager ms.topic: how-to From 1b6054ff35ef76584da4d05166f6cbeba3cd537c Mon Sep 17 00:00:00 2001 From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:04:38 +0530 Subject: [PATCH 124/237] Update overview.md --- memdocs/configmgr/core/clients/manage/cmg/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/configmgr/core/clients/manage/cmg/overview.md b/memdocs/configmgr/core/clients/manage/cmg/overview.md index abe60342a58..3ce3599e9cf 100644 --- a/memdocs/configmgr/core/clients/manage/cmg/overview.md 
+++ b/memdocs/configmgr/core/clients/manage/cmg/overview.md @@ -2,7 +2,7 @@ title: Cloud management gateway overview titleSuffix: Configuration Manager description: Learn about managing internet-based clients with Configuration Manager by using the cloud management gateway (CMG) service in Azure. -ms.date: 08/02/2021 +ms.date: 12/16/2024 ms.subservice: client-mgt ms.service: configuration-manager ms.topic: overview From e6ed9df1c52fc6f53131abb23d598869d542a08a Mon Sep 17 00:00:00 2001 From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:06:32 +0530 Subject: [PATCH 125/237] Update product-and-licensing-faq.yml --- .../configmgr/core/understand/product-and-licensing-faq.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/memdocs/configmgr/core/understand/product-and-licensing-faq.yml b/memdocs/configmgr/core/understand/product-and-licensing-faq.yml index ac111f53207..34d14787d1f 100644 --- a/memdocs/configmgr/core/understand/product-and-licensing-faq.yml +++ b/memdocs/configmgr/core/understand/product-and-licensing-faq.yml @@ -3,12 +3,12 @@ metadata: title: Product and licensing FAQ titleSuffix: Configuration Manager description: Find answers for common product and license questions for Configuration Manager. - ms.date: 05/12/2022 + ms.date: 12/16/2024 ms.subservice: core-infra ms.service: configuration-manager ms.topic: faq - author: banreet - ms.author: banreetkaur + author: Baladelli + ms.author: baladell manager: apoorvseth ms.collection: highpri From cf37df1db39557740e7b6db5a3dffd786a3bc0a5 Mon Sep 17 00:00:00 2001 From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:07:49 +0530 Subject: [PATCH 126/237] Update use-the-setup-wizard-to-install-sites.md --- .../deploy/install/use-the-setup-wizard-to-install-sites.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/memdocs/configmgr/core/servers/deploy/install/use-the-setup-wizard-to-install-sites.md b/memdocs/configmgr/core/servers/deploy/install/use-the-setup-wizard-to-install-sites.md index 989b895ea4d..b462ec5c888 100644 --- a/memdocs/configmgr/core/servers/deploy/install/use-the-setup-wizard-to-install-sites.md +++ b/memdocs/configmgr/core/servers/deploy/install/use-the-setup-wizard-to-install-sites.md @@ -2,12 +2,12 @@ title: Setup wizard titleSuffix: Configuration Manager description: Use the Configuration Manager setup wizard to install a new site. -ms.date: 04/08/2022 +ms.date: 12/16/2024 ms.subservice: core-infra ms.service: configuration-manager ms.topic: overview -author: sheetg09 -ms.author: sheetg +author: Baladelli +ms.author: Baladell manager: apoorvseth ms.localizationpriority: medium ms.collection: tier3 From e44db20ffeb6c31821eca6bea100cac93641629e Mon Sep 17 00:00:00 2001 From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:08:58 +0530 Subject: [PATCH 127/237] Update create-deploy-scripts.md --- memdocs/configmgr/apps/deploy-use/create-deploy-scripts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/configmgr/apps/deploy-use/create-deploy-scripts.md b/memdocs/configmgr/apps/deploy-use/create-deploy-scripts.md index 01ce4255599..2b3aa94a863 100644 --- a/memdocs/configmgr/apps/deploy-use/create-deploy-scripts.md +++ b/memdocs/configmgr/apps/deploy-use/create-deploy-scripts.md @@ -2,7 +2,7 @@ title: Create and run scripts titleSuffix: Configuration Manager description: Create and run PowerShell scripts on client devices. -ms.date: 09/18/2023 +ms.date: 12/16/2024 ms.subservice: app-mgt ms.service: configuration-manager ms.topic: conceptual From 56171e48fbbebe004dbe73b969f6f45a889103e4 Mon Sep 17 00:00:00 2001 
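Review bot: In defender-advanced-threat-protection.md the onboarding lists drop Windows 8.1 and Windows Server 2012 R2, but the unchanged [!NOTE] that follows the second hunk still describes the unified Microsoft Defender for Endpoint agent for "Windows Server 2012 R2 & 2016", so the article now contradicts itself on whether 2012 R2 can be onboarded. Update or qualify that note in the same change. The second hunk (-65,12 +65,8) also leaves the up-level list ending at Windows Server 2022 while the first and third hunks add Windows Server 2025 (PATCH 131/237 adds it afterwards; folding that in here keeps this commit consistent), and the first hunk replaces the 2012 R2 bullet with an extra blank line before "> [!IMPORTANT]".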
From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:09:36 +0530 Subject: [PATCH 128/237] Update deploy-applications.md --- memdocs/configmgr/apps/deploy-use/deploy-applications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/configmgr/apps/deploy-use/deploy-applications.md b/memdocs/configmgr/apps/deploy-use/deploy-applications.md index aebaecfdae4..da767025b7a 100644 --- a/memdocs/configmgr/apps/deploy-use/deploy-applications.md +++ b/memdocs/configmgr/apps/deploy-use/deploy-applications.md @@ -2,7 +2,7 @@ title: Deploy applications titleSuffix: Configuration Manager description: Create or simulate a deployment of an application to a device or user collection -ms.date: 08/02/2021 +ms.date: 12/16/2024 ms.subservice: app-mgt ms.service: configuration-manager ms.topic: how-to From 57d4e01aa9cb90d6f5334031d9942e8d9365635a Mon Sep 17 00:00:00 2001 From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:10:42 +0530 Subject: [PATCH 129/237] Update how-to-prepare-Win10.md --- memdocs/configmgr/comanage/how-to-prepare-Win10.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/memdocs/configmgr/comanage/how-to-prepare-Win10.md b/memdocs/configmgr/comanage/how-to-prepare-Win10.md index e04036e018d..2c2a7357d75 100644 --- a/memdocs/configmgr/comanage/how-to-prepare-Win10.md +++ b/memdocs/configmgr/comanage/how-to-prepare-Win10.md @@ -2,10 +2,10 @@ title: Co-manage internet-based devices titleSuffix: Configuration Manager description: Learn how to prepare your Windows internet-based devices for co-management. -author: gowdhamankarthikeyan -ms.author: gokarthi +author: baladelli +ms.author: Baladell manager: apoorvseth -ms.date: 05/19/2022 +ms.date: 12/16/2024 ms.topic: how-to ms.subservice: co-management ms.service: configuration-manager From b628d5e123db15206bfb970cc3fc44ccbef0864f Mon Sep 17 00:00:00 2001 
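Review bot: The front-matter edits in this run of metadata patches spell the new owner inconsistently: product-and-licensing-faq.yml sets "author: Baladelli" with "ms.author: baladell", use-the-setup-wizard-to-install-sites.md uses "Baladelli" with "Baladell", and how-to-prepare-Win10.md uses "baladelli" with "Baladell". Pick one casing for the author handle and one for the ms.author alias and apply it to every file. The neighbouring patches to use-device-guard-with-configuration-manager.md, configure-client-cache.md, cmg/overview.md, create-deploy-scripts.md and deploy-applications.md change only ms.date to 12/16/2024 with no body edit, so the commit messages should say what was reviewed.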
From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:11:47 +0530 Subject: [PATCH 130/237] Update device-sync-actions.md --- memdocs/configmgr/tenant-attach/device-sync-actions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/memdocs/configmgr/tenant-attach/device-sync-actions.md b/memdocs/configmgr/tenant-attach/device-sync-actions.md index 753eab26eaf..72c51cb4830 100644 --- a/memdocs/configmgr/tenant-attach/device-sync-actions.md +++ b/memdocs/configmgr/tenant-attach/device-sync-actions.md @@ -2,13 +2,13 @@ title: Enable Microsoft Intune tenant attach titleSuffix: Configuration Manager description: Upload your Configuration Manager devices to the cloud service and take actions from the admin center. -ms.date: 08/12/2022 +ms.date: 12/16/2024 ms.topic: conceptual ms.subservice: core-infra ms.service: configuration-manager manager: apoorvseth -author: gowdhamankarthikeyan -ms.author: gokarthi +author: Baladelli +ms.author: Baladell ms.localizationpriority: high ms.collection: tier3 --- From e9cf652b7f46924120eeba4ff1f8f2d602d316d5 Mon Sep 17 00:00:00 2001 From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Mon, 16 Dec 2024 23:19:37 +0530 Subject: [PATCH 131/237] Update defender-advanced-threat-protection.md --- .../protect/deploy-use/defender-advanced-threat-protection.md | 1 + 1 file changed, 1 insertion(+) diff --git a/memdocs/configmgr/protect/deploy-use/defender-advanced-threat-protection.md b/memdocs/configmgr/protect/deploy-use/defender-advanced-threat-protection.md index ea3e53d862b..d33e3a47445 100644 --- a/memdocs/configmgr/protect/deploy-use/defender-advanced-threat-protection.md +++ b/memdocs/configmgr/protect/deploy-use/defender-advanced-threat-protection.md 
@@ -63,6 +63,7 @@ Up-level operating systems include: - Windows Server Semi-Annual Channel (SAC), version 1803 or later - Windows Server 2019 - Windows Server 2022 +- Windows Server 2025 Down-level operating systems that support MDE Client include: - Windows Server 2016 From 0a88d33cac68fdd33a2f06bc89b5cf3cef113d85 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Tue, 17 Dec 2024 09:36:27 -0800 Subject: [PATCH 132/237] Update collect-diagnostics.md fixing a link --- memdocs/intune/remote-actions/collect-diagnostics.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/remote-actions/collect-diagnostics.md b/memdocs/intune/remote-actions/collect-diagnostics.md index 8ee708d6890..118525c200d 100644 --- a/memdocs/intune/remote-actions/collect-diagnostics.md +++ b/memdocs/intune/remote-actions/collect-diagnostics.md @@ -63,7 +63,7 @@ Requirements to collect diagnostics from an M365 application: 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 2. Navigate to **Tenant administration** > **Device diagnostics** > Make sure the 3rd setting is enabled. -3. Create and deploy an Intune App Protection policy to a user, more information [here](https://learn.microsoft.com/mem/intune/apps/app-protection-policies). +3. Create and deploy an Intune App Protection policy to a user, more information [here](../apps/app-protection-policies.md). 4. Confirm the application has been managed by Intune App Protection policy. This can be checked locally on the device and/or loading the user into the Intune Troubleshooting Pane and opening the App Protection summary page. To use the *Collect diagnostics* action: From 06f9e6229e8e1f2ca020387d5d6a4e736e06c686 Mon Sep 17 00:00:00 2001 
From: Maggie Dakeva Date: Tue, 17 Dec 2024 15:28:59 -0500 Subject: [PATCH 133/237] Learn Editor: Update known-issues.md --- autopilot/device-preparation/known-issues.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/autopilot/device-preparation/known-issues.md b/autopilot/device-preparation/known-issues.md index 21fe518cd4d..01d74e34448 100644 --- a/autopilot/device-preparation/known-issues.md +++ b/autopilot/device-preparation/known-issues.md @@ -40,7 +40,15 @@ This article describes known issues that can often be resolved with: ## Known issues -## Deployments fail when Managed installer policy is enabled for the tenant +## Apps and scripts tabs do not display properly when editing the Device preparation profile + +Date added: *December 18, 2024* + +There's a known issue in displaying the **Applications** and **Scripts** tabs in the editing flow of the Windows Autopilot device preparation policy due to which the tabs might display incorrect information (e.g. show list of applications instead of scripts under the **Scripts** tab). The issue is impacting only the view in Intune and not the configuration being applied to the device. It is being investigated. + +As a workaround, select the table header (**Allowed Applications** or **Allowed Scripts**) to reload the table's contents. + +## Win32 and WinGet applications are skipped when Managed installer policy is enabled for the tenant Date added: *October 10, 2024*
    Date updated: *November 15, 2024* From a0940bf51f2602e2f1a294cc76d7cbda5bd2ad99 Mon Sep 17 00:00:00 2001 From: Oluchi Date: Tue, 17 Dec 2024 12:38:12 -0800 Subject: [PATCH 134/237] Update microsoft-tunnel-upgrade.md --- memdocs/intune/protect/microsoft-tunnel-upgrade.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/memdocs/intune/protect/microsoft-tunnel-upgrade.md b/memdocs/intune/protect/microsoft-tunnel-upgrade.md index 5a4851493af..aeaebe8b653 100644 --- a/memdocs/intune/protect/microsoft-tunnel-upgrade.md +++ b/memdocs/intune/protect/microsoft-tunnel-upgrade.md @@ -133,14 +133,15 @@ The Microsoft Tunnel version for a server isn’t available in the Intune UI at Image hash values: -- **agentImageDigest**: sha256:bf93470b1a4b74b5d4aa8144c09f05fa59a9647d1aeefcdffef29697a172aa6a +- **agentImageDigest**: sha256:110b111d7f3fee3d13ac29da62560800c26d2a05bdc337c965b0ce1f2ec2756c -- **serverImageDigest**: sha256:9886240ee473583753daf10929921f7c7c54bbf6f68095395aa2089688090fb3 +- **serverImageDigest**: sha256:3a5844f4e7156c966a2d0f5affd8b15ac3b441bd301a5a0b7c9b7db2ae6f5ed3 Changes in this release: --Diagnostic tool improvements --Bug fixes for rootless container mode in mst-cli --Localization improvements in mstunnel-setup +- Diagnostic tool improvements +- Bug fixes for rootless container mode in mst-cli +- Localization improvements in mstunnel-setup +- Improvement on error handling ### October 2, 2024 From a46ccd6b015430a143abf9fbed8470c5b5078e8b Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 17 Dec 2024 16:07:53 -0500 Subject: [PATCH 135/237] Grammar and date updates Grammar and style updates along with updating the doc date. --- autopilot/device-preparation/known-issues.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/autopilot/device-preparation/known-issues.md b/autopilot/device-preparation/known-issues.md index 01d74e34448..a67769d59fa 100644 
--- a/autopilot/device-preparation/known-issues.md +++ b/autopilot/device-preparation/known-issues.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 11/15/2024 +ms.date: 12/18/2024 ms.collection: - M365-modern-desktop - highpri @@ -40,13 +40,13 @@ This article describes known issues that can often be resolved with: ## Known issues -## Apps and scripts tabs do not display properly when editing the Device preparation profile +## Apps and scripts tabs don't display properly when editing the Device preparation profile Date added: *December 18, 2024* -There's a known issue in displaying the **Applications** and **Scripts** tabs in the editing flow of the Windows Autopilot device preparation policy due to which the tabs might display incorrect information (e.g. show list of applications instead of scripts under the **Scripts** tab). The issue is impacting only the view in Intune and not the configuration being applied to the device. It is being investigated. +During the editing flow of the Windows Autopilot device preparation policy, there's a known issue when displaying the **Applications** and **Scripts** tabs where the tabs might display incorrect information. For example, under the **Scripts** tab, a list of applications might be shown instead of a list of scripts. The issue is impacting only the view in Microsoft Intune and not the configuration being applied to the device. The issue is being investigated. -As a workaround, select the table header (**Allowed Applications** or **Allowed Scripts**) to reload the table's contents. +As a workaround, select the table header **Allowed Applications** or **Allowed Scripts** to reload the table's contents. ## Win32 and WinGet applications are skipped when Managed installer policy is enabled for the tenant From 16c40af4628f6bb081520204847625dbe39476c3 Mon Sep 17 00:00:00 2001 
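Review bot: In microsoft-tunnel-upgrade.md the agentImageDigest and serverImageDigest values are replaced in place, and the release heading they belong to lies above the visible hunk context. Confirm that the heading date for this entry was updated together with the hashes, since the hunk's context line says the Tunnel version for a server isn't available in the Intune UI and readers depend on these values to identify a release. In the change list, "Improvement on error handling" would match the other three bullets better as "Error handling improvements".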
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Tue, 17 Dec 2024 16:13:58 -0500 Subject: [PATCH 136/237] Update title Update title --- autopilot/device-preparation/known-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autopilot/device-preparation/known-issues.md b/autopilot/device-preparation/known-issues.md index a67769d59fa..8ea00ede73d 100644 --- a/autopilot/device-preparation/known-issues.md +++ b/autopilot/device-preparation/known-issues.md @@ -40,7 +40,7 @@ This article describes known issues that can often be resolved with: ## Known issues -## Apps and scripts tabs don't display properly when editing the Device preparation profile +## Apps and scripts tabs don't display properly when editing the Windows Autopilot device preparation profile Date added: *December 18, 2024* From 874f565103c43839add83f2de99599534017e0f4 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Wed, 18 Dec 2024 16:06:53 -0800 Subject: [PATCH 137/237] Updated endpoints --- memdocs/intune/fundamentals/intune-endpoints.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index 3c536ca9988..d3e75fad938 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md +++ b/memdocs/intune/fundamentals/intune-endpoints.md @@ -8,7 +8,7 @@ keywords: author: Smritib17 ms.author: smbhardwaj manager: dougeby -ms.date: 09/24/2024 +ms.date: 12/18/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: fundamentals @@ -19,7 +19,7 @@ ms.localizationpriority: high #ROBOTS: #audience: -ms.reviewer: srink +ms.reviewer: davidra ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: 
@@ -97,7 +97,7 @@ The data columns shown in the tables are: ID |Desc |Category |ER |Addresses |Ports -- |---------------------------------------------------------------- |---------------------|--- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------| -163 | Intune client and host service| Allow
    Required | False | `*.manage.microsoft.com`
    `manage.microsoft.com`
    `EnterpriseEnrollment.manage.microsoft.com`
    `104.46.162.96/27, 13.67.13.176/28, 13.67.15.128/27, 13.69.231.128/28, 13.69.67.224/28, 13.70.78.128/28, 13.70.79.128/27, 13.71.199.64/28, 13.73.244.48/28, 13.74.111.192/27, 13.77.53.176/28, 13.86.221.176/28,13.89.174.240/28, 13.89.175.192/28, 20.189.229.0/25, 20.191.167.0/25, 20.37.153.0/24, 20.37.192.128/25, 20.38.81.0/24, 20.41.1.0/24, 20.42.1.0/24, 20.42.130.0/24, 20.42.224.128/25, 20.43.129.0/24, 20.44.19.224/27, 20.49.93.160/27, 40.119.8.128/25, 40.67.121.224/27, 40.70.151.32/28, 40.71.14.96/28, 40.74.25.0/24, 40.78.245.240/28, 40.78.247.128/27, 40.79.197.64/27, 40.79.197.96/28, 40.80.180.208/28, 40.80.180.224/27, 40.80.184.128/25, 40.82.248.224/28, 40.82.249.128/25, 52.150.137.0/25, 52.162.111.96/28, 52.168.116.128/27, 52.182.141.192/27, 52.236.189.96/27, 52.240.244.160/27, 20.204.193.12/30, 20.204.193.10/31, 20.192.174.216/29, 20.192.159.40/29` | **TCP:** 80, 443| +163 | Intune client and host service| Allow
    Required | False | `*.manage.microsoft.com`
    `manage.microsoft.com`
    `EnterpriseEnrollment.manage.microsoft.com`
    `104.46.162.96/27, 13.67.13.176/28, 13.67.15.128/27, 13.69.231.128/28, 13.69.67.224/28, 13.70.78.128/28, 13.70.79.128/27, 13.74.111.192/27, 13.77.53.176/28, 13.86.221.176/28,13.89.174.240/28, 13.89.175.192/28, 20.189.229.0/25, 20.191.167.0/25, 20.37.153.0/24, 20.37.192.128/25, 20.38.81.0/24, 20.41.1.0/24, 20.42.1.0/24, 20.42.130.0/24, 20.42.224.128/25, 20.43.129.0/24, 20.44.19.224/27, 40.119.8.128/25, 40.67.121.224/27, 40.70.151.32/28, 40.71.14.96/28, 40.74.25.0/24, 40.78.245.240/28, 40.78.247.128/27, 40.79.197.64/27, 40.79.197.96/28, 40.80.180.208/28, 40.80.180.224/27, 40.80.184.128/25, 40.82.248.224/28, 40.82.249.128/25, 52.150.137.0/25, 52.162.111.96/28, 52.168.116.128/27, 52.182.141.192/27, 52.236.189.96/27, 52.240.244.160/27, 20.204.193.12/30, 20.204.193.10/31, 20.192.174.216/29, 20.192.159.40/29, 104.208.197.64/27, 172.160.217.160/27, 172.201.237.160/27, 172.202.86.192/27, 172.205.63.0/25, 172.212.214.0/25, 172.215.131.0/27, 20.168.189.128/27, 20.199.207.192/28, 20.204.194.128/31, 20.208.149.192/27, 20.208.157.128/27, 20.214.131.176/29, 20.43.129.0/24, 20.91.147.72/29, 4.145.74.224/27, 4.150.254.64/27, 4.154.145.224/27, 4.200.254.32/27, 4.207.244.0/27, 4.213.25.64/27, 4.213.86.128/25, 4.216.205.32/27, 4.237.143.128/25, 40.84.70.128/25, 48.218.252.128/25, 57.151.0.192/27, 57.153.235.0/25, 57.154.140.128/25, 57.154.195.0/25, 57.155.45.128/25, 68.218.134.96/27, 74.224.214.64/27, 74.242.35.0/25, 172.208.170.0/25, 74.241.231.0/25, 74.242.184.128/25` | **TCP:** 80, 443| 172 | MDM Delivery Optimization | Default
    Required | False | `*.do.dsp.mp.microsoft.com`
    `*.dl.delivery.mp.microsoft.com`
    | **TCP:** 80, 443| 170 | MEM - Win32Apps| Default
    Required | False | `swda01-mscdn.manage.microsoft.com`
    `swda02-mscdn.manage.microsoft.com`
    `swdb01-mscdn.manage.microsoft.com`
    `swdb02-mscdn.manage.microsoft.com`
    `swdc01-mscdn.manage.microsoft.com`
    `swdc02-mscdn.manage.microsoft.com`
    `swdd01-mscdn.manage.microsoft.com`
    `swdd02-mscdn.manage.microsoft.com`
    `swdin01-mscdn.manage.microsoft.com`
    `swdin02-mscdn.manage.microsoft.com` | **TCP:** 443| 97 | Consumer Outlook.com, OneDrive, Device authentication and Microsoft account | Default
    Required | False | `account.live.com`
    `login.live.com`
    |**TCP:** 443 | From 55292de117ec7e4112427b6ecb9bc1c2c532ce90 Mon Sep 17 00:00:00 2001 From: "Arnab Biswas [MSFT]" Date: Wed, 18 Dec 2024 22:47:35 -0500 Subject: [PATCH 138/237] Update platform-sso-macos.md --- memdocs/intune/configuration/platform-sso-macos.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/memdocs/intune/configuration/platform-sso-macos.md b/memdocs/intune/configuration/platform-sso-macos.md index 0ded4892380..83d0e056c6a 100644 --- a/memdocs/intune/configuration/platform-sso-macos.md +++ b/memdocs/intune/configuration/platform-sso-macos.md @@ -249,6 +249,9 @@ To configure the Platform SSO policy, use the following steps to create an [Intu 11. In **Assignments**, select the user or device groups that receive your profile. For devices with user affinity, assign to users or user groups. For devices with multiple users that are enrolled without user affinity, assign to devices or device groups. + > [!IMPORTANT] + > For devices with user affinity, assignments using device groups or filters are not supported for Platform SSO settings. When using device group assignment or user group assignment with filters on devices with user affinity, the user may be unable to access resources protected by Conditional Access as a result of Platform SSO settings being applied incorrectly or Entra device registration being bypassed by the Company Portal app when Platform SSO is not enabled. + For more information on assigning profiles, go to [Assign user and device profiles](device-profile-assign.md). Select **Next**. From ed632a8ba9ac01ef36437a191de24629ed6003d2 Mon Sep 17 00:00:00 2001 From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Thu, 19 Dec 2024 19:05:40 +0530 Subject: [PATCH 139/237] Update supported-operating-systems-for-site-system-servers.md --- ...erating-systems-for-site-system-servers.md | 33 +++++++++++++++++-- 1 file changed, 30 insertions(+), 3 deletions(-) 
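Review bot: In the intune-endpoints.md row for ID 163 (PATCH 137), the new address list silently drops `13.71.199.64/28`, `13.73.244.48/28` and `20.49.93.160/27`, and it lists `20.43.129.0/24` twice (once in its original position and again among the appended ranges). The row is categorized Allow / Required, so a removal matters as much as an addition to anyone maintaining an allowlist from it; please confirm the three removals are intended and name them in the commit message, which currently says only "Updated endpoints", and delete the duplicate. The missing space in `13.86.221.176/28,13.89.174.240/28` is carried over from the old line and could be fixed in the same change.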
diff --git a/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-for-site-system-servers.md b/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-for-site-system-servers.md index f402f899d16..e0c262dd03b 100644 --- a/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-for-site-system-servers.md +++ b/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-for-site-system-servers.md @@ -2,12 +2,12 @@ title: Supported site system servers titleSuffix: Configuration Manager description: Learn which Windows versions you can use to host a Configuration Manager site or site system role. -ms.date: 12/01/2023 +ms.date: 12/19/2024 ms.subservice: core-infra ms.service: configuration-manager ms.topic: conceptual -author: Banreet -ms.author: banreetkaur +author: Baladelli +ms.author: baladell manager: apoorvseth ms.localizationpriority: medium ms.collection: tier3 @@ -20,6 +20,32 @@ ms.reviewer: mstewart,aaroncz This article details the Windows versions that you can use to host a Configuration Manager site or site system role. +## Windows Server 2025 + +_Applies to Datacenter: Azure Edition, Standard and Datacenter editions_ + +Site servers: + +- Central administration site +- Primary site +- Secondary site + +Site system servers: + +- Certificate registration point +- Cloud management gateway connection point +- Data warehouse service point +- Distribution point [Note 1](#bkmk_note1) +- Endpoint Protection point +- Fallback status point +- Management point +- Reporting services point +- Service connection point +- Site database server [Note 2](#bkmk_note2) +- SMS Provider +- Software update point +- State migration point + ## Windows Server 2022 _Applies to Datacenter: Azure Edition, Standard and Datacenter editions_ 
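Review bot: The new "## Windows Server 2025" section in supported-operating-systems-for-site-system-servers.md (PATCH 139, hunk @@ -20,6 +20,32 @@) states no minimum Configuration Manager version, while the companion patches in this series qualify Windows Server 2025 with "starting in Configuration Manager version 2409" (clients) and "starting in version 2409" (console). Please add the same qualifier here so the three support articles agree. The role list also reuses the [Note 1](#bkmk_note1) and [Note 2](#bkmk_note2) links on the distribution point and site database server entries; check that the text of those notes applies to Windows Server 2025 as well.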
@@ -145,6 +171,7 @@ This support has the following limitation: The server core installation of the following server OS versions is supported for use as a **distribution point**: +- Windows Server 2025 - Windows Server 2022 - Windows Server 2019 - Windows Server, version 1809 From 502e21d40d4c8b7a607a84e10f59b76713300ad3 Mon Sep 17 00:00:00 2001 From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Thu, 19 Dec 2024 19:08:01 +0530 Subject: [PATCH 140/237] Update supported-operating-systems-for-clients-and-devices.md --- ...supported-operating-systems-for-clients-and-devices.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-for-clients-and-devices.md b/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-for-clients-and-devices.md index b70a466efa5..2de4131414e 100644 --- a/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-for-clients-and-devices.md +++ b/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-for-clients-and-devices.md @@ -2,7 +2,7 @@ title: Supported clients and devices titleSuffix: Configuration Manager description: Learn which OS versions Configuration Manager supports for clients and devices. -ms.date: 05/01/2024 +ms.date: 12/19/2024 ms.subservice: core-infra ms.service: configuration-manager ms.topic: conceptual @@ -18,7 +18,7 @@ ms.reviewer: mstewart,aaroncz *Applies to: Configuration Manager (current branch)* -Configuration Manager supports installing client software on Windows and macOS computers. +Configuration Manager supports installing client software on Windows computers. ## General requirements and limitations 
@@ -66,6 +66,8 @@ For more information, see the following articles: ### Supported server OS versions +- **Windows Server 2025**: IoT, Standard, Datacenter (_starting in Configuration Manager version 2409_) + - **Windows Server 2022**: IoT, Standard, Datacenter (_starting in Configuration Manager version 2107_) - *Windows Server IoT 2022 for Storage* is not supported @@ -90,6 +92,8 @@ The following versions specifically refer to the Server Core installation of the Windows Server semi-annual channel versions are Server Core installations, such as Windows Server, version 1809. As a Configuration Manager client, they're supported the same as the associated Windows 11 or Windows 10 semi-annual channel version. For more information, see [Support for Windows 11](support-for-windows-11.md) or [Support for Windows 10](support-for-windows-10.md). +- **Windows Server 2025** (x64) [Note 1](#bkmk_note1) (_starting in version 2409_) + - **Windows Server 2022** (x64) [Note 1](#bkmk_note1) (_starting in version 2107_) - **Windows Server 2019** (x64) [Note 1](#bkmk_note1) From 63233322d23c6500f3544755b566893e60120eeb Mon Sep 17 00:00:00 2001 From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Thu, 19 Dec 2024 19:10:23 +0530 Subject: [PATCH 141/237] Update supported-operating-systems-consoles.md --- .../configs/supported-operating-systems-consoles.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-consoles.md b/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-consoles.md index b333c28011f..7dc36ab984a 100644 --- a/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-consoles.md +++ b/memdocs/configmgr/core/plan-design/configs/supported-operating-systems-consoles.md 
@@ -2,12 +2,12 @@ title: Console support titleSuffix: Configuration Manager description: Learn about which OS versions you can install the Configuration Manager console. -ms.date: 12/01/2023 +ms.date: 12/19/2024 ms.subservice: core-infra ms.service: configuration-manager ms.topic: reference -author: Banreet -ms.author: banreetkaur +author: Baladelli +ms.author: Baladell manager: apoorvseth ms.localizationpriority: medium ms.collection: tier3 @@ -20,6 +20,8 @@ ms.reviewer: mstewart,aaroncz Configuration Manager supports the installation of the console on the following Windows OS versions: +- **Windows Server 2025**: Standard, Datacenter (_starting in version 2409_) + - **Windows Server 2022**: Standard, Datacenter (_starting in version 2107_) - **Windows Server 2019**: Standard, Datacenter From 58b117310d494ff3c57d7ffb63b9468167f88aa5 Mon Sep 17 00:00:00 2001 From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Thu, 19 Dec 2024 19:14:29 +0530 Subject: [PATCH 142/237] Update upgrade-on-premises-infrastructure.md --- .../servers/manage/upgrade-on-premises-infrastructure.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/memdocs/configmgr/core/servers/manage/upgrade-on-premises-infrastructure.md b/memdocs/configmgr/core/servers/manage/upgrade-on-premises-infrastructure.md index 7fe4cd60d91..23b5a7f973d 100644 --- a/memdocs/configmgr/core/servers/manage/upgrade-on-premises-infrastructure.md +++ b/memdocs/configmgr/core/servers/manage/upgrade-on-premises-infrastructure.md @@ -2,7 +2,7 @@ title: Upgrade on-premises infrastructure titleSuffix: Configuration Manager description: Learn how to upgrade infrastructure, such as SQL Server and the OS of site systems. -ms.date: 04/04/2024 +ms.date: 12/19/2024 ms.subservice: core-infra ms.service: configuration-manager ms.topic: conceptual 
@@ -32,6 +32,8 @@ Configuration Manager supports the in-place upgrade of the server OS that hosts - In-place upgrade from: + - Windows Server 2022 to Windows Server 2025 + - Windows Server 2019 to Windows Server 2022 - Windows Server 2016 to Windows Server 2022 @@ -50,10 +52,12 @@ To upgrade a server, use the upgrade procedures provided by the OS you're upgrad - [Upgrade and conversion options for Windows Server 2016](/windows-server/get-started/supported-upgrade-paths) -### Upgrade to Windows Server 2016, 2019, or 2022 +### Upgrade to Windows Server 2016, 2019, 2022 or 2025 Use the steps in this section for any of the following upgrade scenarios: +- Upgrade either Windows Server 2019 or Windows Server 2022 to Windows Server 2025 + - Upgrade either Windows Server 2016 or Windows Server 2019 to Windows Server 2022 - Upgrade either Windows Server 2012 R2 or Windows Server 2016 to Windows Server 2019 From ec802bba258791c24bd9085ff562b768275115b4 Mon Sep 17 00:00:00 2001 From: BalaDelli <82196006+BalaDelli@users.noreply.github.com> Date: Thu, 19 Dec 2024 19:19:10 +0530 Subject: [PATCH 143/237] Update upgrade-windows-to-the-latest-version.md --- .../osd/deploy-use/upgrade-windows-to-the-latest-version.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/memdocs/configmgr/osd/deploy-use/upgrade-windows-to-the-latest-version.md b/memdocs/configmgr/osd/deploy-use/upgrade-windows-to-the-latest-version.md index efa9d535a43..eba9339f946 100644 --- a/memdocs/configmgr/osd/deploy-use/upgrade-windows-to-the-latest-version.md +++ b/memdocs/configmgr/osd/deploy-use/upgrade-windows-to-the-latest-version.md @@ -2,7 +2,7 @@ title: Windows in-place upgrade titleSuffix: Configuration Manager description: Learn how to use Configuration Manager to upgrade Windows to a later version. -ms.date: 06/14/2024 +ms.date: 12/19/2024 ms.service: configuration-manager ms.subservice: osd ms.topic: conceptual 
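Review bot: In upgrade-on-premises-infrastructure.md (PATCH 142), the two added list items disagree: the "In-place upgrade from:" list gains only "Windows Server 2022 to Windows Server 2025", while the scenario list under the renamed heading gains "Upgrade either Windows Server 2019 or Windows Server 2022 to Windows Server 2025". Either add "Windows Server 2019 to Windows Server 2025" to the first list or drop 2019 from the second. The new heading "Upgrade to Windows Server 2016, 2019, 2022 or 2025" also loses the serial comma the old heading had.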
@@ -44,6 +44,7 @@ Only create OS upgrade packages to upgrade to the following OS versions: - Windows Server 2016 - Windows Server 2019 - Windows Server 2022 +- - Windows Server 2025 ### Original version @@ -67,6 +68,7 @@ For more information, see [Windows client upgrade paths](/windows/deployment/upg - An earlier version of Windows Server 2016 - An earlier version of Windows Server 2019 - An earlier version of Windows Server 2022 +- An earlier version of Windows Server 2025 For more information about Windows Server supported upgrade paths, see [Windows Server 2016 supported upgrade paths](/windows-server/get-started/supported-upgrade-paths#upgrading-previous-retail-versions-of-windows-server-to-windows-server-2016) and [Windows Server Upgrade Center](/windows-server/upgrade/upgrade-overview). From f919ca45c83777b7e8ec50e49071b564f3dcc3e0 Mon Sep 17 00:00:00 2001 From: Saurabh Koshta Date: Thu, 19 Dec 2024 10:45:31 -0600 Subject: [PATCH 144/237] Update administrative-templates-windows.md As per: https://portal.microsofticm.com/imp/v5/incidents/details/576826266/summary --- .../intune/configuration/administrative-templates-windows.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/memdocs/intune/configuration/administrative-templates-windows.md b/memdocs/intune/configuration/administrative-templates-windows.md index aae70458f92..4e1d690e371 100644 --- a/memdocs/intune/configuration/administrative-templates-windows.md +++ b/memdocs/intune/configuration/administrative-templates-windows.md 
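Review bot: In upgrade-windows-to-the-latest-version.md (PATCH 143, hunk @@ -44,6 +44,7 @@), the added line reads `- - Windows Server 2025`, with a doubled list marker, so it will not render as a sibling of "- Windows Server 2022" above it. It should be `- Windows Server 2025`, matching the "- An earlier version of Windows Server 2025" line added correctly in the second hunk.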
@@ -34,6 +34,9 @@ ms.collection: > [!IMPORTANT] > Starting with the December 2412 release, you can't create new Administrative Templates policies from the **Templates** > **Administrative Templates** profile type in the Intune admin center. To create ADMX template profiles, use the **[settings catalog](settings-catalog.md)**. For more information on this change, see [Windows device configuration policies migrating to unified settings platform in Intune](https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-windows-device-configuration-policies-migrating-to/ba-p/4189665). +> +> There will be no changes to the following UI experiences: +> - ‘Imported Administrative templates (Preview)’ template which is used for Custom ADMX templates. **Administrative Templates** in Microsoft Intune include thousands of settings that control features in Microsoft Edge version 77 and later, Internet Explorer, Google Chrome, Microsoft Office programs, remote desktop, OneDrive, passwords, PINs, and more. These settings enable administrators to create group policies using the cloud. From 8dc6b59007f1aeae8712bfdf8e31fa9c3ef70b4e Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Thu, 19 Dec 2024 10:11:37 -0800 Subject: [PATCH 145/237] updated china and US govt endpoints --- memdocs/intune/fundamentals/china-endpoints.md | 8 +++++--- .../fundamentals/intune-us-government-endpoints.md | 11 +++++++---- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/memdocs/intune/fundamentals/china-endpoints.md b/memdocs/intune/fundamentals/china-endpoints.md index 159daec34e6..a3fedfc450b 100644 --- a/memdocs/intune/fundamentals/china-endpoints.md +++ b/memdocs/intune/fundamentals/china-endpoints.md @@ -8,7 +8,7 @@ keywords: author: Smritib17 ms.author: smbhardwaj manager: dougeby -ms.date: 03/24/2023 +ms.date: 12/19/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: fundamentals 
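Review bot: In administrative-templates-windows.md (PATCH 144), the added lines announce "the following UI experiences" (plural) and then list a single item, and that item wraps the template name in typographic quotes (‘…’) where the same note uses bold for UI names (**Templates**, **Administrative Templates**). A single sentence would read better, for example: There are no changes to the **Imported Administrative templates (Preview)** template, which is used for custom ADMX templates. The commit message gives only an incident-tracker URL as its rationale; a one-line description of the reason would make the history self-explanatory.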
@@ -49,10 +49,10 @@ The following tables list the ports and services that the Intune client accesses |**Endpoint**|**IP address**| |---------------------|-----------| -|*.manage.microsoftonline.cn | 40.73.38.143
    139.217.97.81
    52.130.80.24
    40.73.41.162
    40.73.58.153
    139.217.95.85 | - +|*.manage.microsoftonline.cn | 40.73.38.143
    139.217.97.81
    52.130.80.24
    40.73.41.162
    40.73.58.153
    139.217.95.85
    143.64.196.128/25
    40.162.2.128/25
    139.219.250.128/25
    163.228.221.128/25
    | ## Intune customer designated endpoints in China + - Azure portal: https:\//portal.azure.cn/ - Microsoft 365: https:\//portal.partner.microsoftonline.cn/ - Intune Company Portal: https:\//portal.manage.microsoftonline.cn/ @@ -69,6 +69,7 @@ If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also n ## Partner service endpoints Intune operated by 21Vianet depends on the following partner service endpoints: + - Azure AD Sync service: https:\//syncservice.partner.microsoftonline.cn/DirectoryService.svc - Evo STS: https:\//login.chinacloudapi.cn/ - Azure AD Graph: https:\//graph.chinacloudapi.us @@ -80,5 +81,6 @@ Intune operated by 21Vianet depends on the following partner service endpoints: [!INCLUDE [Intune notices](../includes/apple-device-network-information.md)] ## Next steps + [Learn more about Intune operated by 21Vianet in China](china.md) diff --git a/memdocs/intune/fundamentals/intune-us-government-endpoints.md b/memdocs/intune/fundamentals/intune-us-government-endpoints.md index a98b4d7793d..b1e9dc224fa 100644 --- a/memdocs/intune/fundamentals/intune-us-government-endpoints.md +++ b/memdocs/intune/fundamentals/intune-us-government-endpoints.md @@ -8,7 +8,7 @@ keywords: author: Smritib17 ms.author: smbhardwaj manager: dougeby -ms.date: 10/04/2021 +ms.date: 12/19/2024 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals @@ -52,14 +52,16 @@ The following tables list the ports and services that the Intune client accesses | Endpoint | IP address | |---------------------|-----------| -|*.manage.microsoft.us | 52.227.99.114
    20.141.108.112
    13.72.17.166
    52.126.185.115
    52.227.211.91
    23.97.10.212
    52.227.29.124
    52.247.174.16
    52.227.29.244
    52.227.208.144
    52.227.1.233
    20.141.104.221
    52.247.134.218
    20.141.78.227
    13.77.236.201 | +|*.manage.microsoft.us | 52.227.99.114
    20.141.108.112
    13.72.17.166
    52.126.185.115
    52.227.211.91
    23.97.10.212
    52.227.29.124
    52.247.174.16
    52.227.29.244
    52.227.208.144
    52.227.1.233
    20.141.104.221
    52.247.134.218
    20.141.78.227
    13.77.236.201
    62.10.86.128/25
    62.10.87.128/25
    20.159.110.0/25
    20.159.111.0/25
    | | enterpriseregistration.microsoftonline.us | 13.72.188.239
    13.72.55.179 | -## US Government customer designated endpoints: +## US Government customer designated endpoints + - Azure portal: https:\//portal.azure.us/ - Microsoft 365: https:\//portal.office365.us/ - Intune Company Portal: https:\//portal.manage.microsoft.us/ - Microsoft Intune admin center: https:\//intune.microsoft.us/ + ## Network requirements for PowerShell scripts and Win32 apps If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also need to grant access to endpoints in which your tenant currently resides. @@ -68,8 +70,8 @@ If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also n | --- | --- |--- | |FXPASU01 | sovereignprodimedatapri
    sovereignprodimedatasec
    sovereignprodimedatahotfix | sovereignprodimedatapri.azureedge.net
    sovereignprodimedatasec.azureedge.net
    sovereignprodimedatahotfix.azureedge.net | +## Partner service endpoints that Intune depends on -## Partner service endpoints that Intune depends on: - Azure AD Sync service: https:\//syncservice.gov.us.microsoftonline.com/DirectoryService.svc - Evo STS: https:\//login.microsoftonline.us - Directory Proxy: https:\//directoryproxy.microsoftazure.us/DirectoryProxy.svc @@ -82,5 +84,6 @@ If you're using Intune to deploy PowerShell scripts or Win32 apps, you'll also n [!INCLUDE [Intune notices](../includes/apple-device-network-information.md)] ## Next steps + [Network endpoints for Microsoft Intune](intune-endpoints.md) From 6fffb863c2912a9dcd91d851f60834dee16e5379 Mon Sep 17 00:00:00 2001 From: Carlos Hernandez <46572053+CarHern@users.noreply.github.com> Date: Thu, 19 Dec 2024 17:19:56 -0500 Subject: [PATCH 146/237] Update WipeNotavailableforAccountDriven correcting docs as the only iOS/iPadOS enrollment that doesn't support Wipe action is Account Driven Apple User Enrollment https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-account-driven-user-enrollment --- memdocs/intune/remote-actions/devices-wipe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/remote-actions/devices-wipe.md b/memdocs/intune/remote-actions/devices-wipe.md index c0ddcf0f3ab..9329835184a 100644 --- a/memdocs/intune/remote-actions/devices-wipe.md +++ b/memdocs/intune/remote-actions/devices-wipe.md 
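Review bot: In china-endpoints.md and intune-us-government-endpoints.md (PATCH 145), the added entries are CIDR ranges (for example `143.64.196.128/25` and `62.10.86.128/25`) in a column headed "IP address" whose existing entries are all single addresses, and each extended cell now ends with a line break before the closing `|`, which leaves an empty last line in the cell. Please either rename the column or add a sentence saying the cell mixes host addresses and subnets, and drop the trailing break. The heading cleanups and blank-line insertions in the same patch are unrelated to the endpoint data and would be easier to review as a separate commit.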
@@ -43,7 +43,7 @@ The **Wipe** device action restores a device to its factory default settings. Th |**Wipe**| Checked | No | Wipes all MDM Policies. Keeps user accounts and data. Resets user settings back to default. Resets the operating system to its default state and settings.| > [!NOTE] -> The Wipe action is not available for iOS/iPadOS devices enrolled with User Enrollment. To create a User Enrollment profile: [Set up iOS/iPadOS and iPadOS User Enrollment](../enrollment/ios-user-enrollment.md) +> The Wipe action is not available for iOS/iPadOS devices enrolled using Account Driven Apple User Enrollment. To create an Account Driven Apple User Enrollment profile: [Set up iOS/iPadOS and iPadOS Account driven Apple User Enrollment]([../enrollment/ios-user-enrollment.md](https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-account-driven-user-enrollment)) > [!NOTE] > By design, Zebra has defined the Wipe action on any Android Zebra device to only remove corporate data from devices, and not perform a factory reset. From f09b6fb0d306dd725bacd325da640f64dbb847a1 Mon Sep 17 00:00:00 2001 From: Palika Singh <97435621+PalikaSingh@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:54:47 +0530 Subject: [PATCH 147/237] Update checklist-for-installing-update-2409.md updated the info for all sites to 2303 from 2409 --- .../core/servers/manage/checklist-for-installing-update-2409.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/configmgr/core/servers/manage/checklist-for-installing-update-2409.md b/memdocs/configmgr/core/servers/manage/checklist-for-installing-update-2409.md index f6954a91102..a1c6c5c520b 100644 --- a/memdocs/configmgr/core/servers/manage/checklist-for-installing-update-2409.md +++ b/memdocs/configmgr/core/servers/manage/checklist-for-installing-update-2409.md 
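Review bot: In devices-wipe.md (PATCH 146), the new link is malformed: its target is written as `([../enrollment/ios-user-enrollment.md](https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-account-driven-user-enrollment))`, a complete Markdown link nested inside the URL part of another link, so it will not resolve. Use a single target, preferably a relative path to that article in the same style as the `../enrollment/ios-user-enrollment.md` link being replaced, rather than an absolute URL that pins a locale. The link text "Set up iOS/iPadOS and iPadOS Account driven Apple User Enrollment" also repeats iPadOS and spells "Account driven" differently from "Account Driven" earlier in the same sentence.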
@@ -97,7 +97,7 @@ As of December 16 , 2024, version 2409 is globally available for all customers t ### All sites run a supported version of Configuration Manager -Each site server in the hierarchy must run the same version of Configuration Manager before you can start the installation. To update to version 2409, use version 2309 or later. +Each site server in the hierarchy must run the same version of Configuration Manager before you can start the installation. To update to version 2409, use version 2303 or later. ### Review the status of your product licensing From e319f7051759919c0ec7695cd9d3d09c4f530d73 Mon Sep 17 00:00:00 2001 From: Maggie Dakeva Date: Fri, 20 Dec 2024 09:50:59 -0500 Subject: [PATCH 148/237] Learn Editor: Update known-issues.md --- autopilot/device-preparation/known-issues.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/autopilot/device-preparation/known-issues.md b/autopilot/device-preparation/known-issues.md index 8ea00ede73d..ec05561ef30 100644 --- a/autopilot/device-preparation/known-issues.md +++ b/autopilot/device-preparation/known-issues.md @@ -40,6 +40,12 @@ This article describes known issues that can often be resolved with: ## Known issues +## **Export logs** button in the out-of-box experience (OOBE) does not show any success or failure indication. + +Date added: *January 6, 2025* + +When a failure occurs during the provisioning process, an **Export logs** option is displayed to the user. When selected, it saves the file to the first USB drive on the device without displaying the browse dialog. This is for security reasons. Currently, users will not see failure or success messages to indicate the logs were saved. This will be fixed in the future. + ## Apps and scripts tabs don't display properly when editing the Windows Autopilot device preparation profile Date added: *December 18, 2024* From 2cc9b5efe7fcb33e564f43549e27ce0a7f960263 Mon Sep 17 00:00:00 2001 
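Review bot: In checklist-for-installing-update-2409.md (PATCH 147), the diff and the commit message don't describe the same change: the hunk replaces "use version 2309 or later" with "use version 2303 or later", while the message says the value was updated "to 2303 from 2409". Since this sentence is the prerequisite readers check before starting the 2409 update, please confirm 2303 is the intended minimum and correct the message to say 2309 to 2303.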
From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Fri, 20 Dec 2024 09:36:02 -0800 Subject: [PATCH 149/237] Updated --- memdocs/intune/apps/company-portal-app.md | 4 ++-- memdocs/intune/fundamentals/whats-new.md | 8 ++++++++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/apps/company-portal-app.md b/memdocs/intune/apps/company-portal-app.md index 85c0d5c8b38..a48a34c6099 100644 --- a/memdocs/intune/apps/company-portal-app.md +++ b/memdocs/intune/apps/company-portal-app.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 06/07/2024 +ms.date: 12/20/2024 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps 
@@ -43,7 +43,7 @@ The Company Portal apps, Company Portal website, and Intune app on Android are w ## Customizing the user experience -By customizing the end-user experience, you will help to provide a familiar and helpful experience for your end users. To do this, sign in as an [Intune administrator](../fundamentals/users-add.md#types-of-administrators). Navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Tenant Administration** > **Customization** where you can either edit the default policy or create up to 10 user group targeted policies. Note that targeting policies to device groups is not supported. These settings will apply to the Company Portal apps, Company Portal website, and Intune app on Android. +By customizing the end-user experience, you will help to provide a familiar and helpful experience for your end users. To do this, sign in as an [Intune administrator](../fundamentals/users-add.md#types-of-administrators). Navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Tenant Administration** > **Customization** where you can either edit the default policy or create up to 25 user group targeted policies. Note that targeting policies to device groups is not supported. These settings will apply to the Company Portal apps, Company Portal website, and Intune app on Android. ## Branding diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index eabd98b796b..f3130de7777 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md 
@@ -78,6 +78,14 @@ You can use RSS to be notified when this page is updated. For more information, ## Week of December 16, 2024 (Service release 2412) +### App management + +#### Increased scale for Customization policies + +You can now create up to 25 policies that customize the Company Portal and Intune app experience. The previous maximum number of Customization policies was 10. Navigate to the Intune admin center, and select **Tenant administration** > **Customization**. + +For more information about customizing the Company Portal and Intune apps, see [Customizing the user experience](../apps/company-portal-app#customizing-the-user-experience). + ### Device security #### Support for tamper protection in policies for Security settings management for Microsoft Defender for Endpoint From 33c73a3c7e390fa151d5f49f19d196a3a9d96259 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Fri, 20 Dec 2024 09:39:47 -0800 Subject: [PATCH 150/237] Fixing link --- memdocs/intune/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index f3130de7777..749b9c8e999 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md 
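Review bot: PATCH 149 writes the same navigation path two ways: the edited sentence in company-portal-app.md keeps "**Tenant Administration** > **Customization**", while the new whats-new.md entry uses "**Tenant administration** > **Customization**". Please use the casing shown in the admin center in both files. The limit itself is consistent across the two files (25 policies, previously 10), so no change is needed there.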
@@ -84,7 +84,7 @@ You can use RSS to be notified when this page is updated. For more information, You can now create up to 25 policies that customize the Company Portal and Intune app experience. The previous maximum number of Customization policies was 10. Navigate to the Intune admin center, and select **Tenant administration** > **Customization**. -For more information about customizing the Company Portal and Intune apps, see [Customizing the user experience](../apps/company-portal-app#customizing-the-user-experience). +For more information about customizing the Company Portal and Intune apps, see [Customizing the user experience](../apps/company-portal-app#customizing-the-user-experience.md). ### Device security From 835ac00dcdb3405ff1abc0882cab27a43de7d2dc Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Fri, 20 Dec 2024 09:44:18 -0800 Subject: [PATCH 151/237] Fixing link --- memdocs/intune/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index 749b9c8e999..2abbe774027 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md @@ -84,7 +84,7 @@ You can use RSS to be notified when this page is updated. For more information, You can now create up to 25 policies that customize the Company Portal and Intune app experience. The previous maximum number of Customization policies was 10. Navigate to the Intune admin center, and select **Tenant administration** > **Customization**. -For more information about customizing the Company Portal and Intune apps, see [Customizing the user experience](../apps/company-portal-app#customizing-the-user-experience.md). +For more information about customizing the Company Portal and Intune apps, see [Customizing the user experience](../apps/company-portal-app.md#customizing-the-user-experience). ### Device security 
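Review bot: The link target on the final `+` line, `../apps/company-portal-app.md#customizing-the-user-experience`, is the correct form, but it took two commits with the identical subject "Fixing link" to get there, and the first of them left `.md` after the fragment (`company-portal-app#customizing-the-user-experience.md`). Squash the two so that no revision in history carries the broken link, and give the surviving commit a subject that names the file and the link being fixed. The unchanged context also spells the menu as **Tenant administration**, while company-portal-app.md in the same series uses **Tenant Administration**; pick one casing.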
From a22617ad46159c1b69d41f478f8c72ae870b871f Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Fri, 20 Dec 2024 15:40:50 -0800 Subject: [PATCH 152/237] updated endpoints --- memdocs/intune/fundamentals/intune-endpoints.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index d3e75fad938..be1a485d990 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md +++ b/memdocs/intune/fundamentals/intune-endpoints.md @@ -8,7 +8,7 @@ keywords: author: Smritib17 ms.author: smbhardwaj manager: dougeby -ms.date: 12/18/2024 +ms.date: 12/20/2024 ms.topic: reference ms.service: microsoft-intune ms.subservice: fundamentals @@ -153,7 +153,7 @@ For Intune-managed Windows devices managed using Mobile Device Management (MDM), | --- | ---- | -------- | ----- | --------- | ----- | | 172 | MDM - Delivery Optimization Dependencies | Default
    Required | False | `*.do.dsp.mp.microsoft.com`
    `*.dl.delivery.mp.microsoft.com`
    | **TCP:** 80, 443 | -**Port requirements** - For client-service communication, it uses HTTP or HTTPS over port 80/443. Optionally, for peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP and Teredo on port 3544 for NAT traversal. For more information, see [Delivery Optimization documentation](/windows/deployment/do/) +**Port requirements** - For client-service communication, it uses HTTP or HTTPS over port 80/443. Optionally, for peer-to-peer traffic, Delivery Optimization uses 7680 for TCP/IP and Teredo on port 3544 for NAT traversal. For more information, see [Delivery Optimization documentation](/windows/deployment/do/) **Proxy requirements** - To use Delivery Optimization, you must allow Byte Range requests. For more information, see [Proxy requirements for Delivery Optimization](/windows/deployment/do/waas-delivery-optimization-faq#what-are-the-requirements-if-i-use-a-proxy). @@ -172,6 +172,7 @@ For Delivery Optimization metadata: | 178 | MEM - Apple Dependencies | Default
    Required | False | `itunes.apple.com`
    `*.itunes.apple.com`
    `*.mzstatic.com`
    `*.phobos.apple.com`
    `phobos.itunes-apple.com.akadns.net`
    `5-courier.push.apple.com`
    `phobos.apple.com`
    `ocsp.apple.com`
    `ax.itunes.apple.com`
    `ax.itunes.apple.com.edgesuite.net`
    `s.mzstatic.com`
    `a1165.phobos.apple.com`
    |**TCP:** 80, 443, 5223| For more information, see the following resources: + - [Use Apple products on enterprise networks](https://support.apple.com/HT210060) - [TCP and UDP ports used by Apple software products](https://support.apple.com/HT202944) - [About macOS, iOS/iPadOS, and iTunes server host connections and iTunes background processes](https://support.apple.com/HT201999) 
@@ -294,16 +295,17 @@ The following tables list the ports and services that the Intune client accesses If you're using Intune to deploy PowerShell scripts or Win32 apps, you also need to grant access to endpoints in which your tenant currently resides. -To find your tenant location (or Azure Scale Unit (ASU), sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Tenant details**. The location is under **Tenant location** as something like North America 0501 or Europe 0202. Look for the matching number in the following table. That row tells you which storage name and CDN endpoints to grant access to. The rows are differentiated by geographic region, as indicated by the first two letters in the names (na = North America, eu = Europe, ap = Asia Pacific). Your tenant location is one of these three regions although your organization's actual geographic location might be elsewhere. +To find your tenant location or Azure Scale Unit (ASU), sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Tenant details**. The location is under **Tenant location** as something like North America 0501 or Europe 0202. Look for the matching number in the following table. That row tells you which storage name and CDN endpoints to grant access to. The rows are differentiated by geographic region, as indicated by the first two letters in the names (na = North America, eu = Europe, ap = Asia Pacific). Your tenant location is one of these three regions although your organization's actual geographic location might be elsewhere. > [!NOTE] > **Allow HTTP Partial response** is required for Scripts & Win32 Apps endpoints. |Azure Scale Unit (ASU) | Storage name | CDN | Port | | --- | --- |--- | --- | -|AMSUA0601
    AMSUA0602
    AMSUA0101
    AMSUA0102
    AMSUA0201
    AMSUA0202
    AMSUA0401
    AMSUA0402
    AMSUA0501
    AMSUA0502
    AMSUA0601
    AMSUA0701
    AMSUA0702
    AMSUA0801
    AMSUA0901 | naprodimedatapri
    naprodimedatasec
    naprodimedatahotfix | naprodimedatapri.azureedge.net
    naprodimedatasec.azureedge.net
    naprodimedatahotfix.azureedge.net | **TCP:** 443 | -| AMSUB0101
    AMSUB0102
    AMSUB0201
    AMSUB0202
    AMSUB0301
    AMSUB0302
    AMSUB0501
    AMSUB0502
    AMSUB0601
    AMSUB0701 | euprodimedatapri
    euprodimedatasec
    euprodimedatahotfix | euprodimedatapri.azureedge.net
    euprodimedatasec.azureedge.net
    euprodimedatahotfix.azureedge.net | **TCP:** 443 | -| AMSUC0101
    AMSUC0201
    AMSUC0301
    AMSUC0501
    AMSUC0601
    AMSUD0101| approdimedatapri
    approdimedatasec
    approdimedatahotifx | approdimedatapri.azureedge.net
    approdimedatasec.azureedge.net
    approdimedatahotfix.azureedge.net |**TCP:** 443 | +|AMSUA0601
    AMSUA0602
    AMSUA0101
    AMSUA0102
    AMSUA0201
    AMSUA0202
    AMSUA0401
    AMSUA0402
    AMSUA0501
    AMSUA0502
    AMSUA0601
    AMSUA0701
    AMSUA0702
    AMSUA0801
    AMSUA0901 | naprodimedatapri
    naprodimedatasec
    naprodimedatahotfix | naprodimedatapri.azureedge.net
    naprodimedatasec.azureedge.net
    naprodimedatahotfix.azureedge.net
    imeswda-afd-primary.manage.microsoft.com
    imeswda-afd-secondary.manage.microsoft.com +
    imeswda-afd-hotfix.manage.microsoft.com | **TCP:** 443 | +| AMSUB0101
    AMSUB0102
    AMSUB0201
    AMSUB0202
    AMSUB0301
    AMSUB0302
    AMSUB0501
    AMSUB0502
    AMSUB0601
    AMSUB0701 | euprodimedatapri
    euprodimedatasec
    euprodimedatahotfix | euprodimedatapri.azureedge.net
    euprodimedatasec.azureedge.net
    euprodimedatahotfix.azureedge.net
    imeswdb-afd-primary.manage.microsoft.com
    imeswdb-afd-secondary.manage.microsoft.com
    imeswdb-afd-hotfix.manage.microsoft.com | **TCP:** 443 | +| AMSUC0101
    AMSUC0201
    AMSUC0301
    AMSUC0501
    AMSUC0601
    AMSUD0101| approdimedatapri
    approdimedatasec
    approdimedatahotifx | approdimedatapri.azureedge.net
    approdimedatasec.azureedge.net
    approdimedatahotfix.azureedge.net
    imeswdc-afd-primary.manage.microsoft.com
    imeswdc-afd-secondary.manage.microsoft.com
    imeswdc-afd-hotfix.manage.microsoft.com |**TCP:** 443 | ## Microsoft Store From a4a18dc1631f162f782e8699d51b6b18a334db13 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Fri, 20 Dec 2024 15:44:45 -0800 Subject: [PATCH 153/237] updated alignment --- memdocs/intune/fundamentals/intune-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index be1a485d990..6a51151b728 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md +++ b/memdocs/intune/fundamentals/intune-endpoints.md @@ -301,7 +301,7 @@ To find your tenant location or Azure Scale Unit (ASU), sign in to the [Microsof > **Allow HTTP Partial response** is required for Scripts & Win32 Apps endpoints. |Azure Scale Unit (ASU) | Storage name | CDN | Port | -| --- | --- |--- | --- | +| --- | --- |--------- | --- | |AMSUA0601
    AMSUA0602
    AMSUA0101
    AMSUA0102
    AMSUA0201
    AMSUA0202
    AMSUA0401
    AMSUA0402
    AMSUA0501
    AMSUA0502
    AMSUA0601
    AMSUA0701
    AMSUA0702
    AMSUA0801
    AMSUA0901 | naprodimedatapri
    naprodimedatasec
    naprodimedatahotfix | naprodimedatapri.azureedge.net
    naprodimedatasec.azureedge.net
    naprodimedatahotfix.azureedge.net
    imeswda-afd-primary.manage.microsoft.com
    imeswda-afd-secondary.manage.microsoft.com
    imeswda-afd-hotfix.manage.microsoft.com | **TCP:** 443 | | AMSUB0101
    AMSUB0102
    AMSUB0201
    AMSUB0202
    AMSUB0301
    AMSUB0302
    AMSUB0501
    AMSUB0502
    AMSUB0601
    AMSUB0701 | euprodimedatapri
    euprodimedatasec
    euprodimedatahotfix | euprodimedatapri.azureedge.net
    euprodimedatasec.azureedge.net
    euprodimedatahotfix.azureedge.net
    imeswdb-afd-primary.manage.microsoft.com
    imeswdb-afd-secondary.manage.microsoft.com
    imeswdb-afd-hotfix.manage.microsoft.com | **TCP:** 443 | From d5b5f6b8acc0db7f967b79051fac02acd6c55421 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Fri, 20 Dec 2024 15:50:29 -0800 Subject: [PATCH 154/237] updated alignment --- memdocs/intune/fundamentals/intune-endpoints.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index 6a51151b728..d1cfcf6985d 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md +++ b/memdocs/intune/fundamentals/intune-endpoints.md @@ -301,9 +301,8 @@ To find your tenant location or Azure Scale Unit (ASU), sign in to the [Microsof > **Allow HTTP Partial response** is required for Scripts & Win32 Apps endpoints. |Azure Scale Unit (ASU) | Storage name | CDN | Port | -| --- | --- |--------- | --- | -|AMSUA0601
    AMSUA0602
    AMSUA0101
    AMSUA0102
    AMSUA0201
    AMSUA0202
    AMSUA0401
    AMSUA0402
    AMSUA0501
    AMSUA0502
    AMSUA0601
    AMSUA0701
    AMSUA0702
    AMSUA0801
    AMSUA0901 | naprodimedatapri
    naprodimedatasec
    naprodimedatahotfix | naprodimedatapri.azureedge.net
    naprodimedatasec.azureedge.net
    naprodimedatahotfix.azureedge.net
    imeswda-afd-primary.manage.microsoft.com
    imeswda-afd-secondary.manage.microsoft.com -
    imeswda-afd-hotfix.manage.microsoft.com | **TCP:** 443 | +| --- | --- |------------- | --- | +|AMSUA0601
    AMSUA0602
    AMSUA0101
    AMSUA0102
    AMSUA0201
    AMSUA0202
    AMSUA0401
    AMSUA0402
    AMSUA0501
    AMSUA0502
    AMSUA0601
    AMSUA0701
    AMSUA0702
    AMSUA0801
    AMSUA0901 | naprodimedatapri
    naprodimedatasec
    naprodimedatahotfix | naprodimedatapri.azureedge.net
    naprodimedatasec.azureedge.net
    naprodimedatahotfix.azureedge.net
    imeswda-afd-primary.manage.microsoft.com
    imeswda-afd-secondary.manage.microsoft.com
    imeswda-afd-hotfix.manage.microsoft.com | **TCP:** 443 | | AMSUB0101
    AMSUB0102
    AMSUB0201
    AMSUB0202
    AMSUB0301
    AMSUB0302
    AMSUB0501
    AMSUB0502
    AMSUB0601
    AMSUB0701 | euprodimedatapri
    euprodimedatasec
    euprodimedatahotfix | euprodimedatapri.azureedge.net
    euprodimedatasec.azureedge.net
    euprodimedatahotfix.azureedge.net
    imeswdb-afd-primary.manage.microsoft.com
    imeswdb-afd-secondary.manage.microsoft.com
    imeswdb-afd-hotfix.manage.microsoft.com | **TCP:** 443 | | AMSUC0101
    AMSUC0201
    AMSUC0301
    AMSUC0501
    AMSUC0601
    AMSUD0101| approdimedatapri
    approdimedatasec
    approdimedatahotifx | approdimedatapri.azureedge.net
    approdimedatasec.azureedge.net
    approdimedatahotfix.azureedge.net
    imeswdc-afd-primary.manage.microsoft.com
    imeswdc-afd-secondary.manage.microsoft.com
    imeswdc-afd-hotfix.manage.microsoft.com |**TCP:** 443 | From 219defc790059a56f4ce52e9d3e51f79f9957f8e Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Fri, 20 Dec 2024 22:39:08 -0800 Subject: [PATCH 155/237] updated endpoints --- memdocs/intune/fundamentals/intune-endpoints.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index d1cfcf6985d..cf9c1aed93b 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md +++ b/memdocs/intune/fundamentals/intune-endpoints.md @@ -306,6 +306,18 @@ To find your tenant location or Azure Scale Unit (ASU), sign in to the [Microsof | AMSUB0101
    AMSUB0102
    AMSUB0201
    AMSUB0202
    AMSUB0301
    AMSUB0302
    AMSUB0501
    AMSUB0502
    AMSUB0601
    AMSUB0701 | euprodimedatapri
    euprodimedatasec
    euprodimedatahotfix | euprodimedatapri.azureedge.net
    euprodimedatasec.azureedge.net
    euprodimedatahotfix.azureedge.net
    imeswdb-afd-primary.manage.microsoft.com
    imeswdb-afd-secondary.manage.microsoft.com
    imeswdb-afd-hotfix.manage.microsoft.com | **TCP:** 443 | | AMSUC0101
    AMSUC0201
    AMSUC0301
    AMSUC0501
    AMSUC0601
    AMSUD0101| approdimedatapri
    approdimedatasec
    approdimedatahotifx | approdimedatapri.azureedge.net
    approdimedatasec.azureedge.net
    approdimedatahotfix.azureedge.net
    imeswdc-afd-primary.manage.microsoft.com
    imeswdc-afd-secondary.manage.microsoft.com
    imeswdc-afd-hotfix.manage.microsoft.com |**TCP:** 443 | +## Network requirements for macOS app and script deployments + +If you're using Intune to deploy apps or scripts on macOS, you also need to grant access to endpoints in which your tenant currently resides. + +To find your tenant location or Azure Scale Unit (ASU), sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Tenant details**. The location is under Tenant location as something like North America 0501 or Europe 0202. Look for the matching number in the following table. That row tells you which storage name and CDN endpoints to grant access to. The rows are differentiated by geographic region, as indicated by the first two letters in the names (na = North America, eu = Europe, ap = Asia Pacific). Your tenant location is one of these three regions although your organization's actual geographic location might be elsewhere. + +|Azure Scale Unit (ASU) | CDN | Port | +| --- |------------- | --- | +|AMSUA0601
    AMSUA0602
    AMSUA0101
    AMSUA0102
    AMSUA0201
    AMSUA0202
    AMSUA0401
    AMSUA0402
    AMSUA0501
    AMSUA0502
    AMSUA0601
    AMSUA0701
    AMSUA0702
    AMSUA0801
    AMSUA0901 | macsidecar.manage.microsoft.com | **TCP:** 443 | +| AMSUB0101
    AMSUB0102
    AMSUB0201
    AMSUB0202
    AMSUB0301
    AMSUB0302
    AMSUB0501
    AMSUB0502
    AMSUB0601
    AMSUB0701 | macsidecareu.manage.microsoft.com | **TCP:** 443 | +| AMSUC0101
    AMSUC0201
    AMSUC0301
    AMSUC0501
    AMSUC0601
    AMSUD0101| macsidecarap.manage.microsoft.com |**TCP:** 443 | + ## Microsoft Store Managed Windows devices using the Microsoft Store – either to acquire, install, or update apps – need access to these endpoints. From f91bc660f7f7622f643bab3db5888370ca45a163 Mon Sep 17 00:00:00 2001 From: Kara Wang <146743611+kara-wang@users.noreply.github.com> Date: Mon, 23 Dec 2024 10:45:26 -0500 Subject: [PATCH 156/237] Update remote-help-windows.md Adding deploying Remote Help through EAM --- memdocs/intune/fundamentals/remote-help-windows.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/memdocs/intune/fundamentals/remote-help-windows.md b/memdocs/intune/fundamentals/remote-help-windows.md index 2cc5bb51323..bea9de67538 100644 --- a/memdocs/intune/fundamentals/remote-help-windows.md +++ b/memdocs/intune/fundamentals/remote-help-windows.md 
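Review bot: In the macOS section added to intune-endpoints.md above, the introductory paragraph on the `+` side says the matching row "tells you which storage name and CDN endpoints to grant access to", but the new table has only ASU, CDN and Port columns, so there is no storage name to look up; reword the sentence for this table. The first added row also lists `AMSUA0601` twice, and "Tenant location" is not bolded here although the Windows paragraph bolds it. Separately, the unchanged Asia Pacific row in the context still gives the storage name as `approdimedatahotifx` next to the CDN host `approdimedatahotfix.azureedge.net`, which looks like a transposition; anyone copying these names into a proxy or firewall allowlist will carry the typo, so it is worth fixing in the same series.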
@@ -117,6 +117,10 @@ Download the latest version of Remote Help direct from Microsoft at [aka.ms/down The most recent version of Remote Help is **5.1.1419.0** +### Deploy Remote Help as an Enterprise App Catalog app +The Enterprise App Catalog is a collection of prepackaged Win32 apps that have been designed and prepared by Microsoft to support Intune. An Enterprise App Catalog app is a Windows app that you can add via the Enterprise App Catalog in Intune. This app type leverages the Win32 platform and has support for customizable capabilities. Remote Help is available in the Enterprise App Catalog. To learn more, see [Add an Enterprise App Catalog app to Microsoft Intune]([https://learn.microsoft.com/en-us/mem/intune/apps/apps-enterprise-app-management](https://learn.microsoft.com/en-us/mem/intune/apps/apps-add-enterprise-app#add-a-windows-catalog-app-win32-to-intune)). + + ### Deploy Remote Help as a Win32 app To deploy Remote Help with Intune, you can add the app as a Windows Win32 app, and define a detection rule to identify devices that don't have the most current version of Remote Help installed. Before you can add Remote Help as a Win32 app, you must repackage *remotehelpinstaller.exe* as a *.intunewin* file, which is a Win32 app file you can deploy with Intune. For information on how to repackage a file as a Win32 app, see [Prepare the Win32 app content for upload](../apps/apps-win32-prepare.md). From bba7e2ab43cd1c1d21ab3da34d4fd69881c35891 Mon Sep 17 00:00:00 2001 From: Denish Donga <177508003+denishdonga27@users.noreply.github.com> Date: Thu, 26 Dec 2024 12:47:07 +0530 Subject: [PATCH 157/237] Learn Editor: Update advanced-threat-protection-manage-android.md --- ...vanced-threat-protection-manage-android.md | 37 +++++++++---------- 1 file changed, 18 insertions(+), 19 deletions(-) 
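Review bot: The link at the end of the paragraph added to remote-help-windows.md is malformed: its target begins `([https://learn.microsoft.com/en-us/mem/intune/apps/apps-enterprise-app-management](`, so one Markdown link is nested inside another and two different articles are named. Keep a single target, and make it a relative link in the style of the `../apps/apps-win32-prepare.md` reference in the following section, which also avoids the hard-coded `en-us` locale. The new heading has no blank line after it and the paragraph is followed by two blank lines; match the spacing of the neighbouring sections.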
diff --git a/memdocs/intune/protect/advanced-threat-protection-manage-android.md b/memdocs/intune/protect/advanced-threat-protection-manage-android.md index 16b89cd4a5a..72922e5e3e8 100644 --- a/memdocs/intune/protect/advanced-threat-protection-manage-android.md +++ b/memdocs/intune/protect/advanced-threat-protection-manage-android.md 
@@ -114,18 +114,16 @@ To configure web protection on devices, use the following procedures to create a 6. Find and select configuration keys **Anti-Phishing** and **VPN**, and then select **OK** to return to the **Settings** page. -7. For the **Configuration values** of both configuration keys (**Anti-Phishing** and **VPN**), enter **0** to disable web protection. +1. For the **Configuration values** of both configuration keys (**Anti-Phishing** and **VPN**), enter **0** to disable web protection and enter **1** to enable web protection. By default, web protection is enabled. > [!NOTE] - > - > The **Web Protection** configuration key is deprecated. If you've used this key in the past, complete the previous steps to re-configure the setting by setting the keys **Anti-Phishing** and **VPN** to enable or disable web protection. - + > Values for Anti-Phishing and VPN should be same either to be 0 to disable or 1 to enable, otherwise both features will automatically be disabled. + > [!NOTE] - > - > Enter **1** for both configuration values (**Anti-Phishing** and **VPN**) to enable web protection. This setting is the default. - + > The **Web Protection** configuration key is deprecated. If you've used this key in the past, complete the previous steps to re-configure the setting by setting the keys **Anti-Phishing** and **VPN** to enable or disable web protection. + Select **Next** to continue. - + 8. In **Assignments**, specify the groups that receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). 9. In **Review + create**, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you created. 
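Review bot: The first added note under the renumbered step says that mismatched **Anti-Phishing** and **VPN** values cause both features to be disabled automatically, which means a single mistyped value silently turns web protection off; that behaviour needs clearer wording and more prominence than a plain `[!NOTE]`. Suggest something like "Set **Anti-Phishing** and **VPN** to the same value (both **0** or both **1**). If the values differ, both features are disabled." The step itself is also renumbered from `7.` to `1.` while its neighbours stay `6.` and `8.`; keep one numbering style within the list.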
@@ -134,21 +132,21 @@ To configure web protection on devices, use the following procedures to create a 1. Complete the same configuration steps [described previously](#disable-web-protection-for-the-android-enterprise-personally-owned-work-profile), and add web protection configuration keys **Anti-phishing** and **VPN**. The only difference is the **Profile Type** value. For this value, select **Fully Managed, Dedicated, and Corporate-Owned Work Profile Only**. - - To disable web protection, enter **0** for configuration values **Anti-Phishing** and **VPN**. + - To disable web protection, enter **0** for configuration values **Anti-Phishing** and **VPN** and enter **1** for both configuration values (**Anti-Phishing** and **VPN**) to enable web protection. By default, web protection is enabled. + - To disable only the use of VPN by web protection, enter these configuration values: - - **0** for **VPN** - - **1** for **Anti-Phishing** - + - **0** for **VPN** + + - **1** for **Anti-Phishing** + > [!NOTE] - > - > You can't disable VPN for the Android Enterprise Fully Managed profile if you've configured the Auto Setup of Always-on VPN device configuration policy on the enrolled devices. - + > For 'Android Enterprise corporate owned work profile' enrollment scenario values for VPN and Anti-Phishing should be same either both 0 to disable or 1 to enable, otherwise both features will automatically be disabled, but for 'Android Enterprise corporate owned fully managed - no work profile' enrollment scenario need not to have the same value for VPN and Anti-Phishing, each feature can work individually. + > [!NOTE] - > - > Enter **1** for both configuration values (**Anti-Phishing** and **VPN**) to enable web protection. This setting is the default. - + > You can't disable VPN for the Android Enterprise Fully Managed profile if you've configured the Auto Setup of Always-on VPN device configuration policy on the enrolled devices. + Select **Next** to continue. - + 2. 
In **Assignments**, specify the groups that receive the profile. For more information on assigning profiles, see [Assign user and device profiles](../configuration/device-profile-assign.md). 3. In **Review + create**, when you're done, select **Create**. The new profile is displayed in the list when you select the policy type for the profile you @@ -162,4 +160,5 @@ To configure web protection on devices, use the following procedures to create a - Learn more from the Microsoft Defender for Endpoint documentation: - [Microsoft Defender for Endpoint Conditional Access](/windows/security/threat-protection/microsoft-defender-atp/conditional-access) + - [Microsoft Defender for Endpoint risk dashboard](/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) From f2cadc8da96efb8f21b1bda5b69ea90446160e79 Mon Sep 17 00:00:00 2001 From: Denish Donga <177508003+denishdonga27@users.noreply.github.com> Date: Thu, 26 Dec 2024 12:47:19 +0530 Subject: [PATCH 158/237] Learn Editor: Update advanced-threat-protection-manage-android.md From badc31ab8396517fa750073b58f2a11df88d6567 Mon Sep 17 00:00:00 2001 From: Denish Donga <177508003+denishdonga27@users.noreply.github.com> Date: Thu, 26 Dec 2024 16:21:13 +0530 Subject: [PATCH 159/237] Learn Editor: Update advanced-threat-protection-manage-android.md --- .../protect/advanced-threat-protection-manage-android.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/memdocs/intune/protect/advanced-threat-protection-manage-android.md b/memdocs/intune/protect/advanced-threat-protection-manage-android.md index 72922e5e3e8..97debafd39c 100644 --- a/memdocs/intune/protect/advanced-threat-protection-manage-android.md +++ b/memdocs/intune/protect/advanced-threat-protection-manage-android.md 
@@ -44,6 +44,13 @@ With Intune device configuration policy, you can turn off all or part of the web - **Android Enterprise Fully Managed profile**. Use an app configuration profile and the [configuration designer](../apps/app-configuration-policies-use-android.md#use-the-configuration-designer) to disable the entire web protection feature or to disable only the use of VPNs. +> [!IMPORTANT] +> **Below browsers are supported with defender loopback VPN** +> GOOGLE_CHROME, EDGE, OPERA, SAMSUNG_INTERNET, FIREFOX, BRAVE, TOR, WEB_BROWSER_LEOPARD, DUCKDUCKGO, DOLPHIN +> **Following browsers are supported with accessibility service without defender loopback VPN** +> GOOGLE_CHROME, EDGE, OPERA, SAMSUNG_INTERNET +> **Note:** Work profile scenarios (BYOD -Android Enterprise personally owned devices using a work profile and COPE - Android Enterprise corporate owned work profile) do not support the accessibility service. + To configure web protection on devices, use the following procedures to create and deploy the applicable configuration. ## Disable web protection for Android device administrator @@ -162,3 +169,4 @@ To configure web protection on devices, use the following procedures to create a - [Microsoft Defender for Endpoint Conditional Access](/windows/security/threat-protection/microsoft-defender-atp/conditional-access) - [Microsoft Defender for Endpoint risk dashboard](/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) + From 8d27a752d150025b0e496364c3865f9e5cb8df1a Mon Sep 17 00:00:00 2001 From: Denish Donga <177508003+denishdonga27@users.noreply.github.com> Date: Thu, 26 Dec 2024 16:25:45 +0530 Subject: [PATCH 160/237] Learn Editor: Update advanced-threat-protection-manage-android.md --- .../protect/advanced-threat-protection-manage-android.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
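Review bot: In the `[!IMPORTANT]` block added by the first hunk, the two bold headings and their browser lists are consecutive `>` lines with no blank `>` line or list markup between them, so Markdown will flow them into one paragraph and the reader cannot tell which list belongs to which mode. Break them into two labelled bullet lists inside the alert, and say what the uppercase tokens such as `WEB_BROWSER_LEOPARD` refer to, since they read as internal identifiers and not product names. "BYOD -Android" also has uneven spacing around the hyphen. The second hunk only appends a blank line at the end of the file and can be dropped.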
diff --git a/memdocs/intune/protect/advanced-threat-protection-manage-android.md b/memdocs/intune/protect/advanced-threat-protection-manage-android.md index 97debafd39c..4c8a580e3b9 100644 --- a/memdocs/intune/protect/advanced-threat-protection-manage-android.md +++ b/memdocs/intune/protect/advanced-threat-protection-manage-android.md @@ -45,9 +45,9 @@ With Intune device configuration policy, you can turn off all or part of the web - **Android Enterprise Fully Managed profile**. Use an app configuration profile and the [configuration designer](../apps/app-configuration-policies-use-android.md#use-the-configuration-designer) to disable the entire web protection feature or to disable only the use of VPNs. > [!IMPORTANT] -> **Below browsers are supported with defender loopback VPN** +> **Below browsers are supported with Defender loopback VPN** > GOOGLE_CHROME, EDGE, OPERA, SAMSUNG_INTERNET, FIREFOX, BRAVE, TOR, WEB_BROWSER_LEOPARD, DUCKDUCKGO, DOLPHIN -> **Following browsers are supported with accessibility service without defender loopback VPN** +> **Following browsers are supported with accessibility service without Defender loopback VPN** > GOOGLE_CHROME, EDGE, OPERA, SAMSUNG_INTERNET > **Note:** Work profile scenarios (BYOD -Android Enterprise personally owned devices using a work profile and COPE - Android Enterprise corporate owned work profile) do not support the accessibility service. From a8140cd82348be493d5ca649917ba9f654b0c390 Mon Sep 17 00:00:00 2001 From: Maggie Dakeva Date: Thu, 26 Dec 2024 14:10:46 -0500 Subject: [PATCH 161/237] Learn Editor: Update whats-new.md --- autopilot/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autopilot/whats-new.md b/autopilot/whats-new.md index ca690e1231a..2f3c91ebfdc 100644 --- a/autopilot/whats-new.md +++ b/autopilot/whats-new.md 
@@ -85,7 +85,7 @@ The 2310 release of Intune adds more clarity to the manual hardware hash upload Date added: *October 10, 2023* -Starting in 2310, we're making an update to the self-deployment and pre-provisioning modes for manufacturers that have not opted-in to attesting to removal of Autopilot refurbished devices. Customers using these manufacturers were still subjected to the one-time device-based enrollment block in the self-deployment and pre-provisioning modes. This block means that the device could go through self-deployment or pre-provisioning mode once and then get blocked from doing it again. This behavior could cause problems if the device needed to be reset or redeployed. This change in 2310 enables a button in the Autopilot devices section in Intune to manually unblock those devices. This update only works for OEMs that aren't within the [OEM list](https://techcommunity.microsoft.com/t5/intune-customer-success/return-of-key-functionality-for-windows-autopilot-sign-in-and/ba-p/3583130) and doesn't work on the **Fix pending** status. +Starting in 2310, we're making an update to the self-deployment and pre-provisioning modes for manufacturers that have not opted-in to attesting to removal of Autopilot refurbished devices. Customers using these manufacturers were still subjected to the one-time device-based enrollment block in the self-deployment and pre-provisioning modes. This block means that the device could go through self-deployment or pre-provisioning mode once and then get blocked from doing it again. This behavior could cause problems if the device needed to be reset or redeployed. This change in 2310 enables a button in the Autopilot devices section in Intune to manually unblock those devices. This update only works for certain OEMs and doesn't work on the **Fix pending** status. Reach out to your respective OEM to confirm whether this functionality is enabled for your device. ### How to unblock devices 
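Review bot: The replacement sentence narrows the scope to "certain OEMs" and drops the link to the OEM list, leaving nothing on the page that tells an admin which manufacturers are covered; the removed text said the update applies to OEMs that are not in that list. If the list is being retired, state the criterion in words (the paragraph already describes these as manufacturers that have not opted in to attesting to removal of refurbished devices) before falling back to "Reach out to your respective OEM". The entry still carries its "Date added: October 10, 2023" line, so consider marking that the text was revised.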
From 0c5de2ffd7a9eb7b446d34ee69f17fb0519452ec Mon Sep 17 00:00:00 2001 From: Sucheta Gawade <74800964+SMG0927@users.noreply.github.com> Date: Mon, 30 Dec 2024 19:09:25 -0500 Subject: [PATCH 162/237] Remove an unnecessary word Correct a sentence to read correctly; removed an unnecessary word Update security-baselines.md --- memdocs/intune/protect/security-baselines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/protect/security-baselines.md b/memdocs/intune/protect/security-baselines.md index d5336636fdf..82cf4e71374 100644 --- a/memdocs/intune/protect/security-baselines.md +++ b/memdocs/intune/protect/security-baselines.md 
@@ -138,7 +138,7 @@ You can view the list of available baselines in the [Microsoft Intune admin cent To view more information about the baseline versions you use, select a baseline type, like *Security Baseline for Windows 10 and later* to open its *Profiles* pane, and then select **Versions**. Intune displays details about the versions of that baseline that are in use by your profiles. The details include the most recent and current baseline version. You can select a single version to view deeper details about the profiles that use that version. -You can choose to [change of the version](../protect/security-baselines-configure.md#update-a-profile-to-the-latest-version) of a baseline that's in use with a given profile. When you change the version, you don't have to create a new baseline profile to take advantage of updated versions. Instead you can select a baseline profile and use the built-in option to change the instance version for that profile to a new one. +You can choose to [change the version](../protect/security-baselines-configure.md#update-a-profile-to-the-latest-version) of a baseline that's in use with a given profile. When you change the version, you don't have to create a new baseline profile to take advantage of updated versions. Instead you can select a baseline profile and use the built-in option to change the instance version for that profile to a new one. ## Avoid conflicts From 0599998ecddc7a15eacbf6cbda9f3c00bc1afe4d Mon Sep 17 00:00:00 2001 From: Sucheta Gawade <74800964+SMG0927@users.noreply.github.com> Date: Mon, 30 Dec 2024 19:23:42 -0500 Subject: [PATCH 163/237] Fix a partially written word Fixed a partially written word to make correct sense. --- memdocs/intune/protect/security-baselines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/protect/security-baselines.md b/memdocs/intune/protect/security-baselines.md index d5336636fdf..395afbd1e18 100644 --- a/memdocs/intune/protect/security-baselines.md 
+++ b/memdocs/intune/protect/security-baselines.md @@ -177,7 +177,7 @@ Migrating from on-premises Active Directory group policies to a pure cloud solut ### Where can I find details about using or configuring the settings that are available in a security baseline? -Each security baseline manages device configurations by applying the options found in a configuration service provider on a device. For example, settings that apply to Microsoft Defender are taken from th Microsoft Defender CSP. Because Intune is a configuration vehicle for those options and doesn’t determine their functionality or scope, the CSP documentation owns the content for how to configure each option. +Each security baseline manages device configurations by applying the options found in a configuration service provider on a device. For example, settings that apply to Microsoft Defender are taken from the Microsoft Defender CSP. Because Intune is a configuration vehicle for those options and doesn’t determine their functionality or scope, the CSP documentation owns the content for how to configure each option. Within the Intune security baseline policy UI, Intune provides information text that is taken from the source CSP and provides a link to that CSP. In some cases, the CSP might be part of a larger content set that includes proactive guidance that remains beyond the scope of Intune to include or duplicate in our content. However, Intune does document the list of settings in each security baseline version and its default configuration. From 2d285eb689608dfa68528caa3190d90ec2eccafd Mon Sep 17 00:00:00 2001 From: Brent Dunsire Date: Thu, 2 Jan 2025 08:04:12 -0800 Subject: [PATCH 164/237] Learn Editor: Update microsoft-tunnel-upgrade.md --- memdocs/intune/protect/microsoft-tunnel-upgrade.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) 
diff --git a/memdocs/intune/protect/microsoft-tunnel-upgrade.md b/memdocs/intune/protect/microsoft-tunnel-upgrade.md index 5a4851493af..d5ea848f2e7 100644 --- a/memdocs/intune/protect/microsoft-tunnel-upgrade.md +++ b/memdocs/intune/protect/microsoft-tunnel-upgrade.md @@ -138,9 +138,10 @@ Image hash values: - **serverImageDigest**: sha256:9886240ee473583753daf10929921f7c7c54bbf6f68095395aa2089688090fb3 Changes in this release: --Diagnostic tool improvements --Bug fixes for rootless container mode in mst-cli --Localization improvements in mstunnel-setup + +- Diagnostic tool improvements +- Bug fixes for rootless container mode in mst-cli +- Localization improvemSents in mstunnel-setup ### October 2, 2024 @@ -152,7 +153,8 @@ Image hash values: - **serverImageDigest**: sha256:0efab5013351bcd81f186973e75ed5d9f91bbe6271e3be481721500f946fc9ec Changes in this release: --Upgrade from .NET 6 to .NET 8 + +- Upgrade from .NET 6 to .NET 8 - Upgrade ocserv to version 1.3.0 - Fix rootless container bug in installer @@ -164,7 +166,7 @@ Image hash values: - **serverImageDigest**: sha256:6484d311d1bd6cbe55d71306595715bafa6a20a000be6fd6f9e530716cef6c16 -Changes in this release: +Changes in this release: - Add diagnostic tools for host troubleshooting - Upgrade Azure Linux image to 2.0.20240829 From 347c053ef299662a425bf6987249995c226450a3 Mon Sep 17 00:00:00 2001 From: Brent Dunsire Date: Thu, 2 Jan 2025 08:04:34 -0800 Subject: [PATCH 165/237] Learn Editor: Update microsoft-tunnel-upgrade.md From 6dc6ae067ef3fe225b0dc33a72ab918a70ace492 Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 2 Jan 2025 09:03:21 -0800 Subject: [PATCH 166/237] True Up wn and indev --- memdocs/intune/fundamentals/in-development.md | 20 +------------------ 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md index 50bd8187bc5..c1a018a9e0a 100644 --- a/memdocs/intune/fundamentals/in-development.md 
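Review bot: the first hunk of microsoft-tunnel-upgrade.md (PATCH 164, `@@ -138,9 +138,10 @@`) introduces a typo while fixing the list markers. The removed line read `-Localization improvements in mstunnel-setup`, and the added line reads `- Localization improvemSents in mstunnel-setup`. Restore "improvements" so the release notes for this image stay accurate; the bullet-spacing fix itself is fine.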
+++ b/memdocs/intune/fundamentals/in-development.md 
@@ -97,27 +97,9 @@ For more information, see [Deploy Microsoft Entra hybrid joined devices by using -## Device enrollment - -### Update to "Determine based on user choice" enrollment type profile behavior - -In Intune today, if an IT admin creates a "Determine based on user choice" enrollment type profile for BYOD enrollments, the user will be prompted to select between **I own this device** and **My company owns this device** to direct them to the appropriate enrollment method. Because fewer than 1% of Apple devices across all Intune tenants are currently enrolled this way, this change won't affect most enrolled devices. - -Today, selecting **I own this device** results in the user enrolling via profile-based user enrollment with Company Portal to secure only work related apps. With WWDC 2024, Apple ended support for this enrollment method, subsequently Intune also ended support for the same. Read more about the changes here: [Support has ended for Apple profile-based user enrollment with Company Portal](../fundamentals/whats-new.md#support-has-ended-for-apple-profile-based-user-enrollment-with-company-portal) - -We are updating the enrollment behavior for users who select **I own this device**. The new behavior for **I own this device** will result in an [account-driven user enrollment](../enrollment/apple-account-driven-user-enrollment.md), which also supports the use of only secure work related apps. - -The behavior when selecting **My company owns this device** is unchanged and will continue to result in device enrollment with the Company Portal that supports securing the entire device. + -Admin action: -If you use **Determine based on user choice** enrollment type profile for BYOD scenarios, make sure you have completed the required **PREREQUISITES** to set up account driven user enrollment correctly. See [Set up account driven Apple User Enrollment](../enrollment/apple-account-driven-user-enrollment.md). 
- -If you do not use **Determine based on user choice** enrollment type profile for BYOD scenarios, there are no action items - -Applies to: - -- iOS/iPadOS From cdfe2c49b85a9766a58837d4a796142b27016bb1 Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 2 Jan 2025 09:23:47 -0800 Subject: [PATCH 167/237] January entries/update --- memdocs/intune/fundamentals/in-development.md | 49 +++++++++++++++++-- 1 file changed, 46 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md index c1a018a9e0a..80fdd507282 100644 --- a/memdocs/intune/fundamentals/in-development.md +++ b/memdocs/intune/fundamentals/in-development.md @@ -7,7 +7,7 @@ keywords: author: dougeby ms.author: dougeby manager: dougeby -ms.date: 11/26/2024 +ms.date: 01/03/2025 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals @@ -61,6 +61,14 @@ You can use RSS to be notified when this article is updated. For more informatio ## Microsoft Intune Suite +### Endpoint Privilege Manager support for ARM64 + +You'll soon be able to use [Endpoint Protection Manager](/mem/intune/protect/epm-overview) (EPM) file elevations on devices that run on ARM64 architecture. + +Applies to: + +- Windows + ### Use Copilot with Endpoint Privilege Manager to help identify potential elevation risks We’re adding support for Copilot to help you investigate Endpoint Privilege Manager (EPM) elevation details. Copilot will help you evaluate information from you EPM elevation requests to identify potential indicators of compromise by using information from [Microsoft Defender](/defender-endpoint/microsoft-defender-endpoint). 
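Review bot: the product name is inconsistent inside the entry added by the `@@ -61,6 +61,14 @@` hunk. The heading says "Endpoint Privilege Manager support for ARM64", but the body links `[Endpoint Protection Manager](/mem/intune/protect/epm-overview) (EPM)`. The link target is epm-overview and the following context section expands EPM as Endpoint Privilege Manager, so the link text should read "Endpoint Privilege Manager".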
@@ -77,6 +85,21 @@ EPM is available as an [Intune Suite add-on-capability](../fundamentals/intune-a ## App management +### Update to Apps workload experience in Intune + +The Apps workload in Intune will be updated to provide a more consistent UI and improved navigation structure so you can find the information you need faster. To find the **App** workload in Intune, navigate to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Apps**. + + +### Add Enterprise App Catalog apps to ESP blocking apps list + +Enterprise App Catalog apps will be supported with Windows Autopilot. Microsoft Intune Enterprise App Management enables IT admins to easily manage applications from the Enterprise App Catalog. Using Windows Autopilot, you will be able to select blocking apps from the Enterprise App Catalog in the Enrollment Status Page (ESP) and the Device Preparation Page (DPP) profiles. This allows you to update apps more easily without needing to update those profiles with the latest versions. + +For related information, see [Set up the Enrollment Status Page](../enrollment/windows-enrollment-status.md), [Overview of Windows Autopilot device preparation](/autopilot/device-preparation/overview), and [Add an Enterprise App Catalog app to Microsoft Intune](../apps/apps-add-enterprise-app.md). + +Applies to: + +- Windows + ### Added protection for iOS/iPadOS app widgets To protect organizational data for MAM managed accounts and apps, Intune app protection policies now provide the capability to block data sync from policy managed app data to app widgets. App widgets can be added to end-user's iOS/iPadOS device lock screen, which can expose data contained by these widgets, such as meeting titles, top sites, and recent notes. In Intune, you'll be able to set the app protection policy setting **Sync policy managed app data with app widgets** to **Block** for iOS/iPadOS apps. 
This setting will be available as part of the **Data Protection** settings in app protection policies. This new setting will be an app protection feature similar to the **Sync policy managed app data with native app or add-ins** setting. @@ -99,8 +122,6 @@ For more information, see [Deploy Microsoft Entra hybrid joined devices by using - - ## Device management 
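Review bot: in the "Update to Apps workload experience in Intune" entry added by the `@@ -77,6 +85,21 @@` hunk, the workload is named **App** in "To find the **App** workload" but "Apps" in the heading and in "select **Apps**". Use **Apps** in all three places so the bolded name matches the label the sentence tells the admin to select.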
@@ -113,6 +134,28 @@ You will soon be able to use Copilot to generate a KQL query to help you get dat ## Device security +### Updated security baseline for Microsoft Edge v128 + +We’re working on an update to add an Intune security baseline for Microsoft Edge v128. This update will bring support for recent settings so you can continue to maintain best-practice configurations for Edge. + +For information about security baselines with Intune, see [Use security baselines to configure Windows devices in Intune](../protect/security-baselines.md). + +Applies to: + +- Windows + +### Updated security baseline for Windows version 24H2 + +We're working on an update to add an Intune security baseline for **Windows version 24H2**. The new baseline version will use the unified settings platform seen in the Settings Catalog, which features an improved user interface and reporting experience, consistency and accuracy improvements with setting tattooing, and the new ability to support assignment filters for profiles. + +Use of [Intune security baselines](../protect/security-baselines.md) can help you maintain best-practice configurations for your Windows devices and can help you rapidly deploy configurations to your Windows devices that meet the security recommendations of the applicable security teams at Microsoft. + +As with all baselines, the default baseline will represent the recommended configurations for each setting, which you can modify to meet the requirements of your organization. + +Applies to: + +- Windows + ### Security baselines for HoloLens 2 in public preview We’re working to release a public preview of two security baselines for HoloLens 2. These baselines represent Microsoft’s best practice guidelines and experience from deploying and supporting HoloLens 2 devices to customers across various industries. The baselines include: From f4a97b61bc11af3630fb40187d86cb203945b569 Mon Sep 17 00:00:00 2001 
From: brenduns Date: Thu, 2 Jan 2025 12:22:58 -0800 Subject: [PATCH 168/237] Addition --- memdocs/intune/fundamentals/in-development.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md index 80fdd507282..f8174b2d730 100644 --- a/memdocs/intune/fundamentals/in-development.md +++ b/memdocs/intune/fundamentals/in-development.md @@ -85,6 +85,16 @@ EPM is available as an [Intune Suite add-on-capability](../fundamentals/intune-a ## App management +### Apple VPP using new API v2.0 + +Apple recently updated how apps and books are managed through the Apple volume purchase program (VPP). Apple has updated their related API to version 2.0 and deprecated version 1.0. To support the Apple updates, Microsoft Intune will soon use the new API, which is faster and more scalable than the previous version. + +Applies to: + +- iOS/iPadOS +- macOS + + ### Update to Apps workload experience in Intune The Apps workload in Intune will be updated to provide a more consistent UI and improved navigation structure so you can find the information you need faster. To find the **App** workload in Intune, navigate to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Apps**. From fab8dd0a89425116d04b9d9e2d4e2eff7771128f Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 2 Jan 2025 12:26:21 -0800 Subject: [PATCH 169/237] acrolinx pass --- memdocs/intune/fundamentals/in-development.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md index f8174b2d730..9cea3c3e6a2 100644 --- a/memdocs/intune/fundamentals/in-development.md +++ b/memdocs/intune/fundamentals/in-development.md 
@@ -61,9 +61,9 @@ You can use RSS to be notified when this article is updated. For more informatio ## Microsoft Intune Suite -### Endpoint Privilege Manager support for ARM64 +### Endpoint Privilege Manager support for Arm64 -You'll soon be able to use [Endpoint Protection Manager](/mem/intune/protect/epm-overview) (EPM) file elevations on devices that run on ARM64 architecture. +You'll soon be able to use [Endpoint Protection Manager](/mem/intune/protect/epm-overview) (EPM) file elevations on devices that run on Arm64 architecture. Applies to: @@ -102,7 +102,7 @@ The Apps workload in Intune will be updated to provide a more consistent UI and ### Add Enterprise App Catalog apps to ESP blocking apps list -Enterprise App Catalog apps will be supported with Windows Autopilot. Microsoft Intune Enterprise App Management enables IT admins to easily manage applications from the Enterprise App Catalog. Using Windows Autopilot, you will be able to select blocking apps from the Enterprise App Catalog in the Enrollment Status Page (ESP) and the Device Preparation Page (DPP) profiles. This allows you to update apps more easily without needing to update those profiles with the latest versions. +Enterprise App Catalog apps will be supported with Windows Autopilot. Microsoft Intune Enterprise App Management enables IT admins to easily manage applications from the Enterprise App Catalog. Using Windows Autopilot, you'll be able to select blocking apps from the Enterprise App Catalog in the Enrollment Status Page (ESP) and the Device Preparation Page (DPP) profiles. This allows you to update apps more easily without needing to update those profiles with the latest versions. For related information, see [Set up the Enrollment Status Page](../enrollment/windows-enrollment-status.md), [Overview of Windows Autopilot device preparation](/autopilot/device-preparation/overview), and [Add an Enterprise App Catalog app to Microsoft Intune](../apps/apps-add-enterprise-app.md). 
@@ -138,7 +138,7 @@ For more information, see [Deploy Microsoft Entra hybrid joined devices by using ### Copilot assistant for device query -You will soon be able to use Copilot to generate a KQL query to help you get data from across multiple devices in Intune. This capability will be available in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Devices** > **Device query** > **Query with Copilot**. +You'll soon be able to use Copilot to generate a KQL query to help you get data from across multiple devices in Intune. This capability will be available in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) by selecting **Devices** > **Device query** > **Query with Copilot**. @@ -146,7 +146,7 @@ You will soon be able to use Copilot to generate a KQL query to help you get dat ### Updated security baseline for Microsoft Edge v128 -We’re working on an update to add an Intune security baseline for Microsoft Edge v128. This update will bring support for recent settings so you can continue to maintain best-practice configurations for Edge. +We’re working on an update to add an Intune security baseline for Microsoft Edge v128. This update will bring support for recent settings so you can continue to maintain best-practice configurations for Microsoft Edge. For information about security baselines with Intune, see [Use security baselines to configure Windows devices in Intune](../protect/security-baselines.md). 
@@ -180,7 +180,7 @@ To learn more about security baselines with Intune, see [Use security baselines ### Linux support for Endpoint detection and response exclusion settings -We are adding a new Endpoint Security template under Endpoint detection and response (EDR) for the Linux platform, that will be supported through the [Microsoft Defender for Endpoint security settings management](../protect/mde-security-integration.md) scenario. +We're adding a new Endpoint Security template under Endpoint detection and response (EDR) for the Linux platform, that will be supported through the [Microsoft Defender for Endpoint security settings management](../protect/mde-security-integration.md) scenario. The template will support settings related to global exclusion settings. Applicable to antivirus and EDR engines on the client, the settings can configure exclusions to stop associated real time protection EDR alerts for the excluded items. Exclusions can be defined by the file path, folder, or process explicitly defined by the admin in the policy. From 9ed0f1879f235ff2270a366c8cf8206e0e315a35 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Fri, 3 Jan 2025 03:11:35 +0530 Subject: [PATCH 170/237] acro fix --- memdocs/intune/protect/mde-security-integration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 1aeb1183741..2c9c5b09afd 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md 
@@ -304,7 +304,7 @@ To support use with Microsoft Defender security settings management, your polici - **[Firewall](endpoint-security-firewall-policy.md)** policies focus on the Defender firewall on your devices. -- **Firewall Rules** are a type of profile for [Firewall](endpoint-security-firewall-policy.md) policy that are comprised of are granular rules for Firewalls, including specific ports, protocols, applications, and networks. +- **Firewall Rules** are a type of profile for [Firewall](endpoint-security-firewall-policy.md) policy that is comprised of granular rules for Firewalls, including specific ports, protocols, applications, and networks. ## Configure your tenant to support Defender for Endpoint security settings management @@ -409,7 +409,7 @@ You can create groups for these devices [in Microsoft Entra](/azure/active-direc > Custom scripts and [Microsoft Entra dynamic device groups](/azure/active-directory/enterprise-users/groups-dynamic-membership) created before this change that specify rules that reference only *Windows* might exclude *Windows Servers* when used with the Security Management for Microsoft Defender for Endpoint solution. For example: > > - If you have a rule that uses the `equals` or `not equals` operator to identify *Windows*, this change will affect your rule. That is because previously both *Windows* and *Windows Server* were reported as *Windows*. To continue to include both, you must update the rule to also reference *Windows Server*. -> - If you have a rule that use the `contains` or `like` operator to specify *Windows*, then the rule won't be affected by this change. These operators can find both *Windows* and *Windows Server*. +> - If you have a rule that uses the `contains` or `like` operator to specify *Windows*, then the rule won't be affected by this change. These operators can find both *Windows* and *Windows Server*. > [!TIP] > From 820879cbd5e15694e134fc4b20622e3f025962b6 Mon Sep 17 00:00:00 2001 
From: abigail-stein <123512958+abigail-stein@users.noreply.github.com> Date: Fri, 3 Jan 2025 15:28:00 -0500 Subject: [PATCH 171/237] Update app-configuration-managed-home-screen-app.md Adding a note for an edge case regarding access to settings. Let's sync before pushing the changes --- .../intune/apps/app-configuration-managed-home-screen-app.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md index db49c80a223..165bbf9871e 100644 --- a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md +++ b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md @@ -132,6 +132,8 @@ The following table lists the Managed Home Screen available configuration keys, > [!NOTE] > The virtual home button requires granting overlay permission to MHS. The notification badge functionality requires granting notification permission to MHS.The brightness slider, adaptive brightness toggle, and autorotate toggle require granting write settings permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant these permissions to prevent possible breakout scenarios from the Settings application. +> On devices using some OS versions, a notification may be presented to users alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. This allows the user the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions when necessary. + **Configurations for a custom screensaver**: 
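Review bot: the line added in the `@@ -132,6 +132,8 @@` hunk follows the existing `>` note text with no empty `>` line between them, so it renders as a continuation of the paragraph that ends "to prevent possible breakout scenarios from the Settings application." Add a bare `>` separator so the caveat stands out. "On devices using some OS versions" is also too vague for an admin deciding whether a kiosk is exposed to this Settings breakout; name the affected OS versions, or say that they aren't known. The commit message says "Let's sync before pushing the changes", so confirm that sync happened before merge.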
@@ -150,6 +152,7 @@ The following table lists the Managed Home Screen available configuration keys, > [!NOTE] > The screensaver requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application. +> On devices using some OS versions, a notification may be presented to users alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. This allows the user the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions when necessary. **Configurations to help with troubleshooting issues on the device**: 
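Review bot: the sentence block added in the `@@ -150,6 +152,7 @@` hunk is a verbatim copy of the text added in the other three hunks of this patch ("On devices using some OS versions, ... when necessary."). Four hand-maintained copies of a security caveat in one article will drift apart. State it once near the top of the configuration tables, or move it to a shared include file and reference it from each note.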
@@ -164,6 +167,7 @@ The following table lists the Managed Home Screen available configuration keys, >[!NOTE] > The automatic relaunch functionality requires granting exact alarm permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant exact alarm permission to prevent possible breakout scenarios from the Settings application. +>On devices using some OS versions, a notification may be presented to users alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. This allows the user the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions when necessary. **Configurations to customize Managed Home Screen experience when device is set up with Microsoft Entra shared device mode**: 
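Review bot: the added line in the `@@ -164,6 +167,7 @@` hunk starts with `>On devices`, with no space after `>`, while the same sentence in the other three hunks starts with `> On devices`. Use `> ` here too. The closing recommendation, "only configure notifications and features which require permissions when necessary", is ambiguous about what is being limited; wording such as "Configure features that require these permissions only when they're needed" states the kiosk-hardening advice directly.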
@@ -199,6 +203,7 @@ The following table lists the Managed Home Screen available configuration keys, > [!NOTE] > The automatic sign out feature requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application. +> On devices using some OS versions, a notification may be presented to users alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. This allows the user the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions when necessary. ## Enter JSON Data From 54fd42e1f47d6559e789561d42846fbb98dbaf0a Mon Sep 17 00:00:00 2001 From: Per Larsen Date: Mon, 6 Jan 2025 12:05:13 +0100 Subject: [PATCH 172/237] Update endpoint-security-app-control-policy.md --- memdocs/intune/protect/endpoint-security-app-control-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/protect/endpoint-security-app-control-policy.md b/memdocs/intune/protect/endpoint-security-app-control-policy.md index ba79d597475..1dd0699a26f 100644 --- a/memdocs/intune/protect/endpoint-security-app-control-policy.md +++ b/memdocs/intune/protect/endpoint-security-app-control-policy.md 
@@ -70,7 +70,7 @@ The following devices are supported for App Control for Business policies when t - **Windows Enterprise or Education**: - Windows 10 version 1903 or later - - Windows 11 version 1903 or later + - Windows 11 - **Windows Professional**: - Windows 10 with [KB5019959](https://support.microsoft.com/topic/november-8-2022-kb5019959-os-builds-19042-2251-19043-2251-19044-2251-and-19045-2251-f65e0600-2135-4efd-a979-08d1df34dce8) From a4fd9136c3509e3dd4047fae1522050070760072 Mon Sep 17 00:00:00 2001 From: Kara Wang <146743611+kara-wang@users.noreply.github.com> Date: Mon, 6 Jan 2025 11:56:18 -0500 Subject: [PATCH 173/237] Update remote-help-android.md Updating overlay permission as Samsung now provides the ability to be granted silently in OEMConfig --- memdocs/intune/fundamentals/remote-help-android.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/memdocs/intune/fundamentals/remote-help-android.md b/memdocs/intune/fundamentals/remote-help-android.md index 681ad9aca70..650e82bf80b 100644 --- a/memdocs/intune/fundamentals/remote-help-android.md +++ b/memdocs/intune/fundamentals/remote-help-android.md 
@@ -233,13 +233,7 @@ In this section: > [!IMPORTANT] > If the device is running in kiosk mode, the Settings app (which is where the permission is granted) needs to be designated as a system app so that it can launch. See [Granting overlay permissions to Managed Home Screen for Android Enterprise dedicated devices](https://techcommunity.microsoft.com/t5/intune-customer-success/granting-overlay-permissions-to-managed-home-screen-for-android/ba-p/3247041) for detailed instructions. -The Remote Help app needs the **Display over other apps** or **Appear on top** permission to display the Remote Help session UI. To grant this permission, complete the following steps: - -1. After installing the Remote Help app, launch it. - -2. If the permission isn't already granted, the app displays a prompt that launches **Settings** to grant the permission. - -3. Tap **Grant** on the prompt, scroll down to **Appear on top** and turn the setting **On**. (The specific UI may differ depending on your device.) +The Remote Help app needs the **Display over other apps** or **Appear on top** permission to display the Remote Help session UI. To grant this permission, create an OEMConfig profile that configures the permissions in the OEMConfig app. ##### Knox KLMS Agent consent From 01dbbb02a415d4166a714cd38a54bbfed2302d43 Mon Sep 17 00:00:00 2001 
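Review bot: the unchanged `[!IMPORTANT]` note at the top of the `@@ -233,13 +233,7 @@` hunk in remote-help-android.md still says the Settings app "is where the permission is granted" and must be designated as a system app in kiosk mode, which conflicts with the new instruction to grant the permission through an OEMConfig profile. Update or remove that note in the same change, because exposing Settings on a kiosk is exactly what the OEMConfig route avoids. The commit message attributes the silent grant to Samsung, but the new sentence names no OEM and the manual steps are deleted outright; say which devices the OEMConfig method applies to and keep the manual steps for devices where it doesn't.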
From: Laura Newsad Date: Mon, 6 Jan 2025 12:39:37 -0500 Subject: [PATCH 174/237] Separated tutorial steps --- .../apple-school-manager-set-up-ios.md | 162 ++---------------- .../enrollment/apple-school-manager-step-1.md | 70 ++++++++ .../enrollment/apple-school-manager-step-2.md | 119 +++++++++++++ .../enrollment/apple-school-manager-step-3.md | 73 ++++++++ memdocs/intune/toc.yml | 12 +- 5 files changed, 289 insertions(+), 147 deletions(-) create mode 100644 memdocs/intune/enrollment/apple-school-manager-step-1.md create mode 100644 memdocs/intune/enrollment/apple-school-manager-step-2.md create mode 100644 memdocs/intune/enrollment/apple-school-manager-step-3.md diff --git a/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md b/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md index 812b2fd0bcd..b856d7e21e4 100644 --- a/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md +++ b/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md @@ -3,12 +3,12 @@ title: Apple School Manager Program enrollment for iOS/iPadOS devices titleSuffix: Microsoft Intune -description: Learn how to set up Apple School Manager program enrollment for corporate-owned iOS/iPadOS devices with Intune. +description: Learn how to set up Microsoft Intune with Apple School Manager for corporate-owned iOS/iPadOS devices. keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 06/17/2020 +ms.date: 01/06/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment @@ -20,7 +20,7 @@ ms.assetid: 4c35a23e-0c61-11e8-ba89-0ed5f89f718b #ROBOTS: #audience: -ms.reviewer: tisilver +ms.reviewer: annovich ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: 
@@ -33,153 +33,25 @@ ms.collection: [!INCLUDE [azure_portal](../includes/azure_portal.md)] -You can set up Intune to enroll iOS/iPadOS devices purchased through the [Apple School Manager](https://school.apple.com/) program. Using Intune with Apple School Manager, you can enroll large numbers of iOS/iPadOS devices without ever touching them. When a student or teacher turns on the device, Setup Assistant runs with preconfigured settings and the device enrolls into management. +Set up Microsoft Intune to enroll iOS/iPadOS devices purchased through [Apple School Manager](https://school.apple.com/). Using Intune with Apple School Manager, you can enroll large numbers of iOS/iPadOS devices without ever touching them. When a student or teacher turns on the device, Apple Setup Assistant runs with preconfigured settings and the device enrolls into management. -To enable Apple School Manager enrollment, you use both the Intune and Apple School Manager portals. A list of serial numbers or a purchase order number is required so you can assign devices to Intune for management. You create Automated Device Enrollment (ADE) enrollment profiles containing settings that applied to devices during enrollment. -Apple School Manager enrollment can't be used with the [device enrollment manager](device-enrollment-manager-enroll.md). +## Prerequisites -**Prerequisites** -- [Apple Mobile Device Management (MDM) Push certificate](apple-mdm-push-certificate-get.md) -- [MDM Authority](../fundamentals/mdm-authority-set.md) -- If using ADFS, user affinity requires [WS-Trust 1.3 Username/Mixed endpoint](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff608241(v=ws.10)). [Learn more](/powershell/module/adfs/get-adfsendpoint). -- Devices purchased from the [Apple School Management](http://school.apple.com) program +To enable Apple School Manager enrollment, you use both the Microsoft Intune admin center and Apple School Manager portal. 
You need a list of serial numbers or a purchase order number so that you can assign devices to Intune. -## Get an Apple token and assign devices +- Get an [Apple mobile device management (MDM) push certificate](apple-mdm-push-certificate-get.md). +- Set up the [MDM Authority](../fundamentals/mdm-authority-set.md). +- If using ADFS, user affinity requires [WS-Trust 1.3 Username/Mixed endpoint](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff608241(v=ws.10)). For more information, see [Get adfs endpoint](/powershell/module/adfs/get-adfsendpoint). +- Devices must be purchased from the [Apple School Management](http://school.apple.com) program. -Before you can enroll corporate-owned iOS/iPadOS devices with Apple School Manager, you need a token (.p7m) file from Apple. This token lets Intune sync information about Apple School Manager-participating devices. It also permits Intune to perform enrollment profile uploads to Apple and to assign devices to those profiles. While you are in the Apple portal, you can also assign device serial numbers to manage. +Apple School Manager enrollment can't be used with the [device enrollment manager](device-enrollment-manager-enroll.md). -### Step 1: Download the Intune public key certificate required to create an Apple token +## Next steps -1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**. -1. Select the **Apple** tab. -1. Choose **Enrollment Program Tokens**. -1. Select **Add**. -1. Select **Download your public key** to download and save the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple School Manager portal. +This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager. -### Step 2: Download a token and assign devices -1. 
Choose **Create a token via Apple School Manager**, and sign in to Apple School with your company Apple ID. You can use this Apple ID to renew your Apple School Manager token. -2. In the [Apple School Manager portal](https://school.apple.com), go to **MDM Servers**, and then choose **Add MDM Server** (upper right). -3. Enter the MDM server name. The server name is for your reference to identify the mobile device management (MDM) server. It isn't the name or URL of the Microsoft Intune server. -4. Choose **Upload File...** in the Apple portal, browse to the .pem file, and choose **Save MDM Server** (lower right). -5. Choose **Get Token** and then download the server token (.p7m) file to your computer. -6. Go to **Device Assignments**. Choose your devices by manually entering their serial numbers or order number. -7. Choose the action **Assign to Server**, and choose the **MDM Server** you created. -8. Specify how to **Choose Devices**, then provide device information and details. -9. Choose **Assign to Server** and choose the <ServerName> specified for Microsoft Intune, and then choose **OK**. - -### Step 3: Save the Apple ID used to create this token - -Return to the [admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and enter the Apple ID. - -![Screenshot of specifying the Apple ID used to create the enrollment program token and browsing to the enrollment program token.](./media/apple-school-manager-set-up-ios/image03.png) - -### Step 4: Upload your token -In the **Apple token** box, browse to the certificate (.pem) file, choose **Open**, and then choose **Create**. With the push certificate, Intune can enroll and manage iOS/iPadOS devices by pushing policy to enrolled mobile devices. Intune automatically synchronizes your Apple School Manager devices from Apple. - -## Create an Apple enrollment profile -Now that you've installed your token, you can create an enrollment profile for Apple School devices. 
A device enrollment profile defines the settings applied to a group of devices during enrollment. - -1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**. -1. Select the **Apple** tab. -1. Under **Bulk Enrollment Methods**, Choose **Enrollment program tokens**. -1. Select a token. -1. Select **Profiles** > **Create profile** > **iOS/iPadOS**. - -1. Under **Create Profile**, enter a **Name** and **Description** for the profile for administrative purposes. Users don't see these details. You can use this **Name** field to create a dynamic group in Microsoft Entra ID. Use the profile name to define the enrollmentProfileName parameter to assign devices with this enrollment profile. Learn more about [Microsoft Entra dynamic groups](/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal#rules-for-devices). - - ![Profile name and description.](./media/apple-school-manager-set-up-ios/image05.png) - -1. For **User Affinity**, choose whether devices with this profile must enroll with or without an assigned user. - - **Enroll with User Affinity** - Choose this option for devices that belong to users and that want to use the company portal for services like installing apps. This option also lets users authenticate their devices by using the company portal. If using ADFS, user affinity requires [WS-Trust 1.3 Username/Mixed endpoint](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff608241(v=ws.10)). [Learn more](/powershell/module/adfs/get-adfsendpoint). Apple School Manager's Shared iPad mode requires user enroll without user affinity. - - - **Enroll without User Affinity** - Choose this option for devices unaffiliated with a single user, such as a shared device. Use this option for devices that perform tasks without accessing local user data. Apps like the Company Portal app don't work. - -1. 
If you chose **Enroll with User Affinity**, you can let users authenticate with Company Portal, Setup Assistant (legacy), and Setup Assistant with modern authentication. Select the option. For more information about authentication methods, see [Authentication methods for automated device enrollment in Intune](automated-device-enrollment-authentication.md). - - > [!NOTE] - > If you want do any of the following, set **Authenticate with Company Portal instead of Apple Setup Assistant** to **Yes**. - > - use multifactor authentication - > - prompt users who need to change their password when they first sign in - > - prompt users to reset their expired passwords during enrollment - > - > These aren't supported when authenticating with Apple Setup Assistant. - -1. Choose **Device Management Settings** and choose if you want devices using this profile to be supervised. - **Supervised** devices give you more management options and disabled Activation Lock by default. Microsoft recommends using ADE as the mechanism for enabling Intune's supervised mode, especially for organizations that are deploying large numbers of iOS/iPadOS devices. - - Users are notified that their devices are supervised in two ways: - - - The lock screen says: "This iPhone is managed by Contoso." - - The **Settings** > **General** > **About** screen says: "This iPhone is supervised. Contoso can monitor your Internet traffic and locate this device." - - > [!NOTE] - > A device enrolled without supervision can only be reset to supervised by using the Apple Configurator. Resetting the device in this manner requires connecting an iOS/iPadOS device to a Mac with a USB cable. Learn more about this on [Apple Configurator docs](https://support.apple.com/guide/apple-configurator-mac). - -1. Choose if you want locked enrollment for devices using this profile. **Locked enrollment** disables iOS/iPadOS settings that allow the management profile to be removed from the **Settings** menu. 
After device enrollment, you can't change this setting without wiping the device. Such devices must have the **Supervised** Management Mode set to *Yes*. - -1. You can let multiple users sign on to enrolled iPads by using a managed Apple ID. To do so, choose **Yes** under **Shared iPad** (this option requires **Enroll without User Affinity** and **Supervised** mode set to **Yes**.) Managed Apple IDs are created in the Apple School Manager portal. Learn more about [shared iPad](../fundamentals/education-settings-configure-ios-shared.md) and [Apple's shared iPad requirements](https://help.apple.com/classroom/ipad/2.0/#/cad7e2e0cf56). - -1. Choose if you want the devices using this profile to be able to **Sync with computers**. **Deny All** means that all devices using this profile won't be able to sync with any data on any computer. If you choose **Allow Apple Configurator by certificate**, you must choose a certificate under **Apple Configurator Certificates**. - -1. If you chose **Allow Apple Configurator by certificate** in the previous step, choose an Apple Configurator Certificate to import. - -1. You can specify a naming format for devices that is automatically applied when they enroll. To do so, select **Yes** under **Apply device name template**. Then, in the **Device Name Template** box, enter the template to use for the names using this profile. You can specify a template format that includes the device type and serial number. - -1. Choose **OK**. - -1. Choose **Setup Assistant Settings** to configure the following profile settings: - - | Setting | Description | - |------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| - | Department Name | Appears when users tap About Configuration during activation. 
| - | Department Phone | Appears when the user clicks the Need Help button during activation. | - | Setup Assistant Options | The following optional settings can be set up later in the iOS/iPadOS Settings menu. | - | Passcode | Prompt for passcode during activation. Always require a passcode for unsecured devices unless access is controlled in some other manner (like kiosk mode that restricts the device to one app). | - | Location Services | If enabled, Setup Assistant prompts for the service during activation. | - | Restore | If enabled, Setup Assistant prompts for iCloud backup during activation. | - | iCloud and Apple ID | If enabled, Setup Assistant prompts the user to sign in an Apple ID and the Apps & Data screen will allow the device to be restored from iCloud backup. | - | Terms and Conditions | If enabled, Setup Assistant prompts users to accept Apple's terms and conditions during activation. | - | Touch ID | If enabled, Setup Assistant prompts for this service during activation. | - | Apple Pay | If enabled, Setup Assistant prompts for this service during activation. | - | Zoom | If enabled, Setup Assistant prompts for this service during activation. | - | Siri | If enabled, Setup Assistant prompts for this service during activation. | - | Diagnostic Data | If enabled, Setup Assistant prompts for this service during activation. | - - -1. Choose **OK**. - -1. To save the profile, choose **Create**. - -## Sync managed devices - -After Intune has been assigned permission to manage your Apple School Manager devices, synchronize Intune with the Apple service to see your managed devices in Intune. - -1. Return to **Enrollment Program Tokens**. -1. Select a token in the list. -1. Select **Devices** > **Sync**. 
-![Screenshot of the Enrollment Program Devices node and Sync link.](./media/device-enrollment-program-enroll-ios/image06.png) - -To follow Apple's terms for acceptable enrollment program traffic, Intune imposes the following restrictions: -- A full sync can run no more than once every seven days. During a full sync, Intune refreshes every Apple serial number assigned to Intune. If a full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers that aren't already listed in Intune. -- Any sync request is given 15 minutes to finish. During this time or until the request succeeds, the **Sync** button is disabled. -- Intune syncs new and removed devices with Apple every 24 hours. - ->[!NOTE] ->You can also assign Apple School Manager serial numbers to profiles from the **Enrollment Program Devices** blade. - -## Assign a profile to devices -Apple School Manager devices managed by Intune must be assigned an enrollment profile before they're enrolled. - -1. Return to **Enrollment Program Tokens**. -1. Select a token in the list. -1. Select **Devices** and choose your devices. -1. Select **Assign profile**. Then select a profile for the devices. -1. Select **Assign**. - -## Distribute devices to users - -You have enabled management and syncing between Apple and Intune, and assigned a profile to let your Apple School devices enroll. You can now distribute devices to users. When an iOS/iPadOS Apple School Manager device is turned on, it's enrolled for management by Intune. Profiles can't be applied to activated devices currently in use until the device is wiped. - -## Connect School Data Sync -Microsoft Education is transitioning to a new School Data Sync (SDS) experience with enhanced features, starting August 2024 for the Northern Hemisphere and January 2025 for the Southern Hemisphere. The current Apple School Manager support will be retired by December 31, 2024. 
This new experience offers various enhancements over SDS (Classic) including decoupled data ingestion, faster syncs with fewer errors, support for larger organizations, and a modern user interface. If you have further questions, please contact Microsoft Education support with questions regarding the transition to the new School Data Sync experience. +1. 🡺 Prerequisites (*You are here*) +1. [Get an Apple token and assign devices](apple-school-manager-step-1.md) +1. [Create an Apple enrollment profile](apple-school-manager-step-2.md) +1. [Sync managed devices](apple-school-manager-step-3.md) diff --git a/memdocs/intune/enrollment/apple-school-manager-step-1.md b/memdocs/intune/enrollment/apple-school-manager-step-1.md new file mode 100644 index 00000000000..747822c4176 --- /dev/null +++ b/memdocs/intune/enrollment/apple-school-manager-step-1.md 
@@ -0,0 +1,70 @@ +--- +# required metadata + +title: Apple School Manager - get Apple token and assign devices +titleSuffix: Microsoft Intune +description: Get the Apple token needed to set up Apple School Manager and Microsoft Intune for corporate-owned iOS/iPadOS devices. +keywords: +author: Lenewsad +ms.author: lanewsad +manager: dougeby +ms.date: 01/06/2025 +ms.topic: how-to +ms.service: microsoft-intune +ms.subservice: enrollment +ms.localizationpriority: high +ms.assetid: 4c35a23e-0c61-11e8-ba89-0ed5f89f718b + +# optional metadata + +#ROBOTS: +#audience: + +ms.reviewer: annovich +ms.suite: ems +search.appverid: MET150 +#ms.tgt_pltfrm: +ms.collection: +- tier1 +- M365-identity-device-management +--- + +# Get an Apple token and assign devices + +Before you can enroll corporate-owned iOS/iPadOS devices with Apple School Manager, you need a token (.p7m) file from Apple. This token lets Intune sync information about Apple School Manager-participating devices. It also permits Intune to perform enrollment profile uploads to Apple and to assign devices to those profiles. While you are in the Apple portal, you can also assign device serial numbers to manage. + +## Step 1: Download the Intune public key certificate required to create an Apple token + +1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**. +1. Select the **Apple** tab. +1. Choose **Enrollment Program Tokens**. +1. Select **Add**. +1. Select **Download your public key** to download and save the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple School Manager portal. + +## Step 2: Download a token and assign devices +1. Choose **Create a token via Apple School Manager**, and sign in to Apple School with your company Apple ID. You can use this Apple ID to renew your Apple School Manager token. +2. 
In the [Apple School Manager portal](https://school.apple.com), go to **MDM Servers**, and then choose **Add MDM Server** (upper right). +3. Enter the MDM server name. The server name is for your reference to identify the mobile device management (MDM) server. It isn't the name or URL of the Microsoft Intune server. +4. Choose **Upload File...** in the Apple portal, browse to the .pem file, and choose **Save MDM Server** (lower right). +5. Choose **Get Token** and then download the server token (.p7m) file to your computer. +6. Go to **Device Assignments**. Choose your devices by manually entering their serial numbers or order number. +7. Choose the action **Assign to Server**, and choose the **MDM Server** you created. +8. Specify how to **Choose Devices**, then provide device information and details. +9. Choose **Assign to Server** and choose the <ServerName> specified for Microsoft Intune, and then choose **OK**. + +## Step 3: Save the Apple ID used to create this token + +Return to the [admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and enter the Apple ID. + +![Screenshot of specifying the Apple ID used to create the enrollment program token and browsing to the enrollment program token.](./media/apple-school-manager-set-up-ios/image03.png) + +## Step 4: Upload your token +In the **Apple token** box, browse to the certificate (.pem) file, choose **Open**, and then choose **Create**. With the push certificate, Intune can enroll and manage iOS/iPadOS devices by pushing policy to enrolled mobile devices. Intune automatically synchronizes your Apple School Manager devices from Apple. + +## Next steps +This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager. + +1. [Prerequisites](apple-school-manager-set-up-ios.md) +1. 🡺 Get an Apple token and assign devices (*You are here*) +1. [Create an Apple enrollment profile](apple-school-manager-step-2.md) +1. 
[Sync managed devices](apple-school-manager-step-3.md) \ No newline at end of file diff --git a/memdocs/intune/enrollment/apple-school-manager-step-2.md b/memdocs/intune/enrollment/apple-school-manager-step-2.md new file mode 100644 index 00000000000..1dac2d1ef75 --- /dev/null +++ b/memdocs/intune/enrollment/apple-school-manager-step-2.md 
@@ -0,0 +1,119 @@ +--- +# required metadata + +title: Apple School Manager - create enrollment profile +titleSuffix: Microsoft Intune +description: Learn how to create the enrollment profile in Intune for Apple School Manager enrollment. +keywords: +author: Lenewsad +ms.author: lanewsad +manager: dougeby +ms.date: 01/06/2025 +ms.topic: how-to +ms.service: microsoft-intune +ms.subservice: enrollment +ms.localizationpriority: high +ms.assetid: 4c35a23e-0c61-11e8-ba89-0ed5f89f718b + +# optional metadata + +#ROBOTS: +#audience: + +ms.reviewer: annovich +ms.suite: ems +search.appverid: MET150 +#ms.tgt_pltfrm: +ms.collection: +- tier1 +- M365-identity-device-management +--- + +# Create an Apple enrollment profile +After you get your Apple token, you can create an enrollment profile for school devices. An essential part of setup is creating enrollment profiles. The profiles contain the settings that apply to devices during device enrollment. + +## Create a profile + +1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**. +1. Select the **Apple** tab. +1. Under **Bulk Enrollment Methods**, Choose **Enrollment program tokens**. +1. Select a token. +1. Select **Profiles** > **Create profile** > **iOS/iPadOS**. + +1. Under **Create Profile**, enter a **Name** and **Description** for the profile, for administrative purposes. Users don't see these details. + + ![Example screenshot of the profile name and description fields in the admin center.](./media/apple-school-manager-set-up-ios/image05.png) + +>[!TIP] +> You can use the name you enter here to create a dynamic group in Microsoft Entra ID. To assign devices with this enrollment profile, for example, use the name to define the enrollmentProfileName parameter in your dynamic group rules. For more information, see [Microsoft Entra dynamic groups](/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal#rules-for-devices). + + +1. 
For **User Affinity**, decide if devices with this profile must enroll with an assigned user or without an assigned user. + - **Enroll with User Affinity** - Choose this option for devices that belong to users and that want to use the company portal for services like installing apps. This option also lets users authenticate their devices by using the company portal. If using ADFS, user affinity requires [WS-Trust 1.3 Username/Mixed endpoint](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff608241(v=ws.10)). [Learn more](/powershell/module/adfs/get-adfsendpoint). Apple School Manager's Shared iPad mode requires user enroll without user affinity. + + - **Enroll without User Affinity** - Choose this option for devices unaffiliated with a single user, such as a shared device. Use this option for devices that perform tasks without accessing local user data. Apps like the Company Portal app don't work. + +1. If you chose **Enroll with User Affinity**, you can let users authenticate with Company Portal, Setup Assistant (legacy), and Setup Assistant with modern authentication. Select the option. For more information about authentication methods, see [Authentication methods for automated device enrollment in Intune](automated-device-enrollment-authentication.md). + + > [!NOTE] + > If you want do any of the following, set **Authenticate with Company Portal instead of Apple Setup Assistant** to **Yes**. + > - use multifactor authentication + > - prompt users who need to change their password when they first sign in + > - prompt users to reset their expired passwords during enrollment + > + > These aren't supported when authenticating with Apple Setup Assistant. + +1. Choose **Device Management Settings** and choose if you want devices using this profile to be supervised. + **Supervised** devices give you more management options and disabled Activation Lock by default. 
Microsoft recommends using ADE as the mechanism for enabling Intune's supervised mode, especially for organizations that are deploying large numbers of iOS/iPadOS devices. + + Users are notified that their devices are supervised in two ways: + + - The lock screen says: "This iPhone is managed by Contoso." + - The **Settings** > **General** > **About** screen says: "This iPhone is supervised. Contoso can monitor your Internet traffic and locate this device." + + > [!NOTE] + > A device enrolled without supervision can only be reset to supervised by using the Apple Configurator. Resetting the device in this manner requires connecting an iOS/iPadOS device to a Mac with a USB cable. Learn more about this on [Apple Configurator docs](https://support.apple.com/guide/apple-configurator-mac). + +1. Choose if you want locked enrollment for devices using this profile. **Locked enrollment** disables iOS/iPadOS settings that allow the management profile to be removed from the **Settings** menu. After device enrollment, you can't change this setting without wiping the device. Such devices must have the **Supervised** Management Mode set to *Yes*. + +1. You can let multiple users sign on to enrolled iPads by using a managed Apple ID. To do so, choose **Yes** under **Shared iPad** (this option requires **Enroll without User Affinity** and **Supervised** mode set to **Yes**.) Managed Apple IDs are created in the Apple School Manager portal. Learn more about [shared iPad](../fundamentals/education-settings-configure-ios-shared.md) and [Apple's shared iPad requirements](https://help.apple.com/classroom/ipad/2.0/#/cad7e2e0cf56). + +1. Choose if you want the devices using this profile to be able to **Sync with computers**. **Deny All** means that all devices using this profile won't be able to sync with any data on any computer. If you choose **Allow Apple Configurator by certificate**, you must choose a certificate under **Apple Configurator Certificates**. + +1. 
If you chose **Allow Apple Configurator by certificate** in the previous step, choose an Apple Configurator Certificate to import. + +1. You can specify a naming format for devices that is automatically applied when they enroll. To do so, select **Yes** under **Apply device name template**. Then, in the **Device Name Template** box, enter the template to use for the names using this profile. You can specify a template format that includes the device type and serial number. + +1. Choose **OK**. + +1. Choose **Setup Assistant Settings** to configure the following profile settings: + + | Setting | Description | + |------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| + | Department Name | Appears when users tap About Configuration during activation. | + | Department Phone | Appears when the user clicks the Need Help button during activation. | + | Setup Assistant Options | The following optional settings can be set up later in the iOS/iPadOS Settings menu. | + | Passcode | Prompt for passcode during activation. Always require a passcode for unsecured devices unless access is controlled in some other manner (like kiosk mode that restricts the device to one app). | + | Location Services | If enabled, Setup Assistant prompts for the service during activation. | + | Restore | If enabled, Setup Assistant prompts for iCloud backup during activation. | + | iCloud and Apple ID | If enabled, Setup Assistant prompts the user to sign in an Apple ID and the Apps & Data screen will allow the device to be restored from iCloud backup. | + | Terms and Conditions | If enabled, Setup Assistant prompts users to accept Apple's terms and conditions during activation. | + | Touch ID | If enabled, Setup Assistant prompts for this service during activation. 
| + | Apple Pay | If enabled, Setup Assistant prompts for this service during activation. | + | Zoom | If enabled, Setup Assistant prompts for this service during activation. | + | Siri | If enabled, Setup Assistant prompts for this service during activation. | + | Diagnostic Data | If enabled, Setup Assistant prompts for this service during activation. | + + +1. Choose **OK**. + +1. To save the profile, choose **Create**. + +## Next steps +This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager. + +1. [Prerequisites](apple-school-manager-set-up-ios.md) +1. [Get an Apple token and assign devices](apple-school-manager-step-1.md) +1. 🡺 Create an Apple enrollment profile (*You are here*) +1. [Sync managed devices](apple-school-manager-step-3.md) + diff --git a/memdocs/intune/enrollment/apple-school-manager-step-3.md b/memdocs/intune/enrollment/apple-school-manager-step-3.md new file mode 100644 index 00000000000..0ea51cbebc9 --- /dev/null +++ b/memdocs/intune/enrollment/apple-school-manager-step-3.md 
@@ -0,0 +1,73 @@ +--- +# required metadata + +title: Apple School Manager - sync and distribute devices +titleSuffix: Microsoft Intune +description: Sync and distribute Apple School Manager devices enrolled in Microsoft Intune. +keywords: +author: Lenewsad +ms.author: lanewsad +manager: dougeby +ms.date: 01/06/2025 +ms.topic: how-to +ms.service: microsoft-intune +ms.subservice: enrollment +ms.localizationpriority: high +ms.assetid: 4c35a23e-0c61-11e8-ba89-0ed5f89f718b + +# optional metadata + +#ROBOTS: +#audience: + +ms.reviewer: annovich +ms.suite: ems +search.appverid: MET150 +#ms.tgt_pltfrm: +ms.collection: +- tier1 +- M365-identity-device-management +--- + +# Sync managed devices + +After you assign Microsoft Intune permission to manage your Apple School Manager devices, sync Intune with the Apple service to see your managed devices in the admin center. + +## Start a sync + +1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), return to **Enrollment Program Tokens**. +1. Select a token in the list. +1. Select **Devices** > **Sync**. +![Screenshot of the Enrollment Program Devices node and Sync link.](./media/device-enrollment-program-enroll-ios/image06.png) + +To follow Apple's terms for acceptable enrollment program traffic, Intune imposes the following restrictions: +- A full sync can run no more than once every seven days. During a full sync, Intune refreshes every Apple serial number assigned to Intune. If a full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers that aren't already listed in Intune. +- Any sync request is given 15 minutes to finish. During this time or until the request succeeds, the **Sync** button is disabled. +- Intune syncs new and removed devices with Apple every 24 hours. + +>[!NOTE] +>You can also assign Apple School Manager serial numbers to profiles from the **Enrollment Program Devices** blade. 
+ +## Assign a profile to devices +Apple School Manager devices managed by Intune must be assigned an enrollment profile before they're enrolled. + +1. Return to **Enrollment Program Tokens**. +1. Select a token in the list. +1. Select **Devices**, and then choose your devices. +1. Select **Assign profile**. Then select a profile for the devices. +1. Select **Assign**. + +## Distribute devices to users + +You have enabled management and syncing between Apple and Intune, and assigned a profile to let your Apple School devices enroll. You can now distribute devices to users. When an iOS/iPadOS Apple School Manager device is turned on, it's enrolled for management by Intune. Profiles can't be applied to activated devices currently in use until the device is wiped. + +## Connect School Data Sync +Microsoft Education is transitioning to a new School Data Sync (SDS) experience with enhanced features, starting August 2024 for the Northern Hemisphere and January 2025 for the Southern Hemisphere. The current Apple School Manager support will be retired by December 31, 2024. This new experience offers various enhancements over SDS (Classic) including decoupled data ingestion, faster syncs with fewer errors, support for larger organizations, and a modern user interface. If you have further questions, please contact Microsoft Education support with questions regarding the transition to the new School Data Sync experience. + +## Next steps +This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager. + +1. [Prerequisites](apple-school-manager-set-up-ios.md) +1. [Get an Apple token and assign devices](apple-school-manager-step-1.md) +1. [Create an Apple enrollment profile](apple-school-manager-step-2.md) +1. 🡺 Sync managed devices (*You are here*) diff --git a/memdocs/intune/toc.yml b/memdocs/intune/toc.yml index 223d0c32887..46175eae67c 100644 --- a/memdocs/intune/toc.yml +++ b/memdocs/intune/toc.yml 
@@ -1681,8 +1681,16 @@ items: - name: Set up enrollment for shared device mode href: ./enrollment/automated-device-enrollment-shared-device-mode.md displayName: devices, frontline worker, automated device enrollment - - name: Walkthrough - Set up enrollment with Apple School Manager - href: ./enrollment/apple-school-manager-set-up-ios.md + - name: Walkthrough - Set up enrollment with Apple School Manager + - name: Prerequisites + href: ./enrollment/apple-school-manager-set-up-ios.md + - name: Step 1 - Get an Apple token and assign devices + href: ./enrollment/apple-school-manager-step-1.md + - name: Step 2 - Create an Apple enrollment profile + href: ./enrollment/apple-school-manager-step-2.md + - name: Step 3 - Sync managed devices + href: ./enrollment/apple-school-manager-step-3.md + - name: Set up Apple device enrollment items: - name: Overview From b6489bc5755dc2fb5185eb1a72994cba96cf58f0 Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Mon, 6 Jan 2025 10:04:54 -0800 Subject: [PATCH 175/237] erikre-docs-15752803 --- memdocs/intune/fundamentals/intune-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index cf9c1aed93b..63ebedff1e4 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md +++ b/memdocs/intune/fundamentals/intune-endpoints.md @@ -185,7 +185,7 @@ For more information, see the following resources: | 179 | MEM - Android AOSP Dependency | Default
    Required | False | `intunecdnpeasd.azureedge.net`
    | **TCP:** 443 | > [!NOTE] -> Because Google Mobile Services isn't available in China, devices in China managed by Intune can't use features that require Google Mobile Services. These features include: Google Play Protect capabilities such as SafetyNet device attestation, Managing apps from the Google Play Store, +> Because Google Mobile Services isn't available in China, devices in China managed by Intune can't use features that require Google Mobile Services. These features include: Google Play Protect capabilities such as Play Integrity Verdict, Managing apps from the Google Play Store, Android Enterprise capabilities (see this [Google documentation](https://support.google.com/work/android/answer/6270910)). Additionally, the Intune Company Portal app for Android uses Google Mobile Services to communicate with the Microsoft Intune service. Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information, see [Limitations of Intune management when GMS is unavailable](../apps/manage-without-gms.md#limitations-of-intune-management-when-gms-is-unavailable). **Android port information** - Depending on how you choose to manage Android devices, you may need to open the Google Android Enterprise ports and/or the Android push notification. For more information on Android management methods supported, see the [Android enrollment documentation](deployment-guide-enrollment-android.md). From ab2fa26902985e19687ee01220966d5f42518da1 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Mon, 6 Jan 2025 10:18:04 -0800 Subject: [PATCH 176/237] Fix broken link in devices-wipe documentation --- memdocs/intune/remote-actions/devices-wipe.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/remote-actions/devices-wipe.md b/memdocs/intune/remote-actions/devices-wipe.md index 9329835184a..af131aa55e5 100644 
--- a/memdocs/intune/remote-actions/devices-wipe.md +++ b/memdocs/intune/remote-actions/devices-wipe.md @@ -43,7 +43,7 @@ The **Wipe** device action restores a device to its factory default settings. Th |**Wipe**| Checked | No | Wipes all MDM Policies. Keeps user accounts and data. Resets user settings back to default. Resets the operating system to its default state and settings.| > [!NOTE] -> The Wipe action is not available for iOS/iPadOS devices enrolled using Account Driven Apple User Enrollment. To create an Account Driven Apple User Enrollment profile: [Set up iOS/iPadOS and iPadOS Account driven Apple User Enrollment]([../enrollment/ios-user-enrollment.md](https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-account-driven-user-enrollment)) +> The Wipe action is not available for iOS/iPadOS devices enrolled using Account Driven Apple User Enrollment. To create an Account Driven Apple User Enrollment profile, see [Set up iOS/iPadOS and iPadOS Account driven Apple User Enrollment](../enrollment/apple-account-driven-user-enrollment.md). > [!NOTE] > By design, Zebra has defined the Wipe action on any Android Zebra device to only remove corporate data from devices, and not perform a factory reset. From 6e0bb0b65b7d655d5dad8c4ba5d5acc323938591 Mon Sep 17 00:00:00 2001 From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Mon, 6 Jan 2025 16:23:00 -0500 Subject: [PATCH 177/237] Updating date Updating date --- autopilot/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autopilot/whats-new.md b/autopilot/whats-new.md index 2f3c91ebfdc..786fce408c7 100644 --- a/autopilot/whats-new.md +++ b/autopilot/whats-new.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj manager: aaroncz ms.reviewer: jubaptis -ms.date: 06/28/2024 +ms.date: 01/06/2024 ms.collection: - M365-modern-desktop - tier2 From dc839909c325506e6692512f5bb8579f39b35cb5 Mon Sep 17 00:00:00 2001 
From: Lee Yan Date: Mon, 6 Jan 2025 13:35:21 -0800 Subject: [PATCH 178/237] Update compliance-policy-monitor.md Updating this doc in response to the customer issues raised through ICM. I worked with Aman Pervaiz of the Compliance team on this. --- memdocs/intune/protect/compliance-policy-monitor.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/memdocs/intune/protect/compliance-policy-monitor.md b/memdocs/intune/protect/compliance-policy-monitor.md index 0fa1368925a..4328e6019a8 100644 --- a/memdocs/intune/protect/compliance-policy-monitor.md +++ b/memdocs/intune/protect/compliance-policy-monitor.md @@ -234,6 +234,13 @@ Policy conflicts can occur when multiple Intune policies are applied to a device To learn more about conflict resolution for policies, see [Compliance and device configuration policies that conflict](../configuration/device-profile-troubleshoot.md#compliance-and-device-configuration-policies-that-conflict). +## How Intune evaluates the Default Compliance Policy + +In Intune, the default compliance policy is evaluated for every device on every calculation. The evaluation process sets the device to non-compliant if any of the following is false. +- "Has a compliance policy assigned" - At least one applicable compliance policy must be assigned to device with an applicable setting inside. +- "Is active" - Device should remain in contact with Intune (turned on with internet and actively connecting. Default grace is 30 days.) +- "Enrolled user exists" - User that is actively using the device exist and has a valid Intune license. + ## Next steps [Compliance policies overview](device-compliance-get-started.md) From 522231d72eb3a7735774240d43e235021b31ca45 Mon Sep 17 00:00:00 2001 
From: Frank Rojas <45807133+frankroj@users.noreply.github.com> Date: Mon, 6 Jan 2025 16:40:04 -0500 Subject: [PATCH 179/237] Style and grammar changes Style and grammar changes plus updated date --- autopilot/device-preparation/known-issues.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/autopilot/device-preparation/known-issues.md b/autopilot/device-preparation/known-issues.md index ec05561ef30..301dfe99936 100644 --- a/autopilot/device-preparation/known-issues.md +++ b/autopilot/device-preparation/known-issues.md @@ -8,7 +8,7 @@ author: frankroj ms.author: frankroj ms.reviewer: jubaptis manager: aaroncz -ms.date: 12/18/2024 +ms.date: 01/06/2025 ms.collection: - M365-modern-desktop - highpri @@ -40,11 +40,11 @@ This article describes known issues that can often be resolved with: ## Known issues -## **Export logs** button in the out-of-box experience (OOBE) does not show any success or failure indication. +## Exporting logs during the out-of-box experience (OOBE) doesn't show result Date added: *January 6, 2025* -When a failure occurs during the provisioning process, an **Export logs** option is displayed to the user. When selected, it saves the file to the first USB drive on the device without displaying the browse dialog. This is for security reasons. Currently, users will not see failure or success messages to indicate the logs were saved. This will be fixed in the future. +When a failure occurs during the provisioning process, an **Export logs** option is displayed to the user. When selected, it saves the file to the first USB drive on the device without displaying the browse dialog. The browse dialog isn't displayed for security reasons. Currently, users don't see failure or success messages to indicate the logs were saved. This issue will be fixed in the future. ## Apps and scripts tabs don't display properly when editing the Windows Autopilot device preparation profile 
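Review bot: In `autopilot/device-preparation/known-issues.md` (PATCH 179/237), the rewritten paragraph under "Exporting logs during the out-of-box experience (OOBE) doesn't show result" says the file is saved to the first USB drive with no success or failure message, but gives the reader no way to confirm that the export worked. Suggest adding how to verify it (what to look for on the USB drive) and what happens when no USB drive is attached, and replacing "This issue will be fixed in the future" with something a reader can track, or dropping it. The new heading would also read better as "doesn't show a result".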
From 141776b772b0be99f2cc6447a27a3469d498315b Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Mon, 6 Jan 2025 14:07:29 -0800 Subject: [PATCH 180/237] erikre-docs-30636964 --- memdocs/intune/apps/app-protection-policies-access-actions.md | 2 +- .../intune/apps/app-protection-policies-configure-windows-10.md | 2 +- memdocs/intune/apps/app-protection-policies-exception.md | 2 +- memdocs/intune/apps/app-protection-policies-validate.md | 2 +- memdocs/intune/apps/app-protection-policy-extensions.md | 2 +- memdocs/intune/apps/app-protection-policy-settings-log.md | 2 +- memdocs/intune/apps/app-provisioning-profile-ios.md | 2 +- memdocs/intune/apps/store-apps-android.md | 2 +- memdocs/intune/apps/store-apps-company-portal-autopilot.md | 2 +- memdocs/intune/apps/store-apps-ios.md | 2 +- 10 files changed, 10 insertions(+), 10 deletions(-) diff --git a/memdocs/intune/apps/app-protection-policies-access-actions.md b/memdocs/intune/apps/app-protection-policies-access-actions.md index 50b78c4df43..8b646524374 100644 --- a/memdocs/intune/apps/app-protection-policies-access-actions.md +++ b/memdocs/intune/apps/app-protection-policies-access-actions.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 02/27/2024 +ms.date: 01/06/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps diff --git a/memdocs/intune/apps/app-protection-policies-configure-windows-10.md b/memdocs/intune/apps/app-protection-policies-configure-windows-10.md index ece8a778217..559365135c9 100644 --- a/memdocs/intune/apps/app-protection-policies-configure-windows-10.md +++ b/memdocs/intune/apps/app-protection-policies-configure-windows-10.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 02/27/2024 +ms.date: 01/06/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps 
diff --git a/memdocs/intune/apps/app-protection-policies-exception.md b/memdocs/intune/apps/app-protection-policies-exception.md index 33a3a17a123..4208c4cd06d 100644 --- a/memdocs/intune/apps/app-protection-policies-exception.md +++ b/memdocs/intune/apps/app-protection-policies-exception.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 02/27/2024 +ms.date: 01/06/2025 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: apps diff --git a/memdocs/intune/apps/app-protection-policies-validate.md b/memdocs/intune/apps/app-protection-policies-validate.md index cacc72026ed..acef31ac7c5 100644 --- a/memdocs/intune/apps/app-protection-policies-validate.md +++ b/memdocs/intune/apps/app-protection-policies-validate.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 02/27/2024 +ms.date: 01/06/2025 ms.service: microsoft-intune ms.subservice: apps ms.localizationpriority: medium diff --git a/memdocs/intune/apps/app-protection-policy-extensions.md b/memdocs/intune/apps/app-protection-policy-extensions.md index 1deccf0b21a..255e8174028 100644 --- a/memdocs/intune/apps/app-protection-policy-extensions.md +++ b/memdocs/intune/apps/app-protection-policy-extensions.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 02/27/2024 +ms.date: 01/06/2025 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: apps diff --git a/memdocs/intune/apps/app-protection-policy-settings-log.md b/memdocs/intune/apps/app-protection-policy-settings-log.md index 30cd06847b8..491ed9ce281 100644 --- a/memdocs/intune/apps/app-protection-policy-settings-log.md +++ b/memdocs/intune/apps/app-protection-policy-settings-log.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 02/27/2024 +ms.date: 01/06/2025 ms.topic: troubleshooting ms.service: microsoft-intune ms.subservice: apps 
diff --git a/memdocs/intune/apps/app-provisioning-profile-ios.md b/memdocs/intune/apps/app-provisioning-profile-ios.md index c7690d7a31e..bc8f0a9af8b 100644 --- a/memdocs/intune/apps/app-provisioning-profile-ios.md +++ b/memdocs/intune/apps/app-provisioning-profile-ios.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 02/27/2024 +ms.date: 01/06/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps diff --git a/memdocs/intune/apps/store-apps-android.md b/memdocs/intune/apps/store-apps-android.md index f56f48667b8..39178a1d183 100644 --- a/memdocs/intune/apps/store-apps-android.md +++ b/memdocs/intune/apps/store-apps-android.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 02/27/2024 +ms.date: 01/06/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps diff --git a/memdocs/intune/apps/store-apps-company-portal-autopilot.md b/memdocs/intune/apps/store-apps-company-portal-autopilot.md index e928750a11b..fa136aae575 100644 --- a/memdocs/intune/apps/store-apps-company-portal-autopilot.md +++ b/memdocs/intune/apps/store-apps-company-portal-autopilot.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 02/27/2024 +ms.date: 01/06/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps diff --git a/memdocs/intune/apps/store-apps-ios.md b/memdocs/intune/apps/store-apps-ios.md index 739c88e02a6..83ade21213a 100644 --- a/memdocs/intune/apps/store-apps-ios.md +++ b/memdocs/intune/apps/store-apps-ios.md @@ -7,7 +7,7 @@ keywords: Intune author: Erikre ms.author: erikre manager: dougeby -ms.date: 02/27/2024 +ms.date: 01/06/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps From da30911637e80e37df5863d577be6f3ec7de4bde Mon Sep 17 00:00:00 2001 
From: Erik Reitan Date: Mon, 6 Jan 2025 14:19:57 -0800 Subject: [PATCH 181/237] erikre-docs-30636964 1.2 --- .../intune/apps/app-protection-policies-access-actions.md | 6 +++--- memdocs/intune/apps/app-protection-policies-exception.md | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/memdocs/intune/apps/app-protection-policies-access-actions.md b/memdocs/intune/apps/app-protection-policies-access-actions.md index 8b646524374..507364357d8 100644 --- a/memdocs/intune/apps/app-protection-policies-access-actions.md +++ b/memdocs/intune/apps/app-protection-policies-access-actions.md @@ -85,7 +85,7 @@ Set one of the following actions: - Allow specified (Wipe nonspecified) **What happens if the IT admin inputs a different list of iOS/iPadOS model identifier(s) between policies targeted to the same apps for the same Intune user?**
    -When conflicts arise between two app protection policies for configured values, Intune typically takes the most restrictive approach. Thus, the resultant policy sent down to the targeted app opened by the targeted Intune user would be an intersection of the listed iOS/iPadOS model identifiers in *Policy A* and *Policy B* targeted to the same app/user combination. For example, *Policy A* specifies "iPhone5,2;iPhone5,3", while *Policy B* specifies "iPhone5,3", the resultant policy that the Intune user targeted by both *Policy A* and *Policy B* is "iPhone5,3". +When conflicts arise between two app protection policies for configured values, Intune typically takes the most restrictive approach. The resultant policy sent down to the targeted app opened by the targeted Intune user would be an intersection of the listed iOS/iPadOS model identifiers in *Policy A* and *Policy B* targeted to the same app/user combination. For example, *Policy A* specifies `iPhone5,2;iPhone5,3`, while *Policy B* specifies `iPhone5,3`, the resultant policy that the Intune user targeted by both *Policy A* and *Policy B* is `iPhone5,3`. ### Android policy settings 
@@ -111,7 +111,7 @@ To use the **Device manufacturer(s)** setting, input a semi-colon separated list Example input: *Manufacturer A;Manufacturer B* >[!NOTE] -> These are some common manufacturers reported from devices using Intune, and can be used as input: Asus;Blackberry;Bq;Gionee;Google;Hmd global;Htc;Huawei;Infinix;Kyocera;Lemobile;Lenovo;Lge;Motorola;Oneplus;Oppo;Samsung;Sharp;Sony;Tecno;Vivo;Vodafone;Xiaomi;Zte;Zuk +> The following list are some common manufacturers reported from devices using Intune, and can be used as input: Asus;Blackberry;Bq;Gionee;Google;Hmd global;Htc;Huawei;Infinix;Kyocera;Lemobile;Lenovo;Lge;Motorola;Oneplus;Oppo;Samsung;Sharp;Sony;Tecno;Vivo;Vodafone;Xiaomi;Zte;Zuk On end-user devices, the Intune client would take action based on a simple matching of device model strings specified in Intune for Application Protection Policies. Matching depends entirely on what the device reports. You (the IT administrator) are encouraged to ensure that the intended behavior occurs by testing this setting based on various device manufacturers and models, and targeted to a small user group. The default value is **Not configured**.
    Set one of the following actions: @@ -119,7 +119,7 @@ Set one of the following actions: - Allow specified (Wipe on nonspecified) **What happens if the IT admin inputs a different list of Android manufacturer(s) between policies targeted to the same apps for the same Intune user?**
    -When conflicts arise between two app protection policies for configured values, Intune typically takes the most restrictive approach. Thus, the resultant policy sent down to the targeted app being opened by the targeted Intune user would be an intersection of the listed Android manufacturers in *Policy A* and *Policy B* targeted to the same app/user combination. For example, *Policy A* specifies "Google;Samsung", while *Policy B* specifies "Google", the resultant policy that the Intune user targeted by both *Policy A* and *Policy B* is "Google." +When conflicts arise between two app protection policies for configured values, Intune typically takes the most restrictive approach. The resultant policy sent down to the targeted app being opened by the targeted Intune user would be an intersection of the listed Android manufacturers in *Policy A* and *Policy B* targeted to the same app/user combination. For example, *Policy A* specifies `Google;Samsung`, while *Policy B* specifies `Google`, the resultant policy that the Intune user targeted by both *Policy A* and *Policy B* is `Google`. ### Additional settings and actions diff --git a/memdocs/intune/apps/app-protection-policies-exception.md b/memdocs/intune/apps/app-protection-policies-exception.md index 4208c4cd06d..b7516e4b217 100644 --- a/memdocs/intune/apps/app-protection-policies-exception.md +++ b/memdocs/intune/apps/app-protection-policies-exception.md 
@@ -36,7 +36,7 @@ ms.collection: As an administrator, you can create exceptions to the Intune App Protection Policy (APP) data transfer policy. An exception allows you to specifically choose which unmanaged apps can transfer data to and from managed apps. Your IT must trust the unmanaged apps that you include in the exception list. >[!WARNING] -> You are responsible for making changes to the data transfer exception policy. Additions to this policy allow unmanaged apps (apps that are not managed by Intune) to access data protected by managed apps. This access to protected data may result in data security leaks. Only add data transfer exceptions for apps that your organization must use, but that do not support Intune APP (Application Protection Policies). Additionally, only add exceptions for apps that you do not consider to be data leak risks. +> You're responsible for making changes to the data transfer exception policy. Additions to this policy allow unmanaged apps (apps that aren't managed by Intune) to access data protected by managed apps. This access to protected data may result in data security leaks. Only add data transfer exceptions for apps that your organization must use, but that don't support Intune APP (Application Protection Policies). Additionally, only add exceptions for apps that you don't consider to be data leak risks. Within an Intune Application Protection Policy, setting **Allow app to transfer data to other apps** to **Policy managed apps** means that the app can transfer data only to apps managed by Intune. If you need to allow data to be transferred to specific apps that don't support Intune APP, you can create exceptions to this policy by using **Select apps to exempt**. Exemptions allow applications managed by Intune to invoke unmanaged applications based on URL protocol (iOS/iPadOS) or package name (Android). By default, Intune adds vital native applications to this list of exceptions. 
@@ -47,7 +47,7 @@ Within an Intune Application Protection Policy, setting **Allow app to transfer For a policy targeting iOS/iPadOS, you can configure data transfer exceptions by URL protocol. To add an exception, check the documentation provided by the developer of the app to find information about supported URL protocols. For more information about iOS/iPadOS data transfer exceptions, see [iOS/iPadOS app protection policy settings - Data transfer exemptions](app-protection-policy-settings-ios.md#data-transfer-exemptions). > [!NOTE] -> Microsoft does not have a method to manually find the URL protocol for creating app exceptions for third-party applications. +> Microsoft doesn't have a method to manually find the URL protocol for creating app exceptions for third-party applications. ## Android data transfer exceptions For a policy targeting Android, you can configure data transfer exceptions by app package name. You can check the **Google Play** store page for the app you would like to add an exception for to find the app package name. For more information about Android data transfer exceptions, see [Android app protection policy settings - Data transfer exemptions](app-protection-policy-settings-android.md#data-transfer-exemptions). From 9fb94f2767f02932aca4aaa9f15917b8e8d38057 Mon Sep 17 00:00:00 2001 From: mayganm <87776729+mayganm@users.noreply.github.com> Date: Mon, 6 Jan 2025 14:31:50 -0800 Subject: [PATCH 182/237] Update intune-notices.md --- memdocs/intune/includes/intune-notices.md | 79 +---------------------- 1 file changed, 3 insertions(+), 76 deletions(-) diff --git a/memdocs/intune/includes/intune-notices.md b/memdocs/intune/includes/intune-notices.md index 311e5c1ac31..f26aab018b5 100644 --- a/memdocs/intune/includes/intune-notices.md +++ b/memdocs/intune/includes/intune-notices.md 
@@ -4,7 +4,7 @@ description: include file author: dougeby ms.service: microsoft-intune ms.topic: include -ms.date: 11/13/2024 +ms.date: 1/6/2025 ms.author: dougeby manager: dougeby ms.custom: include file @@ -153,7 +153,7 @@ Check your Intune reporting to see what devices or users might be affected. For To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see [Manage operating system versions with Intune](../fundamentals/manage-os-versions.md). -### Plan for change: Intune is moving to support macOS 13 and higher later this year +### Plan for change: Intune is moving to support macOS 13 and higher later Later this year, we expect macOS 15 Sequoia to be released by Apple. Microsoft Intune, the Company Portal app and the Intune mobile device management agent will be moving to support macOS 13 and later. Since the Company Portal app for iOS and macOS are a unified app, this change will occur shortly after the release of macOS 15. This doesn't affect existing enrolled devices. 
@@ -168,40 +168,6 @@ This change only affects you if you currently manage, or plan to manage, macOS d Check your Intune reporting to see what devices or users might be affected. Go to **Devices** > **All devices** and filter by macOS. You can add more columns to help identify who in your organization has devices running macOS 12.x or earlier. Ask your users to upgrade their devices to a supported OS version. -### Plan for Change: Ending support for Intune App SDK Xamarin Bindings in May 2024 - -With the [end of support for Xamarin Bindings](https://dotnet.microsoft.com/platform/support/policy/xamarin), Intune will end support for Xamarin apps and the Intune App SDK Xamarin Bindings beginning on **May 1, 2024**. - -#### How does this affect you or your users? - -If you have iOS and/or Android apps built with Xamarin and are using the Intune App SDK Xamarin Bindings to enable app protection policies, upgrade your apps to .NET MAUI. - -#### How can you prepare? - -Upgrade your Xamarin based apps to .NET MAUI. Review the following documentation for more information on Xamarin support and upgrading your apps: - -- [Xamarin Support Policy | .NET](https://dotnet.microsoft.com/platform/support/policy/xamarin) -- [Upgrade from Xamarin to .NET | Microsoft Lear](/dotnet/maui/migration/?view=net-maui-8.0&preserve-view=true) -- [Microsoft Intune App SDK for .NET MAUI – Android | NuGet Gallery](https://www.nuget.org/packages/Microsoft.Intune.Maui.Essentials.android) -- [Microsoft Intune App SDK for .NET MAUI – iOS | NuGet Gallery](https://www.nuget.org/packages/Microsoft.Intune.Maui.Essentials.iOS) - -### Plan for Change: Update your PowerShell scripts with a Microsoft Entra ID registered app ID - -Last year we announced a [new Microsoft Intune GitHub repository](https://aka.ms/Intune/Scripts-blog) based on the Microsoft Graph SDK-based PowerShell module. The legacy Microsoft Intune PowerShell sample scripts GitHub repository is now read-only. 
Additionally, in **May 2024**, due to updated authentication methods in the Graph SDK-based PowerShell module, the global Microsoft Intune PowerShell application (client) ID based authentication method will be removed. - -#### How does this affect you or your users? - -If you're using the Intune PowerShell application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547), you'll need to update your scripts with a Microsoft Entra ID registered application ID to prevent your scripts from breaking. - -#### How can you prepare? - -Update your PowerShell scripts by: - -1. Creating a new app registration in the Microsoft Entra admin center. For detailed instructions, read: [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app). -2. Update scripts containing the Intune application ID (d1ddf0e4-d672-4dae-b554-9d5bdfd93547) with the new application ID created in step 1. - -For detailed step-by-step instructions visit [powershell-intune-samples/Updating App Registration (github.com)](https://github.com/microsoftgraph/powershell-intune-samples/blob/master/Updating%20App%20Registration). - ### Intune moving to support Android 10 and later for user-based management methods in October 2024 In October 2024, Intune will be moving to support Android 10 and later for user-based management methods, which includes: 
@@ -261,7 +227,7 @@ Update your documentation and user guidance as needed. If you currently use devi ### Plan for Change: Transition Jamf macOS devices from Conditional Access to Device Compliance -We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after September 1, 2024. +We've been working with Jamf on a migration plan to help customers transition macOS devices from Jamf Pro’s Conditional Access integration to their Device Compliance integration. The Device Compliance integration uses the newer Intune partner compliance management API, which involves a simpler setup than the partner device management API and brings macOS devices onto the same API as iOS devices managed by Jamf Pro. The platform Jamf Pro’s Conditional Access feature is built on will no longer be supported after January 31, 2025. Note that customers in some environments cannot be transitioned initially, for more details and updates read the blog: [Support tip: Transitioning Jamf macOS devices from Conditional Access to Device Compliance](https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-transitioning-jamf-macos-devices-from-conditional/ba-p/3913059). 
@@ -291,42 +257,3 @@ After Intune ends support for Android device administrator, devices with access Stop enrolling devices into Android device administrator and migrate impacted devices to other management methods. You can check your Intune reporting to see which devices or users might be affected. Go to **Devices** > **All devices** and filter the OS column to **Android (device administrator)** to see the list of devices. Read the blog, [Microsoft Intune ending support for Android device administrator on devices with GMS access](https://aka.ms/Intune-Android-DA-blog), for our recommended alternative Android device management methods and information about the impact to devices without access to GMS. - -### Plan for Change: Ending support for Microsoft Store for Business and Education apps - -In April 2023, we began ending support for the Microsoft Store for Business experience in Intune. This occurs in several stages. For more information, see: [Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune](https://aka.ms/Intune/MSfB-support). - -### How does this affect you or your users? - -If you're using Microsoft Store for Business and Education apps: - -1. On April 30, 2023, Intune will disconnect Microsoft Store for Business services. Microsoft Store for Business and Education apps won't be able to sync with Intune and the connector page will be removed from the Intune admin center. -2. On June 15, 2023, Intune will stop enforcing online and offline Microsoft Store for Business and Education apps on devices. Downloaded applications remain on the device with limited support. Users might still be able to access the app from their device, but the app won't be managed. Existing synced Intune app objects remain to allow admins to view the apps that had been synced and their assignments. 
Additionally, you'll not be able to sync apps via the Microsoft Graph API syncMicrosoftStoreForBusinessApps and related API properties will display stale data. -3. On September 15, 2023, Microsoft Store for Business and Education apps will be removed from the Intune admin center. Apps on the device remain until intentionally removed. The Microsoft Graph API microsoftStoreForBusinessApp will no longer be available about a month later. - -The retirement of Microsoft Store for Business and Education was [announced in 2021](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/evolving-the-microsoft-store-for-business-and-education/ba-p/2569423). When the Microsoft Store for Business and Education portals are retired, admins will no longer be able to manage the list of Microsoft Store for Business and Education apps that are synced or download offline content from the Microsoft Store for Business and Education portals. - -### How can you prepare? - -We recommend adding your apps through the new Microsoft Store app experience in Intune. If an app isn't available in the Microsoft Store, you need to retrieve an app package from the vendor and install it as a line-of-business (LOB) app or Win32 app. 
For instructions read the following articles: - -- [Add Microsoft Store apps to Microsoft Intune](../apps/store-apps-microsoft.md) -- [Add a Windows line-of-business app to Microsoft Intune](../apps/lob-apps-windows.md) -- [Add, assign, and monitor a Win32 app in Microsoft Intune](../apps/apps-win32-add.md) - -Related information - -- [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) -- [Unpacking Endpoint Management: The future of app management in Intune](https://techcommunity.microsoft.com/t5/endpoint-management-events/unpacking-endpoint-management-the-future-of-app-management-in/ev-p/3724878) - -### Plan for Change: Ending support for Windows Information Protection - -Microsoft Windows [announced](https://go.microsoft.com/fwlink/?linkid=2202124) they're ending support for Windows Information Protection (WIP). The Microsoft Intune family of products will be discontinuing future investments in managing and deploying WIP. In addition to limiting future investments, we removed support for WIP *without enrollment* scenario at the end of calendar year 2022. - -### How does this affect you or your users? - -If you have enabled WIP policies, you should turn off or disable these policies. - -### How can you prepare? - -We recommend disabling WIP to ensure users in your organization do not lose access to documents that have been protected by WIP policy. Read the blog [Support tip: End of support guidance for Windows Information Protection](https://aka.ms/Intune-WIP-support) for more details and options for removing WIP from your devices. From de08afdc249740bed7ed1b2d99d21fb4af99cadb Mon Sep 17 00:00:00 2001 
From: mayganm <87776729+mayganm@users.noreply.github.com> Date: Mon, 6 Jan 2025 14:42:40 -0800 Subject: [PATCH 183/237] Update whats-new-archive.md Updating broken links --- memdocs/intune/fundamentals/whats-new-archive.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/memdocs/intune/fundamentals/whats-new-archive.md b/memdocs/intune/fundamentals/whats-new-archive.md index a4abcd9077a..dfcef5c17d6 100644 --- a/memdocs/intune/fundamentals/whats-new-archive.md +++ b/memdocs/intune/fundamentals/whats-new-archive.md @@ -2578,7 +2578,7 @@ Applies to: ### App management #### Microsoft Store for Business or Microsoft Store for Education -Apps added from the Microsoft Store for Business or Microsoft Store for Education won't deploy to devices and users. Apps show as "not applicable" in reporting. Apps already deployed are unaffected. Use the [new Microsoft Store app](../apps/store-apps-microsoft.md) to deploy Microsoft Store apps to devices or users. For related information, see [Plan for Change: Ending support for Microsoft Store for Business and Education apps](whats-new.md#plan-for-change-ending-support-for-microsoft-store-for-business-and-education-apps) for upcoming dates when Microsoft Store for Business apps will no longer deploy and Microsoft Store for Business apps will be removed. +Apps added from the Microsoft Store for Business or Microsoft Store for Education won't deploy to devices and users. Apps show as "not applicable" in reporting. Apps already deployed are unaffected. Use the [new Microsoft Store app](../apps/store-apps-microsoft.md) to deploy Microsoft Store apps to devices or users. For related information, see [Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune](https://aka.ms/Intune/MSfB-support) for upcoming dates when Microsoft Store for Business apps will no longer deploy and Microsoft Store for Business apps will be removed. For more information, see the following resources: 
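Review bot: the trailing clause "for upcoming dates when Microsoft Store for Business apps will no longer deploy and Microsoft Store for Business apps will be removed" on the added line in the @@ -2578 hunk was written for the old "Plan for Change" anchor and now hangs off a link titled "Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune". Confirm that the aka.ms target actually lists those dates, or end the sentence at the link. The same clause is carried over unchanged in the @@ -2903 hunk.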
@@ -2903,7 +2903,7 @@ The Microsoft Store for Business connector is no longer available in the [Micros It's now also possible to delete Microsoft Store for Business apps from the **Apps** pane in the Microsoft Intune admin center so that you can clean up your environment as you move to the new Microsoft Store app type. -For related information, see [Plan for Change: Ending support for Microsoft Store for Business and Education apps](whats-new.md#plan-for-change-ending-support-for-microsoft-store-for-business-and-education-apps) for upcoming dates when Microsoft Store for Business apps won't deploy and Microsoft Store for Business apps are removed. +For related information, see [Adding your Microsoft Store for Business and Education apps to the Microsoft Store in Intune](https://aka.ms/Intune/MSfB-support) for upcoming dates when Microsoft Store for Business apps won't deploy and Microsoft Store for Business apps are removed. ### Device configuration 
@@ -4262,7 +4262,7 @@ All configurations need to be done in the Microsoft Intune admin center. The Mic ### App management #### Ending support for Windows Information Protection -Windows Information Protection (WIP) policies without enrollment are being deprecated. You can no longer create new WIP policies without enrollment. Until December of 2022, you can modify existing policies until the deprecation of the *without enrollment* scenario is complete. For more information, go to [Plan for Change: Ending support for Windows Information Protection](whats-new.md#plan-for-change-ending-support-for-windows-information-protection). +Windows Information Protection (WIP) policies without enrollment are being deprecated. You can no longer create new WIP policies without enrollment. Until December of 2022, you can modify existing policies until the deprecation of the *without enrollment* scenario is complete. For more information, go to [Support tip: End of support guidance for Windows Information Protection](https://aka.ms/Intune-WIP-support). ### Device Configuration @@ -5402,4 +5402,4 @@ Intune's remote action to [Collect diagnostics](../remote-actions/collect-diagno The new details that are collected include: - Files: `C:\Program Files\Microsoft Update Health Tools\Logs\*.etl` -- Registry Keys: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate` \ No newline at end of file +- Registry Keys: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CloudManagedUpdate` From 06fc7e9c79e0a2d4b657a3ebbb50c1cce308b2a2 Mon Sep 17 00:00:00 2001 From: mayganm <87776729+mayganm@users.noreply.github.com> Date: Mon, 6 Jan 2025 14:47:57 -0800 Subject: [PATCH 184/237] Update Intune notice for macOS support timing --- memdocs/intune/includes/intune-notices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/includes/intune-notices.md b/memdocs/intune/includes/intune-notices.md index f26aab018b5..daf96741ff9 100644 --- a/memdocs/intune/includes/intune-notices.md 
+++ b/memdocs/intune/includes/intune-notices.md @@ -153,7 +153,7 @@ Check your Intune reporting to see what devices or users might be affected. For To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see [Manage operating system versions with Intune](../fundamentals/manage-os-versions.md). -### Plan for change: Intune is moving to support macOS 13 and higher later +### Plan for change: Intune is moving to support macOS 13 and higher later later this year Later this year, we expect macOS 15 Sequoia to be released by Apple. Microsoft Intune, the Company Portal app and the Intune mobile device management agent will be moving to support macOS 13 and later. Since the Company Portal app for iOS and macOS are a unified app, this change will occur shortly after the release of macOS 15. This doesn't affect existing enrolled devices. From 32daf873a917c63a8b963abc7aeb26346ab8103d Mon Sep 17 00:00:00 2001 From: mayganm <87776729+mayganm@users.noreply.github.com> Date: Mon, 6 Jan 2025 15:00:20 -0800 Subject: [PATCH 185/237] Update Intune notices for clarity and consistency --- memdocs/intune/includes/intune-notices.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/memdocs/intune/includes/intune-notices.md b/memdocs/intune/includes/intune-notices.md index daf96741ff9..5d4d438d374 100644 --- a/memdocs/intune/includes/intune-notices.md +++ b/memdocs/intune/includes/intune-notices.md 
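Review bot: the added heading in the intune-notices.md hunk of PATCH 184 (@@ -153) reads "macOS 13 and higher later later this year", with "later" doubled. It should read "later this year". PATCH 185 makes exactly that correction to the same line, so the two commits could be squashed into one.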
@@ -49,11 +49,11 @@ For apps running on iOS 18.2, you must update to the new version of the Intune A > [!IMPORTANT] > -> The above listed SDK releases have added support for blocking screen capture, Genmojis and writing tools in response to new AI features in iOS 18.2. For apps that have updated to the above listed version of the SDK, screen capture block will be applied if you have configured *Send Org data to other apps* to a value other than *All apps*. See [iOS/iPadOS app protection policy settings](../apps/app-protection-policy-settings-ios.md#data-protection) for more info. You can configure app configuration policy setting **com.microsoft.intune.mam.screencapturecontrol = Disabled** if you wish to allow screen capture for your iOS devices. See [App configuration policies for Microsoft Intune](../apps/app-configuration-policies-overview.md#managed-apps) for more info. Intune will be providing more granular controls for blocking specific AI features in the future. Please follow [What's new in Microsoft Intune](../fundamentals/whats-new.md) to stay up to date. +> The listed SDK releases support blocking screen capture, Genmojis and writing tools in response to new AI features in iOS 18.2. For apps that have updated to these SDK versions, screen capture block is applied if you have configured *Send Org data to other apps* to a value other than *All apps*. See [iOS/iPadOS app protection policy settings](../apps/app-protection-policy-settings-ios.md#data-protection) for more info. You can configure app configuration policy setting **com.microsoft.intune.mam.screencapturecontrol = Disabled** if you wish to allow screen capture for your iOS devices. See [App configuration policies for Microsoft Intune](../apps/app-configuration-policies-overview.md#managed-apps) for more info. Intune will be providing more granular controls for blocking specific AI features in the future. Follow [What's new in Microsoft Intune](../fundamentals/whats-new.md) to stay up to date. 
> > Notify your users as applicable, to ensure they upgrade their apps to the latest version prior to upgrading to iOS 18.2. You can review the Intune App SDK version in use by your users in the Microsoft Intune admin center by navigating to **Apps** > **Monitor** > **App protection status**, then review *Platform version* and *iOS SDK version*. > -> If you have questions, leave a comment on the applicable GitHub announcement. Additionally, if you have not already, navigate to the applicable GitHub repository and subscribe to *Releases* and *Discussions* (Watch > Custom > select Releases, Discussions) to ensure you stay up-to-date with the latest SDK releases, updates, and other important announcements. +> If you have questions, leave a comment on the applicable GitHub announcement. Additionally, if you haven't already, navigate to the applicable GitHub repository and subscribe to *Releases* and *Discussions* (Watch > Custom > select Releases, Discussions) to ensure you stay up-to-date with the latest SDK releases, updates, and other important announcements. ### Plan for Change: Specific app configuration values will be automatically sent to specific apps 
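Review bot: in the @@ -49 hunk the reworded [!IMPORTANT] line still renders the app configuration key and value as bold text, `**com.microsoft.intune.mam.screencapturecontrol = Disabled**`. This is a string admins copy into a policy, so format the key and the value as inline code instead. The added lines in this hunk also use both "stay up to date" and "stay up-to-date"; pick one form.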
@@ -153,7 +153,7 @@ Check your Intune reporting to see what devices or users might be affected. For To manage the supported OS version in your organization, you can use Microsoft Intune controls for both MDM and APP. For more information, see [Manage operating system versions with Intune](../fundamentals/manage-os-versions.md). -### Plan for change: Intune is moving to support macOS 13 and higher later later this year +### Plan for change: Intune is moving to support macOS 13 and higher later this year Later this year, we expect macOS 15 Sequoia to be released by Apple. Microsoft Intune, the Company Portal app and the Intune mobile device management agent will be moving to support macOS 13 and later. Since the Company Portal app for iOS and macOS are a unified app, this change will occur shortly after the release of macOS 15. This doesn't affect existing enrolled devices. @@ -210,7 +210,7 @@ For more information, review: [Manage operating system versions with Microsoft I Today, when creating iOS/iPadOS enrollment profiles, “Device enrollment with Company Portal” is shown as the default method. In an upcoming service release, the default method will change to “Web based device enrollment” during profile creation. Additionally for *new* tenants, if no enrollment profile is created, the user will enroll using web-based device enrollment. > [!NOTE] -> For web enrollment, you will need to deploy the single sign-on (SSO) extension policy to enable just in time (JIT) registration, for more information review: [Set up just in time registration in Microsoft Intune](../enrollment/set-up-just-in-time-registration.md). +> For web enrollment, you need to deploy the single sign-on (SSO) extension policy to enable just in time (JIT) registration, for more information review: [Set up just in time registration in Microsoft Intune](../enrollment/set-up-just-in-time-registration.md). #### How does this affect you or your users? 
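Review bot: the rewritten [!NOTE] line in the @@ -210 hunk still joins two sentences with a comma: "...to enable just in time (JIT) registration, for more information review: [Set up just in time registration in Microsoft Intune]". End the first sentence after "registration." and start the second with "For more information, see" followed by the link.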
From 4d942f0ab9f892a167cd4502af05a44d6f5c4364 Mon Sep 17 00:00:00 2001 From: Ruchika Mittal Date: Tue, 7 Jan 2025 05:24:32 +0530 Subject: [PATCH 186/237] acro fix --- memdocs/intune/fundamentals/whats-new-archive.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/fundamentals/whats-new-archive.md b/memdocs/intune/fundamentals/whats-new-archive.md index dfcef5c17d6..9fa2578dc50 100644 --- a/memdocs/intune/fundamentals/whats-new-archive.md +++ b/memdocs/intune/fundamentals/whats-new-archive.md @@ -1626,7 +1626,7 @@ Applies to: For more information on these settings, see [Apple's developer website](https://developer.apple.com/documentation/devicemanagement/settingscommand/command/settings). For more information about configuring Settings Catalog profiles in Intune, see [Create a policy using settings catalog](../configuration/settings-catalog.md). -#### New setting available in the macOS settings catalog +#### New settings available in the macOS settings catalog The [Settings Catalog](../configuration/settings-catalog.md) lists all the settings you can configure in a device policy, and all in one place. 
@@ -2090,8 +2090,7 @@ In Intune, you can use the new **Store app** type to deploy Store apps to your d Now, you can use the **Turn off the Store application** policy to disable end users' direct access to Store apps. When it's disabled, end users can still access and install Store apps from the Windows Company Portal app and through Intune app management. If you want to allow random store app installs outside of Intune, then don't configure this policy. -The previous **Only display the private store within the Microsoft Store app** policy doesn't prevent end users from directly accessing the store using the Windows Package Manager `winget` APIs. So, if your goal is to block random unmanaged Store application installs on client devices, then it's recommended to use the **Turn off the Store application** policy. Don't use the **Only display the private store within the Microsoft Store app** policy -. +The previous **Only display the private store within the Microsoft Store app** policy doesn't prevent end users from directly accessing the store using the Windows Package Manager `winget` APIs. So, if your goal is to block random unmanaged Store application installs on client devices, then it's recommended to use the **Turn off the Store application** policy. Don't use the **Only display the private store within the Microsoft Store app** policy. Applies to: - Windows 10 and later From 9b68748a255de60cf724ecf32de742100d0b5866 Mon Sep 17 00:00:00 2001 From: Doug Eby <17034284+dougeby@users.noreply.github.com> Date: Mon, 6 Jan 2025 17:53:43 -0800 Subject: [PATCH 187/237] Add items section to Apple School Manager enrollment. --- memdocs/intune/toc.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/memdocs/intune/toc.yml b/memdocs/intune/toc.yml index 46175eae67c..6592adca5bb 100644 --- a/memdocs/intune/toc.yml +++ b/memdocs/intune/toc.yml 
@@ -1682,6 +1682,7 @@ items: href: ./enrollment/automated-device-enrollment-shared-device-mode.md displayName: devices, frontline worker, automated device enrollment - name: Walkthrough - Set up enrollment with Apple School Manager + items: - name: Prerequisites href: ./enrollment/apple-school-manager-set-up-ios.md - name: Step 1 - Get an Apple token and assign devices From 35c08bfd04a9bc7b729b992656f321d7d84deed2 Mon Sep 17 00:00:00 2001 From: Doug Eby <17034284+dougeby@users.noreply.github.com> Date: Mon, 6 Jan 2025 18:00:12 -0800 Subject: [PATCH 188/237] Update link in Remote Help documentation Fixed link to article --- memdocs/intune/fundamentals/remote-help-windows.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/remote-help-windows.md b/memdocs/intune/fundamentals/remote-help-windows.md index bea9de67538..f7ab9b00ab2 100644 --- a/memdocs/intune/fundamentals/remote-help-windows.md +++ b/memdocs/intune/fundamentals/remote-help-windows.md 
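Review bot: the toc.yml hunk of PATCH 187 (@@ -1682) inserts only the `items:` key and leaves `- name: Prerequisites` and the entries after it as unchanged context, so they become children of the walkthrough node only if they are already indented one level deeper than `items:`. Check the rendered TOC nesting. PATCH 190 later in this series edits the same lines from the same base blob (46175eae67c) and does rewrite the `- name: Prerequisites` line, so the two hunks will conflict when applied in sequence; keep one of them.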
@@ -118,7 +118,7 @@ Download the latest version of Remote Help direct from Microsoft at [aka.ms/down The most recent version of Remote Help is **5.1.1419.0** ### Deploy Remote Help as an Enterprise App Catalog app -The Enterprise App Catalog is a collection of prepackaged Win32 apps that have been designed and prepared by Microsoft to support Intune. An Enterprise App Catalog app is a Windows app that you can add via the Enterprise App Catalog in Intune. This app type leverages the Win32 platform and has support for customizable capabilities. Remote Help is available in the Enterprise App Catalog. To learn more, see [Add an Enterprise App Catalog app to Microsoft Intune]([https://learn.microsoft.com/en-us/mem/intune/apps/apps-enterprise-app-management](https://learn.microsoft.com/en-us/mem/intune/apps/apps-add-enterprise-app#add-a-windows-catalog-app-win32-to-intune)). +The Enterprise App Catalog is a collection of prepackaged Win32 apps that have been designed and prepared by Microsoft to support Intune. An Enterprise App Catalog app is a Windows app that you can add via the Enterprise App Catalog in Intune. This app type leverages the Win32 platform and has support for customizable capabilities. Remote Help is available in the Enterprise App Catalog. To learn more, see [Add an Enterprise App Catalog app to Microsoft Intune](/mem/intune/apps/apps-add-enterprise-app#add-a-windows-catalog-app-win32-to-intune). ### Deploy Remote Help as a Win32 app From b4cb5893e4535a176bc22ea076b43597df864183 Mon Sep 17 00:00:00 2001 From: Denish Donga <177508003+denishdonga27@users.noreply.github.com> Date: Tue, 7 Jan 2025 16:31:07 +0530 Subject: [PATCH 189/237] Learn Editor: Update advanced-threat-protection-manage-android.md --- .../protect/advanced-threat-protection-manage-android.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
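Review bot: the replacement link in the remote-help-windows.md hunk of PATCH 188 (@@ -118) uses a site-absolute path, `/mem/intune/apps/apps-add-enterprise-app#add-a-windows-catalog-app-win32-to-intune`, while other links between Intune articles in this series are relative file links such as `../apps/store-apps-microsoft.md`. If the target article lives in this repo as apps-add-enterprise-app.md, link it as `../apps/apps-add-enterprise-app.md#add-a-windows-catalog-app-win32-to-intune` to match.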
diff --git a/memdocs/intune/protect/advanced-threat-protection-manage-android.md b/memdocs/intune/protect/advanced-threat-protection-manage-android.md index 4c8a580e3b9..dd69a96c329 100644 --- a/memdocs/intune/protect/advanced-threat-protection-manage-android.md +++ b/memdocs/intune/protect/advanced-threat-protection-manage-android.md @@ -46,9 +46,9 @@ With Intune device configuration policy, you can turn off all or part of the web > [!IMPORTANT] > **Below browsers are supported with Defender loopback VPN** -> GOOGLE_CHROME, EDGE, OPERA, SAMSUNG_INTERNET, FIREFOX, BRAVE, TOR, WEB_BROWSER_LEOPARD, DUCKDUCKGO, DOLPHIN +> Chrome, Edge, Opera, Samsung Internet, Firefox, Brave, Tor, Browser Leopard, DuckDuckGo, Dolphin > **Following browsers are supported with accessibility service without Defender loopback VPN** -> GOOGLE_CHROME, EDGE, OPERA, SAMSUNG_INTERNET +> Chrome, Edge, Opera, Samsung Internet > **Note:** Work profile scenarios (BYOD -Android Enterprise personally owned devices using a work profile and COPE - Android Enterprise corporate owned work profile) do not support the accessibility service. To configure web protection on devices, use the following procedures to create and deploy the applicable configuration. From e650980e9ba7ca4b3bef246bf69c5a95f79df4b3 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 7 Jan 2025 08:30:02 -0500 Subject: [PATCH 190/237] Acrolinx --- .../enrollment/apple-school-manager-step-2.md | 38 +++++++++---------- .../enrollment/apple-school-manager-step-3.md | 4 +- memdocs/intune/toc.yml | 3 +- 3 files changed, 23 insertions(+), 22 deletions(-) diff --git a/memdocs/intune/enrollment/apple-school-manager-step-2.md b/memdocs/intune/enrollment/apple-school-manager-step-2.md index 1dac2d1ef75..229742ceb2a 100644 --- a/memdocs/intune/enrollment/apple-school-manager-step-2.md +++ b/memdocs/intune/enrollment/apple-school-manager-step-2.md 
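Review bot: in the advanced-threat-protection-manage-android.md hunk of PATCH 189 (@@ -46) the bold labels and the browser lists are consecutive `>` lines with no blank quoted line between them, so Markdown flows them into a single paragraph inside the [!IMPORTANT] block. Separate each label and its list with an empty `>` line, or turn the two browser sets into bullet lists. While the lines are being touched, "Below browsers are supported" would read better as "The following browsers are supported", and "Browser Leopard" (previously `WEB_BROWSER_LEOPARD`) should be checked against the product's actual display name.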
@@ -53,15 +53,15 @@ After you get your Apple token, you can create an enrollment profile for school - **Enroll without User Affinity** - Choose this option for devices unaffiliated with a single user, such as a shared device. Use this option for devices that perform tasks without accessing local user data. Apps like the Company Portal app don't work. -1. If you chose **Enroll with User Affinity**, you can let users authenticate with Company Portal, Setup Assistant (legacy), and Setup Assistant with modern authentication. Select the option. For more information about authentication methods, see [Authentication methods for automated device enrollment in Intune](automated-device-enrollment-authentication.md). +1. If you chose **Enroll with User Affinity**, you can let users authenticate with Company Portal, Setup Assistant (legacy), and Setup Assistant with modern authentication. Select the option. For more information about authentication methods, see [Authentication methods for automated device enrollment in Intune](automated-device-enrollment-authentication.md). > [!NOTE] - > If you want do any of the following, set **Authenticate with Company Portal instead of Apple Setup Assistant** to **Yes**. + > If you want any of the following features, set **Authenticate with Company Portal instead of Apple Setup Assistant** to **Yes**. > - use multifactor authentication > - prompt users who need to change their password when they first sign in > - prompt users to reset their expired passwords during enrollment > - > These aren't supported when authenticating with Apple Setup Assistant. + > These features aren't supported when authenticating with Apple Setup Assistant. 1. Choose **Device Management Settings** and choose if you want devices using this profile to be supervised. **Supervised** devices give you more management options and disabled Activation Lock by default. 
Microsoft recommends using ADE as the mechanism for enabling Intune's supervised mode, especially for organizations that are deploying large numbers of iOS/iPadOS devices. 
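Review bot: the new lead-in in the [!NOTE] of the @@ -53 hunk, "If you want any of the following features", no longer matches the bullets under it, which are still imperative fragments ("use multifactor authentication", "prompt users who need to change their password when they first sign in"). Either reword the bullets as noun phrases or keep a lead-in that the fragments complete. The first changed line in this hunk differs from the line it replaces only in whitespace, which adds noise to the diff.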
@@ -72,13 +72,13 @@ After you get your Apple token, you can create an enrollment profile for school - The **Settings** > **General** > **About** screen says: "This iPhone is supervised. Contoso can monitor your Internet traffic and locate this device." > [!NOTE] - > A device enrolled without supervision can only be reset to supervised by using the Apple Configurator. Resetting the device in this manner requires connecting an iOS/iPadOS device to a Mac with a USB cable. Learn more about this on [Apple Configurator docs](https://support.apple.com/guide/apple-configurator-mac). + > A device enrolled without supervision can only be reset to supervised by using the Apple Configurator. Resetting the device in this manner requires connecting an iOS/iPadOS device to a Mac with a USB cable. For more information, see the [Apple Configurator docs](https://support.apple.com/guide/apple-configurator-mac) (opens Apple Support). 1. Choose if you want locked enrollment for devices using this profile. **Locked enrollment** disables iOS/iPadOS settings that allow the management profile to be removed from the **Settings** menu. After device enrollment, you can't change this setting without wiping the device. Such devices must have the **Supervised** Management Mode set to *Yes*. 1. You can let multiple users sign on to enrolled iPads by using a managed Apple ID. To do so, choose **Yes** under **Shared iPad** (this option requires **Enroll without User Affinity** and **Supervised** mode set to **Yes**.) Managed Apple IDs are created in the Apple School Manager portal. Learn more about [shared iPad](../fundamentals/education-settings-configure-ios-shared.md) and [Apple's shared iPad requirements](https://help.apple.com/classroom/ipad/2.0/#/cad7e2e0cf56). -1. Choose if you want the devices using this profile to be able to **Sync with computers**. **Deny All** means that all devices using this profile won't be able to sync with any data on any computer. 
If you choose **Allow Apple Configurator by certificate**, you must choose a certificate under **Apple Configurator Certificates**. +1. Choose if you want the devices using this profile to be able to **Sync with computers**. **Deny All** means that all devices using this profile won't be able to sync with any data on any computer. If you choose **Allow Apple Configurator by certificate**, you must choose a certificate under **Apple Configurator Certificates**. 1. If you chose **Allow Apple Configurator by certificate** in the previous step, choose an Apple Configurator Certificate to import. 
@@ -88,21 +88,21 @@ After you get your Apple token, you can create an enrollment profile for school 1. Choose **Setup Assistant Settings** to configure the following profile settings: - | Setting | Description | + |Setting |Description | |------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| - | Department Name | Appears when users tap About Configuration during activation. | - | Department Phone | Appears when the user clicks the Need Help button during activation. | - | Setup Assistant Options | The following optional settings can be set up later in the iOS/iPadOS Settings menu. | - | Passcode | Prompt for passcode during activation. Always require a passcode for unsecured devices unless access is controlled in some other manner (like kiosk mode that restricts the device to one app). | - | Location Services | If enabled, Setup Assistant prompts for the service during activation. | - | Restore | If enabled, Setup Assistant prompts for iCloud backup during activation. | - | iCloud and Apple ID | If enabled, Setup Assistant prompts the user to sign in an Apple ID and the Apps & Data screen will allow the device to be restored from iCloud backup. | - | Terms and Conditions | If enabled, Setup Assistant prompts users to accept Apple's terms and conditions during activation. | - | Touch ID | If enabled, Setup Assistant prompts for this service during activation. | - | Apple Pay | If enabled, Setup Assistant prompts for this service during activation. | - | Zoom | If enabled, Setup Assistant prompts for this service during activation. | - | Siri | If enabled, Setup Assistant prompts for this service during activation. | - | Diagnostic Data | If enabled, Setup Assistant prompts for this service during activation. 
| + |**Department Name** | Appears when users tap About Configuration during activation. | + | **Department Phone** | Appears when the user clicks the Need Help button during activation. | + |**Setup Assistant Options** | The following optional settings can be set up later in the iOS/iPadOS Settings menu. | + |**Passcode** | Prompt for passcode during activation. Always require a passcode for unsecured devices unless access is controlled in some other manner (like kiosk mode that restricts the device to one app). | + |**Location Services** | If enabled, Setup Assistant prompts for the service during activation. | + |**Restore** |If enabled, Setup Assistant prompts for iCloud backup during activation. | + | **iCloud and Apple ID** | If enabled, Setup Assistant prompts the user to sign in with an Apple ID, and the Apps & Data screen allows the device to be restored from iCloud backup. | + | **Terms and Conditions**|If enabled, Setup Assistant prompts users to accept Apple's terms and conditions during activation.| + |**Touch ID**|If enabled, Setup Assistant prompts for this service during activation. | + |**Apple Pay** | If enabled, Setup Assistant prompts for this service during activation. | + | **Zoom** |If enabled, Setup Assistant prompts for this service during activation. | + | **Siri**|If enabled, Setup Assistant prompts for this service during activation. | + | **Diagnostic Data** |If enabled, Setup Assistant prompts for this service during activation. | 1. Choose **OK**. diff --git a/memdocs/intune/enrollment/apple-school-manager-step-3.md b/memdocs/intune/enrollment/apple-school-manager-step-3.md index 0ea51cbebc9..4d0e57564cb 100644 --- a/memdocs/intune/enrollment/apple-school-manager-step-3.md +++ b/memdocs/intune/enrollment/apple-school-manager-step-3.md 
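Review bot: the rewritten table rows in the @@ -88 hunk of apple-school-manager-step-2.md mix cell padding styles, for example `|Setting |Description |`, `| **Department Phone** |` and `|**Touch ID**|If enabled`. Rendering is unaffected, but one consistent style keeps later diffs readable. "Setup Assistant Options" is also bolded like a setting although its description says it introduces the optional settings listed after it; consider leaving that row unbolded or moving the sentence above the table.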
@@ -59,10 +59,10 @@ Apple School Manager devices managed by Intune must be assigned an enrollment pr ## Distribute devices to users -You have enabled management and syncing between Apple and Intune, and assigned a profile to let your Apple School devices enroll. You can now distribute devices to users. When an iOS/iPadOS Apple School Manager device is turned on, it's enrolled for management by Intune. Profiles can't be applied to activated devices currently in use until the device is wiped. +You enabled management and syncing between Apple and Intune, and assigned a profile that lets Apple School devices enroll. You can now distribute devices to users. When an iOS/iPadOS Apple School Manager device is turned on, it enrolls in Microsoft Intune. Profiles can't be applied to activated devices currently in use until the device is wiped. ## Connect School Data Sync -Microsoft Education is transitioning to a new School Data Sync (SDS) experience with enhanced features, starting August 2024 for the Northern Hemisphere and January 2025 for the Southern Hemisphere. The current Apple School Manager support will be retired by December 31, 2024. This new experience offers various enhancements over SDS (Classic) including decoupled data ingestion, faster syncs with fewer errors, support for larger organizations, and a modern user interface. If you have further questions, please contact Microsoft Education support with questions regarding the transition to the new School Data Sync experience. +Microsoft Education is transitioning to a new School Data Sync (SDS) experience with enhanced features, starting August 2024 for the Northern Hemisphere and January 2025 for the Southern Hemisphere. The current Apple School Manager support will be retired by December 31, 2024. This new experience offers various enhancements over SDS (Classic) including decoupled data ingestion, faster syncs with fewer errors, support for larger organizations, and a modern user interface. 
Please contact Microsoft Education support with questions regarding the transition to the new School Data Sync experience. ## Next steps This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager. diff --git a/memdocs/intune/toc.yml b/memdocs/intune/toc.yml index 46175eae67c..c1b93ab35b0 100644 --- a/memdocs/intune/toc.yml +++ b/memdocs/intune/toc.yml @@ -1682,7 +1682,8 @@ items: href: ./enrollment/automated-device-enrollment-shared-device-mode.md displayName: devices, frontline worker, automated device enrollment - name: Walkthrough - Set up enrollment with Apple School Manager - - name: Prerequisites + items: + - name: Prerequisites href: ./enrollment/apple-school-manager-set-up-ios.md - name: Step 1 - Get an Apple token and assign devices href: ./enrollment/apple-school-manager-step-1.md From 14d479d33cf58a962ed7f2699d7d6507932321c4 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 7 Jan 2025 09:44:51 -0500 Subject: [PATCH 191/237] Freshness check --- .../apple-school-manager-set-up-ios.md | 10 ++-- .../enrollment/apple-school-manager-step-1.md | 52 ++++++++++--------- .../enrollment/apple-school-manager-step-2.md | 33 ++++++------ .../enrollment/apple-school-manager-step-3.md | 22 ++++---- .../device-enrollment-program-enroll-ios.md | 10 ++-- 5 files changed, 68 insertions(+), 59 deletions(-) diff --git a/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md b/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md index b856d7e21e4..3cd8621aceb 100644 --- a/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md +++ b/memdocs/intune/enrollment/apple-school-manager-set-up-ios.md 
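Review bot: the added School Data Sync paragraph in the apple-school-manager-step-3.md hunk of PATCH 190 (@@ -59) keeps the sentence "The current Apple School Manager support will be retired by December 31, 2024" in the future tense, but the commit is dated 7 January 2025. Since the paragraph is being edited anyway, update the sentence to say what the current state is, and check whether "starting August 2024" and "January 2025" still need to be phrased as a transition in progress.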
@@ -42,16 +42,16 @@ To enable Apple School Manager enrollment, you use both the Microsoft Intune adm - Get an [Apple mobile device management (MDM) push certificate](apple-mdm-push-certificate-get.md). - Set up the [MDM Authority](../fundamentals/mdm-authority-set.md). -- If using ADFS, user affinity requires [WS-Trust 1.3 Username/Mixed endpoint](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff608241(v=ws.10)). For more information, see [Get adfs endpoint](/powershell/module/adfs/get-adfsendpoint). -- Devices must be purchased from the [Apple School Management](http://school.apple.com) program. +- If using Active Directory Federation Services (AD FS), user affinity requires [WS-Trust 1.3 Username/Mixed endpoint](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff608241(v=ws.10)). For more information, see [Get ADFS endpoint](/powershell/module/adfs/get-adfsendpoint). +- Devices must be purchased from [Apple School Manager](http://school.apple.com). -Apple School Manager enrollment can't be used with the [device enrollment manager](device-enrollment-manager-enroll.md). +Apple School Manager enrollment can't be used with the [device enrollment manager](device-enrollment-manager-enroll.md) account. ## Next steps This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager. 1. 🡺 Prerequisites (*You are here*) -1. [Get an Apple token and assign devices](apple-school-manager-step-1.md) +1. [Get an Apple token for school devices](apple-school-manager-step-1.md) 1. [Create an Apple enrollment profile](apple-school-manager-step-2.md) -1. [Sync managed devices](apple-school-manager-step-3.md) +1. [Sync and distribute devices](apple-school-manager-step-3.md) diff --git a/memdocs/intune/enrollment/apple-school-manager-step-1.md b/memdocs/intune/enrollment/apple-school-manager-step-1.md index 747822c4176..80aa4ce7de4 100644 --- a/memdocs/intune/enrollment/apple-school-manager-step-1.md 
+++ b/memdocs/intune/enrollment/apple-school-manager-step-1.md @@ -8,7 +8,7 @@ keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 01/06/2025 +ms.date: 01/07/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment 
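Review bot: In apple-school-manager-set-up-ios.md, the rewritten prerequisite "Devices must be purchased from [Apple School Manager](http://school.apple.com)" keeps a plain http:// link, while the step-1 article in this same patch links the portal as https://school.apple.com. This is the sign-in page for the Apple School Manager account, so switch the prerequisite link to https:// and keep the two articles consistent.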
@@ -29,42 +29,44 @@ ms.collection: - M365-identity-device-management --- -# Get an Apple token and assign devices +# Get an Apple token for school devices Before you can enroll corporate-owned iOS/iPadOS devices with Apple School Manager, you need a token (.p7m) file from Apple. This token lets Intune sync information about Apple School Manager-participating devices. It also permits Intune to perform enrollment profile uploads to Apple and to assign devices to those profiles. While you are in the Apple portal, you can also assign device serial numbers to manage. -## Step 1: Download the Intune public key certificate required to create an Apple token +## Step 1: +In the first set of steps, you download the Intune public key certificate required to create an Apple token. -1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**. +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Devices**. +1. Expand **Device onboarding**, and then select **Enrollment**. 1. Select the **Apple** tab. -1. Choose **Enrollment Program Tokens**. -1. Select **Add**. -1. Select **Download your public key** to download and save the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple School Manager portal. +1. Choose **Enrollment program tokens**. +1. Select **Create**. +1. Select **I agree** to give permission to Microsoft to send user and device information to Apple. +1. Select **Download your public key**. This step downloads and saves the encryption key (.pem) file locally. The .pem file is used to request a trust-relationship certificate from the Apple School Manager portal. -## Step 2: Download a token and assign devices -1. Choose **Create a token via Apple School Manager**, and sign in to Apple School with your company Apple ID. 
You can use this Apple ID to renew your Apple School Manager token. -2. In the [Apple School Manager portal](https://school.apple.com), go to **MDM Servers**, and then choose **Add MDM Server** (upper right). -3. Enter the MDM server name. The server name is for your reference to identify the mobile device management (MDM) server. It isn't the name or URL of the Microsoft Intune server. -4. Choose **Upload File...** in the Apple portal, browse to the .pem file, and choose **Save MDM Server** (lower right). -5. Choose **Get Token** and then download the server token (.p7m) file to your computer. -6. Go to **Device Assignments**. Choose your devices by manually entering their serial numbers or order number. -7. Choose the action **Assign to Server**, and choose the **MDM Server** you created. -8. Specify how to **Choose Devices**, then provide device information and details. -9. Choose **Assign to Server** and choose the <ServerName> specified for Microsoft Intune, and then choose **OK**. - -## Step 3: Save the Apple ID used to create this token + In the next set of steps, you download a token and assign devices. Keep the browser and tab with the admin center open while you're completing steps in Apple School Manager. + + > [!TIP] + > The following steps describe what you need to do in Apple School Manager. For the specific steps, see the [Apple School Manager User Guide](https://support.apple.com/guide/apple-school-manager/device-workflow-axm6a88f692e/1/web/1) (opens Apple Support). -Return to the [admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and enter the Apple ID. +1. Choose **Create a token via Apple School Manager**, and sign in to Apple School with your company Apple ID. You can use this Apple ID to renew your Apple School Manager token. +1. In the [Apple School Manager portal](https://school.apple.com), go to your MDM Server assignments to add an MDM server. +1. Enter the MDM server name. 
The server name is for your reference to identify the mobile device management (MDM) server. It isn't the name or URL of the Microsoft Intune server. +1. Upload the public key certificate file (.pem file). +1. Save your MDM server. +1. Select the download button to download the server token (.p7m) file to your computer. +1. Go to **Devices** and select the devices you want to assign to this token. You can sort by various device properties, like serial number. You can also select multiple devices simultaneously. +2. Select **Edit MDM Server**. Select the MDM server you just added, and then save your changes. This step assigns devices to the token. +1. Return to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and enter the Apple ID you used to create the token. -![Screenshot of specifying the Apple ID used to create the enrollment program token and browsing to the enrollment program token.](./media/apple-school-manager-set-up-ios/image03.png) + ![Example screenshot showing the Apple ID used to create the enrollment program token and browsing to the enrollment program token.](./media/apple-school-manager-set-up-ios/image03.png) -## Step 4: Upload your token -In the **Apple token** box, browse to the certificate (.pem) file, choose **Open**, and then choose **Create**. With the push certificate, Intune can enroll and manage iOS/iPadOS devices by pushing policy to enrolled mobile devices. Intune automatically synchronizes your Apple School Manager devices from Apple. +1. For **Apple token**, browse to the certificate (.pem) file. Select **Open**, and then choose **Create**. With the push certificate, Intune can enroll and manage iOS/iPadOS devices by pushing policies to enrolled mobile devices. Intune automatically syncs your Apple School Manager devices from Apple. ## Next steps This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager. 1. 
[Prerequisites](apple-school-manager-set-up-ios.md) -1. 🡺 Get an Apple token and assign devices (*You are here*) +1. 🡺 Get an Apple token for school devices (*You are here*) 1. [Create an Apple enrollment profile](apple-school-manager-step-2.md) -1. [Sync managed devices](apple-school-manager-step-3.md) \ No newline at end of file +1. [Sync and distribute devices](apple-school-manager-step-3.md) \ No newline at end of file diff --git a/memdocs/intune/enrollment/apple-school-manager-step-2.md b/memdocs/intune/enrollment/apple-school-manager-step-2.md index 229742ceb2a..7dc566e0414 100644 --- a/memdocs/intune/enrollment/apple-school-manager-step-2.md +++ b/memdocs/intune/enrollment/apple-school-manager-step-2.md @@ -8,7 +8,7 @@ keywords: author: Lenewsad ms.author: lanewsad manager: dougeby -ms.date: 01/06/2025 +ms.date: 01/07/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: enrollment 
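Review bot: In apple-school-manager-step-1.md, the last added step, "For **Apple token**, browse to the certificate (.pem) file", names the wrong file. The introduction and the download step in this hunk both describe the Apple token as the .p7m file, and the .pem is the Intune public key that is uploaded to Apple School Manager; the wording is carried over from the removed Step 4 text. Change the step to reference the server token (.p7m). Two smaller points in the same hunk: the new heading "## Step 1:" has no title now that Steps 2 to 4 are folded into one list, and the item "2. Select **Edit MDM Server**" breaks the "1." numbering used by every other item.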
@@ -29,18 +29,19 @@ ms.collection: - M365-identity-device-management --- -# Create an Apple enrollment profile +# Create an Apple enrollment profile for school devices After you get your Apple token, you can create an enrollment profile for school devices. An essential part of setup is creating enrollment profiles. The profiles contain the settings that apply to devices during device enrollment. ## Create a profile -1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**. +1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices**. +1. Expand **Device onboarding**, and then select **Enrollment**. 1. Select the **Apple** tab. 1. Under **Bulk Enrollment Methods**, Choose **Enrollment program tokens**. -1. Select a token. -1. Select **Profiles** > **Create profile** > **iOS/iPadOS**. +1. Choose a token, and then select **Profiles**. +1. Select **Create profile** > **iOS/iPadOS**. -1. Under **Create Profile**, enter a **Name** and **Description** for the profile, for administrative purposes. Users don't see these details. +1. For **Basics**, give the profile a **Name** and **Description** for administrative purposes. Users don't see these details. ![Example screenshot of the profile name and description fields in the admin center.](./media/apple-school-manager-set-up-ios/image05.png) 
@@ -49,11 +50,11 @@ After you get your Apple token, you can create an enrollment profile for school 1. For **User Affinity**, decide if devices with this profile must enroll with an assigned user or without an assigned user. - - **Enroll with User Affinity** - Choose this option for devices that belong to users and that want to use the company portal for services like installing apps. This option also lets users authenticate their devices by using the company portal. If using ADFS, user affinity requires [WS-Trust 1.3 Username/Mixed endpoint](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff608241(v=ws.10)). [Learn more](/powershell/module/adfs/get-adfsendpoint). Apple School Manager's Shared iPad mode requires user enroll without user affinity. + - **Enroll with User Affinity** - Choose this option for devices that belong to users and that want to use the company portal for services like installing apps. This option also lets users authenticate their devices by using the company portal. If using Active Directory Federation Services (AD FS), user affinity requires [WS-Trust 1.3 Username/Mixed endpoint](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff608241(v=ws.10)). [Learn more](/powershell/module/adfs/get-adfsendpoint). Apple School Manager's Shared iPad mode requires user enroll without user affinity. - **Enroll without User Affinity** - Choose this option for devices unaffiliated with a single user, such as a shared device. Use this option for devices that perform tasks without accessing local user data. Apps like the Company Portal app don't work. -1. If you chose **Enroll with User Affinity**, you can let users authenticate with Company Portal, Setup Assistant (legacy), and Setup Assistant with modern authentication. Select the option. For more information about authentication methods, see [Authentication methods for automated device enrollment in Intune](automated-device-enrollment-authentication.md). +1. 
If you chose **Enroll with User Affinity**, select how users must authenticate: Company Portal, Setup Assistant (legacy), or Setup Assistant with modern authentication. For more information about authentication methods, see [Authentication methods for automated device enrollment in Intune](automated-device-enrollment-authentication.md). > [!NOTE] > If you want any of the following features, set **Authenticate with Company Portal instead of Apple Setup Assistant** to **Yes**. @@ -63,8 +64,8 @@ After you get your Apple token, you can create an enrollment profile for school > > These features aren't supported when authenticating with Apple Setup Assistant. -1. Choose **Device Management Settings** and choose if you want devices using this profile to be supervised. - **Supervised** devices give you more management options and disabled Activation Lock by default. Microsoft recommends using ADE as the mechanism for enabling Intune's supervised mode, especially for organizations that are deploying large numbers of iOS/iPadOS devices. +1. Choose **Device Management Settings**, and choose if you want devices using this profile to be supervised. + *Supervision* gives you more management options and disabled Activation Lock by default. Microsoft recommends using ADE as the mechanism for enabling Intune's supervised mode, especially for organizations that are deploying large numbers of iOS/iPadOS devices. Users are notified that their devices are supervised in two ways: 
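Review bot: In the added supervision sentence, "*Supervision* gives you more management options and disabled Activation Lock by default", the verb tense leaves it unclear whether supervision turns Activation Lock off or the lock merely happens to be off. Use "disables Activation Lock by default" so the effect on this anti-theft control is stated unambiguously.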
@@ -74,11 +75,11 @@ After you get your Apple token, you can create an enrollment profile for school > [!NOTE] > A device enrolled without supervision can only be reset to supervised by using the Apple Configurator. Resetting the device in this manner requires connecting an iOS/iPadOS device to a Mac with a USB cable. For more information, see the [Apple Configurator docs](https://support.apple.com/guide/apple-configurator-mac) (opens Apple Support). -1. Choose if you want locked enrollment for devices using this profile. **Locked enrollment** disables iOS/iPadOS settings that allow the management profile to be removed from the **Settings** menu. After device enrollment, you can't change this setting without wiping the device. Such devices must have the **Supervised** Management Mode set to *Yes*. +1. Choose if you want locked enrollment for devices using this profile. **Locked enrollment** disables iOS/iPadOS settings that allow the management profile to be removed from the **Settings** menu. After device enrollment, you can't change this setting without wiping the device. Such devices must have the **Supervised** Management Mode set to *yes*. -1. You can let multiple users sign on to enrolled iPads by using a managed Apple ID. To do so, choose **Yes** under **Shared iPad** (this option requires **Enroll without User Affinity** and **Supervised** mode set to **Yes**.) Managed Apple IDs are created in the Apple School Manager portal. Learn more about [shared iPad](../fundamentals/education-settings-configure-ios-shared.md) and [Apple's shared iPad requirements](https://help.apple.com/classroom/ipad/2.0/#/cad7e2e0cf56). +1. You can let multiple users sign on to enrolled iPads by using a managed Apple ID. To do so, choose **Yes** under **Shared iPad** (this option requires **Enroll without User Affinity** and **Supervised** mode set to **Yes**.) Managed Apple IDs are created in the Apple School Manager portal. 
Learn more about [shared iPad](../fundamentals/education-settings-configure-ios-shared.md) and [shared iPad requirements for Apple](https://help.apple.com/classroom/ipad/2.0/#/cad7e2e0cf56). -1. Choose if you want the devices using this profile to be able to **Sync with computers**. **Deny All** means that all devices using this profile won't be able to sync with any data on any computer. If you choose **Allow Apple Configurator by certificate**, you must choose a certificate under **Apple Configurator Certificates**. +1. Choose if you want the devices using this profile to be able to **Sync with computers**. **Deny All** means that devices using this profile can't sync with any data on any computer. If you choose **Allow Apple Configurator by certificate**, you must choose a certificate under **Apple Configurator Certificates**. 1. If you chose **Allow Apple Configurator by certificate** in the previous step, choose an Apple Configurator Certificate to import. 
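Review bot: The locked-enrollment step now ends "set to *yes*", while the Shared iPad step directly below it in this hunk still writes the same setting as "**Supervised** mode set to **Yes**". Keep one casing and emphasis style for the setting value, matching the label shown in the admin center, so readers can tell both steps refer to the same toggle.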
@@ -91,7 +92,7 @@ After you get your Apple token, you can create an enrollment profile for school |Setting |Description | |------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |**Department Name** | Appears when users tap About Configuration during activation. | - | **Department Phone** | Appears when the user clicks the Need Help button during activation. | + | **Department Phone** | Appears when the user selects the Need Help button during activation. | |**Setup Assistant Options** | The following optional settings can be set up later in the iOS/iPadOS Settings menu. | |**Passcode** | Prompt for passcode during activation. Always require a passcode for unsecured devices unless access is controlled in some other manner (like kiosk mode that restricts the device to one app). | |**Location Services** | If enabled, Setup Assistant prompts for the service during activation. | @@ -113,7 +114,7 @@ After you get your Apple token, you can create an enrollment profile for school This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager. 1. [Prerequisites](apple-school-manager-set-up-ios.md) -1. [Get an Apple token and assign devices](apple-school-manager-step-1.md) +1. [Get an Apple token for school devices](apple-school-manager-step-1.md) 1. 🡺 Create an Apple enrollment profile (*You are here*) -1. [Sync managed devices](apple-school-manager-step-3.md) +1. [Sync and distribute devices](apple-school-manager-step-3.md) diff --git a/memdocs/intune/enrollment/apple-school-manager-step-3.md b/memdocs/intune/enrollment/apple-school-manager-step-3.md index 4d0e57564cb..4bc824b31f5 100644 --- a/memdocs/intune/enrollment/apple-school-manager-step-3.md +++ b/memdocs/intune/enrollment/apple-school-manager-step-3.md 
@@ -29,7 +29,7 @@ ms.collection: - M365-identity-device-management --- -# Sync managed devices +# Sync and distribute school devices After you assign Microsoft Intune permission to manage your Apple School Manager devices, sync Intune with the Apple service to see your managed devices in the admin center. @@ -43,15 +43,12 @@ After you assign Microsoft Intune permission to manage your Apple School Manager To follow Apple's terms for acceptable enrollment program traffic, Intune imposes the following restrictions: - A full sync can run no more than once every seven days. During a full sync, Intune refreshes every Apple serial number assigned to Intune. If a full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers that aren't already listed in Intune. - Any sync request is given 15 minutes to finish. During this time or until the request succeeds, the **Sync** button is disabled. -- Intune syncs new and removed devices with Apple every 24 hours. - ->[!NOTE] ->You can also assign Apple School Manager serial numbers to profiles from the **Enrollment Program Devices** blade. +- Intune syncs new and removed devices with Apple every 24 hours. ## Assign a profile to devices Apple School Manager devices managed by Intune must be assigned an enrollment profile before they're enrolled. -1. Return to **Enrollment Program Tokens**. +1. Return to **Enrollment program tokens**. 1. Select a token in the list. 1. Select **Devices**, and then choose your devices. 1. Select **Assign profile**. Then select a profile for the devices. 
@@ -62,12 +59,19 @@ Apple School Manager devices managed by Intune must be assigned an enrollment pr You enabled management and syncing between Apple and Intune, and assigned a profile that lets Apple School devices enroll. You can now distribute devices to users. When an iOS/iPadOS Apple School Manager device is turned on, it enrolls in Microsoft Intune. Profiles can't be applied to activated devices currently in use until the device is wiped. ## Connect School Data Sync -Microsoft Education is transitioning to a new School Data Sync (SDS) experience with enhanced features, starting August 2024 for the Northern Hemisphere and January 2025 for the Southern Hemisphere. The current Apple School Manager support will be retired by December 31, 2024. This new experience offers various enhancements over SDS (Classic) including decoupled data ingestion, faster syncs with fewer errors, support for larger organizations, and a modern user interface. Please contact Microsoft Education support with questions regarding the transition to the new School Data Sync experience. +Microsoft Education is transitioning to a new School Data Sync (SDS) experience with enhanced features, starting August 2024 for the Northern Hemisphere and January 2025 for the Southern Hemisphere. The current Apple School Manager support will be retired by December 31, 2024. This new experience offers various enhancements over SDS (Classic) including: + +- Decoupled data ingestion +- Faster syncs with fewer errors +- Support for larger organizations +- A modern user interface + +Please contact Microsoft Education support with questions regarding the transition to the new School Data Sync experience. ## Next steps This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager. 1. [Prerequisites](apple-school-manager-set-up-ios.md) -1. [Get an Apple token and assign devices](apple-school-manager-step-1.md) +1. 
[Get an Apple token for school devices](apple-school-manager-step-1.md) 1. [Create an Apple enrollment profile](apple-school-manager-step-2.md) -1. 🡺 Sync managed devices (*You are here*) +1. 🡺 Sync and distribute devices (*You are here*) diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md index 99ee8c68977..e9ae8468f33 100644 --- a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md +++ b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md @@ -140,9 +140,10 @@ Use [Apple Business Manager (ABM)](https://business.apple.com/) or [Apple School ### Step 1: Download the Intune public key certificate -1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**. +1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices**. +1. Expand **Device onboarding**, and then select **Enrollment**. 1. Select the **Apple** tab. -1. Select **Enrollment Program Tokens** > **Add**. +1. Select **Enrollment Program Tokens** > **Create**. 1. On the **Basics** tab: 
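Review bot: In device-enrollment-program-enroll-ios.md, this hunk keeps the label as "**Enrollment Program Tokens** > **Create**", but the next hunk in the same file and the step-3 article in this patch change it to "**Enrollment program tokens**". Use the single casing that matches the admin center in both places.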
@@ -210,9 +211,10 @@ Now that you've installed your token, you can create an enrollment profile for a > [!NOTE] > Devices will be blocked from enrolling if there aren't enough Company Portal licenses for a VPP token or if the token expires. Intune alerts you when a token is about to expire or licenses are running low. -1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Enrollment**. +1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices**. +1. Expand **Device onboarding**, and then select **Enrollment**. 1. Select the **Apple** tab. -1. Choose **Enrollment Program Tokens**. +1. Choose **Enrollment program tokens**. 1. Choose a token, and then select **Profiles**. 1. Select **Create profile** > **iOS/iPadOS**. 1. For **Basics**, give the profile a **Name** and **Description** for administrative purposes. Users don't see these details. From 2179bb0eacf92a0d5162ff20f5071e51606a34f4 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 7 Jan 2025 10:05:05 -0500 Subject: [PATCH 192/237] Final review --- .../enrollment/apple-school-manager-step-1.md | 12 ++++++------ .../enrollment/apple-school-manager-step-2.md | 16 +++++++--------- .../enrollment/apple-school-manager-step-3.md | 2 +- 3 files changed, 14 insertions(+), 16 deletions(-) diff --git a/memdocs/intune/enrollment/apple-school-manager-step-1.md b/memdocs/intune/enrollment/apple-school-manager-step-1.md index 80aa4ce7de4..68ee4297172 100644 --- a/memdocs/intune/enrollment/apple-school-manager-step-1.md +++ b/memdocs/intune/enrollment/apple-school-manager-step-1.md 
@@ -33,7 +33,7 @@ ms.collection: Before you can enroll corporate-owned iOS/iPadOS devices with Apple School Manager, you need a token (.p7m) file from Apple. This token lets Intune sync information about Apple School Manager-participating devices. It also permits Intune to perform enrollment profile uploads to Apple and to assign devices to those profiles. While you are in the Apple portal, you can also assign device serial numbers to manage. -## Step 1: +## Get Apple token In the first set of steps, you download the Intune public key certificate required to create an Apple token. 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Devices**. 
@@ -49,17 +49,17 @@ In the first set of steps, you download the Intune public key certificate requir > [!TIP] > The following steps describe what you need to do in Apple School Manager. For the specific steps, see the [Apple School Manager User Guide](https://support.apple.com/guide/apple-school-manager/device-workflow-axm6a88f692e/1/web/1) (opens Apple Support). -1. Choose **Create a token via Apple School Manager**, and sign in to Apple School with your company Apple ID. You can use this Apple ID to renew your Apple School Manager token. -1. In the [Apple School Manager portal](https://school.apple.com), go to your MDM Server assignments to add an MDM server. -1. Enter the MDM server name. The server name is for your reference to identify the mobile device management (MDM) server. It isn't the name or URL of the Microsoft Intune server. +1. Choose **Create a token via Apple School Manager**, and sign in to [Apple School Manager](https://school.apple.com with your company Apple ID. You can use this Apple ID to renew your Apple School Manager token. +1. In Apple School Manager, go to your MDM Server assignments to add an MDM server. +1. Enter the mobile device management (MDM) server name. The server name is for your reference to identify the MDM server. It isn't the name or URL of the Microsoft Intune server. 1. Upload the public key certificate file (.pem file). 1. Save your MDM server. 1. Select the download button to download the server token (.p7m) file to your computer. 1. Go to **Devices** and select the devices you want to assign to this token. You can sort by various device properties, like serial number. You can also select multiple devices simultaneously. -2. Select **Edit MDM Server**. Select the MDM server you just added, and then save your changes. This step assigns devices to the token. +1. Select **Edit MDM Server**. Select the MDM server you just added, and then save your changes. This step assigns devices to the token. 1. 
Return to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and enter the Apple ID you used to create the token. - ![Example screenshot showing the Apple ID used to create the enrollment program token and browsing to the enrollment program token.](./media/apple-school-manager-set-up-ios/image03.png) + ![Example screenshot showing the Apple ID used to create the enrollment program token and browsing to the enrollment program token.](./media/apple-school-manager-set-up-ios/image03.png) 1. For **Apple token**, browse to the certificate (.pem) file. Select **Open**, and then choose **Create**. With the push certificate, Intune can enroll and manage iOS/iPadOS devices by pushing policies to enrolled mobile devices. Intune automatically syncs your Apple School Manager devices from Apple. diff --git a/memdocs/intune/enrollment/apple-school-manager-step-2.md b/memdocs/intune/enrollment/apple-school-manager-step-2.md index 7dc566e0414..462363b2c09 100644 --- a/memdocs/intune/enrollment/apple-school-manager-step-2.md +++ b/memdocs/intune/enrollment/apple-school-manager-step-2.md 
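Review bot: In apple-school-manager-step-1.md, the rewritten first step has a broken Markdown link: "[Apple School Manager](https://school.apple.com with your company Apple ID" is missing the closing parenthesis after the URL, so the link will not render as intended. Close it as "(https://school.apple.com)" before " with your company Apple ID".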
@@ -43,10 +43,9 @@ After you get your Apple token, you can create an enrollment profile for school 1. For **Basics**, give the profile a **Name** and **Description** for administrative purposes. Users don't see these details. - ![Example screenshot of the profile name and description fields in the admin center.](./media/apple-school-manager-set-up-ios/image05.png) + ![Example screenshot of the profile name and description fields in the admin center.](./media/apple-school-manager-set-up-ios/image05.png) ->[!TIP] -> You can use the name you enter here to create a dynamic group in Microsoft Entra ID. To assign devices with this enrollment profile, for example, use the name to define the enrollmentProfileName parameter in your dynamic group rules. For more information, see [Microsoft Entra dynamic groups](/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal#rules-for-devices). + You can use the name you enter here to create a dynamic group in Microsoft Entra ID. To assign devices with this enrollment profile to a group, for example, enter the name in the *enrollmentProfileName* parameter in your dynamic group rules. For more information, see [Microsoft Entra dynamic groups](/azure/active-directory/active-directory-groups-dynamic-membership-azure-portal#rules-for-devices). 1. For **User Affinity**, decide if devices with this profile must enroll with an assigned user or without an assigned user. 
@@ -64,8 +63,7 @@ After you get your Apple token, you can create an enrollment profile for school > > These features aren't supported when authenticating with Apple Setup Assistant. -1. Choose **Device Management Settings**, and choose if you want devices using this profile to be supervised. - *Supervision* gives you more management options and disabled Activation Lock by default. Microsoft recommends using ADE as the mechanism for enabling Intune's supervised mode, especially for organizations that are deploying large numbers of iOS/iPadOS devices. +1. Choose **Device Management Settings**. Decide if you want devices using this profile to be supervised. *Supervision* gives you more management options and disables Apple Activation Lock by default. Microsoft recommends using ADE as the mechanism for enabling Intune's supervised mode, especially for organizations that are deploying large numbers of iOS/iPadOS devices. Users are notified that their devices are supervised in two ways: 
@@ -75,19 +73,19 @@ After you get your Apple token, you can create an enrollment profile for school > [!NOTE] > A device enrolled without supervision can only be reset to supervised by using the Apple Configurator. Resetting the device in this manner requires connecting an iOS/iPadOS device to a Mac with a USB cable. For more information, see the [Apple Configurator docs](https://support.apple.com/guide/apple-configurator-mac) (opens Apple Support). -1. Choose if you want locked enrollment for devices using this profile. **Locked enrollment** disables iOS/iPadOS settings that allow the management profile to be removed from the **Settings** menu. After device enrollment, you can't change this setting without wiping the device. Such devices must have the **Supervised** Management Mode set to *yes*. +1. Choose if you want locked enrollment for devices using this profile. **Locked enrollment** disables iOS/iPadOS settings that allow the management profile to be removed from the **Settings** menu. After device enrollment, you can't change this setting without wiping the device. Such devices must have the supervised management mode set to *yes*. 1. You can let multiple users sign on to enrolled iPads by using a managed Apple ID. To do so, choose **Yes** under **Shared iPad** (this option requires **Enroll without User Affinity** and **Supervised** mode set to **Yes**.) Managed Apple IDs are created in the Apple School Manager portal. Learn more about [shared iPad](../fundamentals/education-settings-configure-ios-shared.md) and [shared iPad requirements for Apple](https://help.apple.com/classroom/ipad/2.0/#/cad7e2e0cf56). -1. Choose if you want the devices using this profile to be able to **Sync with computers**. **Deny All** means that devices using this profile can't sync with any data on any computer. If you choose **Allow Apple Configurator by certificate**, you must choose a certificate under **Apple Configurator Certificates**. +1. 
Choose if you want the devices using this profile to be able to **Sync with computers**. **Deny All** means that devices using this profile can't sync with any data on any computer. 1. If you chose **Allow Apple Configurator by certificate** in the previous step, choose an Apple Configurator Certificate to import. 1. You can specify a naming format for devices that is automatically applied when they enroll. To do so, select **Yes** under **Apply device name template**. Then, in the **Device Name Template** box, enter the template to use for the names using this profile. You can specify a template format that includes the device type and serial number. -1. Choose **OK**. +1. Select **OK**. -1. Choose **Setup Assistant Settings** to configure the following profile settings: +1. Select **Setup Assistant Settings** to configure the following profile settings: |Setting |Description | |------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/memdocs/intune/enrollment/apple-school-manager-step-3.md b/memdocs/intune/enrollment/apple-school-manager-step-3.md index 4bc824b31f5..1625a728b3d 100644 --- a/memdocs/intune/enrollment/apple-school-manager-step-3.md +++ b/memdocs/intune/enrollment/apple-school-manager-step-3.md 
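Review bot: In apple-school-manager-step-2.md, dropping the sentence "If you choose **Allow Apple Configurator by certificate**, you must choose a certificate under **Apple Configurator Certificates**" from the **Sync with computers** step leaves the following step, "If you chose **Allow Apple Configurator by certificate** in the previous step", referring to an option the previous step no longer mentions; only **Deny All** is described there. Either list the available values in the sync step or reword the follow-up step so it introduces the option itself.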
@@ -35,7 +35,7 @@ After you assign Microsoft Intune permission to manage your Apple School Manager ## Start a sync -1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), return to **Enrollment Program Tokens**. +1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), return to **Enrollment program tokens**. 1. Select a token in the list. 1. Select **Devices** > **Sync**. ![Screenshot of the Enrollment Program Devices node and Sync link.](./media/device-enrollment-program-enroll-ios/image06.png) From 19d89970c977f1c43f72c65f37e749f55c9faec3 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 7 Jan 2025 10:14:37 -0500 Subject: [PATCH 193/237] added border line 42 --- memdocs/intune/enrollment/apple-school-manager-step-3.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/apple-school-manager-step-3.md b/memdocs/intune/enrollment/apple-school-manager-step-3.md index 1625a728b3d..abc459bced2 100644 --- a/memdocs/intune/enrollment/apple-school-manager-step-3.md +++ b/memdocs/intune/enrollment/apple-school-manager-step-3.md 
@@ -38,7 +38,9 @@ After you assign Microsoft Intune permission to manage your Apple School Manager 1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), return to **Enrollment program tokens**. 1. Select a token in the list. 1. Select **Devices** > **Sync**. -![Screenshot of the Enrollment Program Devices node and Sync link.](./media/device-enrollment-program-enroll-ios/image06.png) + + > [!div class="mx-imgBorder"] + >![Screenshot of the Enrollment Program Devices node and Sync link.](./media/device-enrollment-program-enroll-ios/image06.png) To follow Apple's terms for acceptable enrollment program traffic, Intune imposes the following restrictions: - A full sync can run no more than once every seven days. During a full sync, Intune refreshes every Apple serial number assigned to Intune. If a full sync is attempted within seven days of the previous full sync, Intune only refreshes serial numbers that aren't already listed in Intune. From 7f7857172e8454fdff3d67a94428b7514384db57 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 7 Jan 2025 10:19:43 -0500 Subject: [PATCH 194/237] article typo --- .../intune/enrollment/device-enrollment-program-enroll-ios.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md index e9ae8468f33..5b066beae38 100644 --- a/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md +++ b/memdocs/intune/enrollment/device-enrollment-program-enroll-ios.md 
@@ -313,7 +313,7 @@ Now that you've installed your token, you can create an enrollment profile for a > [!NOTE] > If you set **Sync with computers** to **Deny all**, the port will be limited on iOS and iPadOS devices. The port will be limited to only charging. It will be blocked from using iTunes or Apple Configurator 2. > - >If you set **Sync with computers** to **Allow Apple Configurator by certificate**, make sure you have a local copy of the certificate that you can use later. You won't be able to make changes to the uploaded copy, and it's important to retain an copy of this certificate. If you want to connect to the iOS/iPadOS device from a Mac device, the same certificate must be installed on the device making the connection to the iOS/iPadOS device. + >If you set **Sync with computers** to **Allow Apple Configurator by certificate**, make sure you have a local copy of the certificate that you can use later. You won't be able to make changes to the uploaded copy, and it's important to retain a copy of this certificate. If you want to connect to the iOS/iPadOS device from a Mac device, the same certificate must be installed on the device making the connection to the iOS/iPadOS device. 1. If you selected **Allow Apple Configurator by certificate** in the previous step, choose an Apple Configurator certificate to import. The limit is 10 certificates. 1. For **Await final configuration**, your options are: 
@@ -390,7 +390,7 @@ The following table describes the Setup Assistant screens shown during automated | **Apple Pay** | Shows the Apple Pay setup pane, which gives users the option to set up Apple Pay on their devices. For iOS/iPadOS 7.0 and later. | | **Zoom** | Shows the zoom setup pane, which gives users the option to configure zoom settings. For iOS/iPadOS 8.3 and later, and deprecated in iOS/iPadOS 17. | | **Siri** | Shows the Siri setup pane to users. For iOS/iPadOS 7.0 and later. | -| **Diagnostics Data** | Shows the diagnostics pane where users can opt-in to send diagnostic data to Apple. For iOS/iPadOS 7.0 and later. | +| **Diagnostics Data** | Shows the diagnostics pane where users can opt in to send diagnostic data to Apple. For iOS/iPadOS 7.0 and later. | | **Display Tone** | Shows the display tone setup pane, where users can configure the display's white balance settings. For iOS/iPadOS 9.3.2 and later, and deprecated in iOS/iPadOS 15. | | **Privacy** | Shows the privacy setup pane to the user. For iOS/iPadOS 11.3 and later. | | **Android Migration** | Shows a setup pane meant for previous Android users. On this screen, users can migrate data from an Android device. For iOS/iPadOS 9.0 and later.| From 1d363a22f809adb58beae4dc8ad9f5983e581819 Mon Sep 17 00:00:00 2001 From: brenduns Date: Tue, 7 Jan 2025 07:39:51 -0800 Subject: [PATCH 195/237] Adding settings catalog for android --- memdocs/intune/fundamentals/in-development.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md index 61d7fb6fd27..dad4ab99a9c 100644 --- a/memdocs/intune/fundamentals/in-development.md +++ b/memdocs/intune/fundamentals/in-development.md 
@@ -122,6 +122,26 @@ Applies to: ## Device configuration +### Android settings in the Settings Catalog + +The settings catalog will soon support Android Enterprise and AOSP. + +Currently, to configure Android settings, you use the built-in templates. The settings from these templates are also available in the settings catalog. More settings will continue to be added. + +In the Intune admin center, when you create a device configuration profile, you select the **Profile Type** (**Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > select your **Platform** > **Profile Type**). All the profile types are moved to **Profile Type** > **Templates**. + +This change: + +- Will be a UI change with no impact on your existing policies. Your existing policies won't changing. You will still be able to create, edit, and assign these policies the same way. +- Will be the same UI experience as iOS/iPadOS, macOS, and Windows templates. + +To get started with settings catalog, go to [Use the settings catalog to configure settings on your devices](/configuration/settings-catalog.md). + +Applies to: + +- Android Enterprise +- AOSP + ### Low privileged account for Intune Connector for Active Directory for Hybrid join Autopilot flows We're updating the Intune Connector for Active Directory to use a low privileged account to increase the security of your environment. The old connector will no longer be available for download but will continue to work until deprecation. From c685cc83c52d53184dd28769f6cdedd364ec7a68 Mon Sep 17 00:00:00 2001 From: brenduns Date: Tue, 7 Jan 2025 08:28:11 -0800 Subject: [PATCH 196/237] Adding settings catalog for android --- memdocs/intune/fundamentals/in-development.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md index dad4ab99a9c..2c989821855 100644 --- a/memdocs/intune/fundamentals/in-development.md 
+++ b/memdocs/intune/fundamentals/in-development.md @@ -135,7 +135,7 @@ This change: - Will be a UI change with no impact on your existing policies. Your existing policies won't changing. You will still be able to create, edit, and assign these policies the same way. - Will be the same UI experience as iOS/iPadOS, macOS, and Windows templates. -To get started with settings catalog, go to [Use the settings catalog to configure settings on your devices](/configuration/settings-catalog.md). +To get started with settings catalog, go to [Use the settings catalog to configure settings on your devices](../configuration/settings-catalog.md). Applies to: From 0bc224f18893afb4fda58de7f58daa24fb768268 Mon Sep 17 00:00:00 2001 From: Jason Sandys Date: Tue, 7 Jan 2025 10:48:11 -0600 Subject: [PATCH 197/237] Update cloud-native-endpoints-planning-guide.md Slight rewording to emphasize our recommendation to start clean with policies. --- .../cloud-native-endpoints-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md b/memdocs/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md index 07a27c70f00..8e4aee85865 100644 --- a/memdocs/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md +++ b/memdocs/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md 
@@ -143,7 +143,7 @@ Your exact workloads, details, and how to update the workloads for cloud-native - Traditional policy enforcement using group policy isn't possible with cloud-native endpoints. Instead, you can use Intune to create policies to configure many settings, including built-in features like the [Settings Catalog](../../intune/configuration/settings-catalog.md) and [administrative templates](../../intune/configuration/administrative-templates-windows.md). - [Group Policy analytics in Intune](../../intune/configuration/group-policy-analytics.md) can analyze your on-premises GPOs, see if those same settings are supported in the cloud, and create a policy using those settings. + You can reference and analyze existing GPOs using [Group Policy analytics in Intune](../../intune/configuration/group-policy-analytics.md) which allows you to see if settings within your GPOs are supported in the cloud. Group Policy analytics also allows you to create Intune policies from GPOs if this makes sense. In general, we recommend that customers implement policies that conform to their requirements instead of directly migrating existing GPOs to Intune. This allows you to rationalize, optimize, and streamline policies within Intune. - If you have existing policies that issue certificates, manage BitLocker, and provide endpoint protection, then you need to create new policies in Intune or Configuration Manager (with a [CMG](../../configmgr/core/clients/manage/cmg/overview.md) and [co-management](../../configmgr/comanage/how-to-prepare-win10.md)). From 47e80b8086a9d6ca2613ac6037ec1ad4d5d5ffef Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 7 Jan 2025 12:16:57 -0500 Subject: [PATCH 198/237] Update compliance policy evaluation section Style & voice edits --- memdocs/intune/protect/compliance-policy-monitor.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/memdocs/intune/protect/compliance-policy-monitor.md b/memdocs/intune/protect/compliance-policy-monitor.md index 4328e6019a8..46f9cf0f434 100644 --- a/memdocs/intune/protect/compliance-policy-monitor.md +++ b/memdocs/intune/protect/compliance-policy-monitor.md @@ -234,12 +234,12 @@ Policy conflicts can occur when multiple Intune policies are applied to a device To learn more about conflict resolution for policies, see [Compliance and device configuration policies that conflict](../configuration/device-profile-troubleshoot.md#compliance-and-device-configuration-policies-that-conflict). -## How Intune evaluates the Default Compliance Policy +## How Intune evaluates the default compliance policy -In Intune, the default compliance policy is evaluated for every device on every calculation. The evaluation process sets the device to non-compliant if any of the following is false. -- "Has a compliance policy assigned" - At least one applicable compliance policy must be assigned to device with an applicable setting inside. -- "Is active" - Device should remain in contact with Intune (turned on with internet and actively connecting. Default grace is 30 days.) -- "Enrolled user exists" - User that is actively using the device exist and has a valid Intune license. +In Intune, the default compliance policy is evaluated for every device on every calculation. The evaluation process identifies the device as noncompliant if any of the following statements are false: +- The device has a compliance policy assigned: At least one applicable compliance policy must be assigned to the device with an applicable setting. +- The device is active: The device should remain in contact with Intune. This requires it to to be turned on with an internet connection. The default grace period is 30 days. +- The enrolled user exists: The user that is actively using the device exists and has a valid Intune license. ## Next steps 
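Review bot: In the rewritten "The device is active" bullet, "This requires it to to be turned on" has a doubled "to", and the rewrite drops the removed line's "actively connecting" condition, leaving only "turned on with an internet connection". Because this list defines when a device is identified as noncompliant, suggest keeping the check-in requirement explicit and saying what the 30-day grace period is measured from, so an admin can tell when an idle device changes state.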
From be60ec3f218e6c717e4d57c6a596e4a17bd29de3 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Tue, 7 Jan 2025 12:20:59 -0500 Subject: [PATCH 199/237] Fix typo in compliance policy documentation Typo line 241 --- memdocs/intune/protect/compliance-policy-monitor.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/protect/compliance-policy-monitor.md b/memdocs/intune/protect/compliance-policy-monitor.md index 46f9cf0f434..83ac6d88143 100644 --- a/memdocs/intune/protect/compliance-policy-monitor.md +++ b/memdocs/intune/protect/compliance-policy-monitor.md @@ -238,7 +238,7 @@ To learn more about conflict resolution for policies, see [Compliance and device In Intune, the default compliance policy is evaluated for every device on every calculation. The evaluation process identifies the device as noncompliant if any of the following statements are false: - The device has a compliance policy assigned: At least one applicable compliance policy must be assigned to the device with an applicable setting. -- The device is active: The device should remain in contact with Intune. This requires it to to be turned on with an internet connection. The default grace period is 30 days. +- The device is active: The device should remain in contact with Intune. This requires it to be turned on with an internet connection. The default grace period is 30 days. - The enrolled user exists: The user that is actively using the device exists and has a valid Intune license. ## Next steps From 67102589ace0c612d2d0c52fb2a09f6ba6aec40c Mon Sep 17 00:00:00 2001 From: Padma Jayaraman Date: Tue, 7 Jan 2025 23:24:06 +0530 Subject: [PATCH 200/237] Corrected the hyperlink format --- memdocs/intune/enrollment/apple-school-manager-step-1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/enrollment/apple-school-manager-step-1.md b/memdocs/intune/enrollment/apple-school-manager-step-1.md index 68ee4297172..d423823728c 100644 
--- a/memdocs/intune/enrollment/apple-school-manager-step-1.md +++ b/memdocs/intune/enrollment/apple-school-manager-step-1.md @@ -49,7 +49,7 @@ In the first set of steps, you download the Intune public key certificate requir > [!TIP] > The following steps describe what you need to do in Apple School Manager. For the specific steps, see the [Apple School Manager User Guide](https://support.apple.com/guide/apple-school-manager/device-workflow-axm6a88f692e/1/web/1) (opens Apple Support). -1. Choose **Create a token via Apple School Manager**, and sign in to [Apple School Manager](https://school.apple.com with your company Apple ID. You can use this Apple ID to renew your Apple School Manager token. +1. Choose **Create a token via Apple School Manager**, and sign in to [Apple School Manager](https://school.apple.com) with your company Apple ID. You can use this Apple ID to renew your Apple School Manager token. 1. In Apple School Manager, go to your MDM Server assignments to add an MDM server. 1. Enter the mobile device management (MDM) server name. The server name is for your reference to identify the MDM server. It isn't the name or URL of the Microsoft Intune server. 1. Upload the public key certificate file (.pem file). From 414a890ff603f713b046374205226e84061cc78d Mon Sep 17 00:00:00 2001 From: Padma Jayaraman Date: Tue, 7 Jan 2025 23:33:27 +0530 Subject: [PATCH 201/237] Fixed punctuation --- memdocs/intune/enrollment/apple-school-manager-step-2.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/memdocs/intune/enrollment/apple-school-manager-step-2.md b/memdocs/intune/enrollment/apple-school-manager-step-2.md index 462363b2c09..27d3b5ea28f 100644 --- a/memdocs/intune/enrollment/apple-school-manager-step-2.md +++ b/memdocs/intune/enrollment/apple-school-manager-step-2.md 
@@ -37,7 +37,7 @@ After you get your Apple token, you can create an enrollment profile for school 1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices**. 1. Expand **Device onboarding**, and then select **Enrollment**. 1. Select the **Apple** tab. -1. Under **Bulk Enrollment Methods**, Choose **Enrollment program tokens**. +1. Under **Bulk Enrollment Methods**, choose **Enrollment program tokens**. 1. Choose a token, and then select **Profiles**. 1. Select **Create profile** > **iOS/iPadOS**. @@ -112,7 +112,7 @@ After you get your Apple token, you can create an enrollment profile for school This series of articles describes how to set up Microsoft Intune for devices purchased through Apple School Manager. 1. [Prerequisites](apple-school-manager-set-up-ios.md) -1. [Get an Apple token for school devices](apple-school-manager-step-1.md) -1. 🡺 Create an Apple enrollment profile (*You are here*) -1. [Sync and distribute devices](apple-school-manager-step-3.md) +1. [Get an Apple token for school devices](apple-school-manager-step-1.md). +1. 🡺 Create an Apple enrollment profile (*You are here*). +1. [Sync and distribute devices](apple-school-manager-step-3.md). From 7c9a0c1a209b0a222b24cf00f1b948299cc6fa43 Mon Sep 17 00:00:00 2001 From: brenduns Date: Tue, 7 Jan 2025 12:45:08 -0800 Subject: [PATCH 202/237] One more for Configure multiple displays setting --- memdocs/intune/fundamentals/in-development.md | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/in-development.md b/memdocs/intune/fundamentals/in-development.md index 2c989821855..ddbacd2ddac 100644 --- a/memdocs/intune/fundamentals/in-development.md +++ b/memdocs/intune/fundamentals/in-development.md 
@@ -142,6 +142,19 @@ Applies to: - Android Enterprise - AOSP + +### The Settings Catalog lists all the settings you can configure in a device policy + +The Settings Catalog lists all the settings you can configure in a device policy, and all in one place. + +There will soon be new settings in the Settings Catalog to *Configure Multiple Display Mode* for Windows 24H2. To see available settings, in the Microsoft Intune admin center, go to **Devices** > **Manage devices** > **Configuration** > **Create** > **New policy** > **Windows 10 and later for platform** > **Settings catalog** for profile type. + +The **Configure Multiple Display Mode** setting allows monitors to extend or clone the display by default, facilitating the need for manual setup. It streamlines the multi-monitor configuration process, ensuring a consistent and user-friendly experience. + +Applies to: + +- Windows + ### Low privileged account for Intune Connector for Active Directory for Hybrid join Autopilot flows We're updating the Intune Connector for Active Directory to use a low privileged account to increase the security of your environment. The old connector will no longer be available for download but will continue to work until deprecation. 
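Review bot: In the added paragraph on **Configure Multiple Display Mode**, "facilitating the need for manual setup" says the opposite of what the following sentence implies; "reducing the need for manual setup" looks like the intent. The new heading also repeats the first body sentence almost word for word and doesn't name the setting being announced, so a heading that mentions Configure Multiple Display Mode would be easier to find among the other in-development entries.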
@@ -154,7 +167,13 @@ For more information, see [Deploy Microsoft Entra hybrid joined devices by using -## Device management +## Device management + +### Remote actions with multiple administrative approval (MAA) + +Intune *access policies* help protect against a compromised administrative account by requiring that a second administrative account is used to approve a change before the change is applied. This capability is known as multiple administrative approval (MAA). The remote actions **Retire**, **Wipe** and **Delete** will support MAA. Onboarding Remote device actions to MAA, will help mitigate the risk of unauthorized or compromised remote actions being taken on device(s) by a single administrative account thereby enhancing the overall security posture of the environment. + +For more information on multiple administrative approval, see [Use multiple administrative approvals in Intune](../fundamentals/multi-admin-approval.md). ### Remote Help supports Azure Virtual Desktop muti-session From 5e141f999a57b6f2d00c37a60d85946cdc6f8f93 Mon Sep 17 00:00:00 2001 From: gkomatsu <25205749+gkomatsu@users.noreply.github.com> Date: Tue, 7 Jan 2025 14:40:22 -0800 Subject: [PATCH 203/237] Update introduction-windows-365-frontline.md Adding note to clarify FL dedicated CPCs will take longer time to connect compared to Enterprise CPCs when they are being powered on. Addressing concerns, confusion from customers finding FL CPCs take long to connect. --- windows-365/enterprise/introduction-windows-365-frontline.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows-365/enterprise/introduction-windows-365-frontline.md b/windows-365/enterprise/introduction-windows-365-frontline.md index c0100e7145e..1892035645f 100644 --- a/windows-365/enterprise/introduction-windows-365-frontline.md +++ b/windows-365/enterprise/introduction-windows-365-frontline.md 
@@ -58,6 +58,11 @@ Windows 365 Frontline dedicated mode is designed specifically for workers who ne The maximum number of active Windows 365 Frontline Cloud PC sessions in your organization is equal to the number of Windows 365 Frontline licenses that you purchased. For example, if you purchase 10 licenses, up to 30 Cloud PCs can be provisioned in dedicated mode. Ten of those Cloud PCs can be active at a given time. The active sessions are managed automatically. When a user signs off from their Cloud PC, the session is released for another user to start using their Cloud PC. A concurrency buffer exists to exceed the maximum a limited number of times per day. For more information, see [Exceeding the maximum concurrency limit ](#exceeding-the-maximum-concurrency-limit). +> [!NOTE] +> +> Windows 365 Frontline Cloud PCs in dedicated mode will automatically power off after the user signs off from the Cloud PC, and will be powered on when the user attempts to connect. It may take more time for the user to connect when the Cloud PC is being powered on. This connection time does not include executing logon scripts set by organizations. +> After the user sign off, the Cloud PC remains powered on for two hours. If the user attempts to reconnect while the Cloud PC is powered on, the connection time will be same as Windows 365 Enterprise Cloud PCs. + ## Windows 365 Frontline in shared mode (preview) A single license: From 2bef06edb3ffa33134812eb0159e99b4c7b86469 Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Tue, 7 Jan 2025 15:38:21 -0800 Subject: [PATCH 204/237] Fix formatting and clarify permission notification details --- .../app-configuration-managed-home-screen-app.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md index 165bbf9871e..7ee29ae3489 100644 
--- a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md +++ b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md @@ -132,8 +132,8 @@ The following table lists the Managed Home Screen available configuration keys, > [!NOTE] > The virtual home button requires granting overlay permission to MHS. The notification badge functionality requires granting notification permission to MHS.The brightness slider, adaptive brightness toggle, and autorotate toggle require granting write settings permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant these permissions to prevent possible breakout scenarios from the Settings application. -> On devices using some OS versions, a notification may be presented to users alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. This allows the user the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions when necessary. - +> +> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. The user will have the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions only when necessary. **Configurations for a custom screensaver**: 
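Review bot: In the replacement paragraph, "The user will have the option to disable the permission and may allow users access to the settings app" has lost its subject. The removed line said "This allows the user the option ...", which made it clear that the permission-granting screen is what exposes the Settings app. That exposure is the breakout scenario the note warns about, so suggest an explicit subject, for example "From this screen, the user can disable the permission and may be able to reach the Settings app."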
@@ -152,7 +152,8 @@ The following table lists the Managed Home Screen available configuration keys, > [!NOTE] > The screensaver requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application. -> On devices using some OS versions, a notification may be presented to users alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. This allows the user the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions when necessary. +> +> > Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. The user will have the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions only when necessary. **Configurations to help with troubleshooting issues on the device**: 
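Review bot: The added line starts with "> > Based on the OS version", a doubled blockquote marker that nests the paragraph one level deeper than the "> [!NOTE]" block it belongs to. The matching change under the virtual home button note uses a single "> ", so this one should too, otherwise the second paragraph renders as a quote inside the note.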
@@ -167,7 +168,8 @@ The following table lists the Managed Home Screen available configuration keys, >[!NOTE] > The automatic relaunch functionality requires granting exact alarm permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant exact alarm permission to prevent possible breakout scenarios from the Settings application. ->On devices using some OS versions, a notification may be presented to users alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. This allows the user the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions when necessary. +> +> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. The user will have the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions only when necessary. **Configurations to customize Managed Home Screen experience when device is set up with Microsoft Entra shared device mode**: 
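Review bot: The last sentence of the added paragraph has "only" twice ("recommended to only configure notifications and features which require permissions only when necessary"); the removed line had it once. Drop the second "only". The context line ">[!NOTE]" also lacks the space after ">" that the added lines use, which is worth aligning while this block is being edited.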
@@ -203,7 +205,8 @@ The following table lists the Managed Home Screen available configuration keys, > [!NOTE] > The automatic sign out feature requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application. -> On devices using some OS versions, a notification may be presented to users alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. This allows the user the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions when necessary. +> +> > Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. The user will have the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions only when necessary. ## Enter JSON Data From ef098790f23a64789a2050cb936b8f4399069abd Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Wed, 8 Jan 2025 09:59:21 -0500 Subject: [PATCH 205/237] text edits --- .../cloud-native-endpoints-planning-guide.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/memdocs/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md b/memdocs/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md index 8e4aee85865..da54d069531 100644 
--- a/memdocs/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md +++ b/memdocs/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md @@ -6,10 +6,9 @@ titleSuffix: Microsoft Intune description: To support hybrid and remote workers, convert or migrate your workloads to support cloud-native endpoints. This planning guide focuses on deploying apps and updates with Intune, moving from Group Policy Objects, and using Windows Autopilot. keywords: author: MandiOhlinger - ms.author: mandia manager: dougeby -ms.date: 01/09/2024 +ms.date: 01/08/2025 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: 
@@ -143,7 +142,7 @@ Your exact workloads, details, and how to update the workloads for cloud-native - Traditional policy enforcement using group policy isn't possible with cloud-native endpoints. Instead, you can use Intune to create policies to configure many settings, including built-in features like the [Settings Catalog](../../intune/configuration/settings-catalog.md) and [administrative templates](../../intune/configuration/administrative-templates-windows.md). - You can reference and analyze existing GPOs using [Group Policy analytics in Intune](../../intune/configuration/group-policy-analytics.md) which allows you to see if settings within your GPOs are supported in the cloud. Group Policy analytics also allows you to create Intune policies from GPOs if this makes sense. In general, we recommend that customers implement policies that conform to their requirements instead of directly migrating existing GPOs to Intune. This allows you to rationalize, optimize, and streamline policies within Intune. + You can reference and analyze existing GPOs using [Group Policy analytics in Intune](../../intune/configuration/group-policy-analytics.md), which allows you to see if settings within your GPOs are supported in the cloud. Group Policy analytics also allows you to create Intune policies from GPOs, if that's the right step for your organization. In general, we recommend that customers implement policies that conform to their requirements, instead of directly migrating existing GPOs to Intune. When you create policies based off your requirements, then you rationalize, optimize, and streamline your Intune policies. - If you have existing policies that issue certificates, manage BitLocker, and provide endpoint protection, then you need to create new policies in Intune or Configuration Manager (with a [CMG](../../configmgr/core/clients/manage/cmg/overview.md) and [co-management](../../configmgr/comanage/how-to-prepare-win10.md)). 
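Review bot: In the last added sentence, "based off your requirements" should be "based on your requirements", and "When you create ..., then you rationalize" reads more cleanly without "then". The clause "if that's the right step for your organization" is also vague next to the recommendation that follows it; consider saying when creating Intune policies from GPOs is appropriate, or dropping the clause so the recommendation stands on its own.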
From 3dcc40b3307b27c5211246a7b1b28a67a573799e Mon Sep 17 00:00:00 2001 From: abigail-stein <123512958+abigail-stein@users.noreply.github.com> Date: Wed, 8 Jan 2025 11:03:33 -0500 Subject: [PATCH 206/237] Update app-configuration-managed-home-screen-app.md Aligned the formatting and edited the text --- .../apps/app-configuration-managed-home-screen-app.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md index 7ee29ae3489..096c0279618 100644 --- a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md +++ b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md 
@@ -133,7 +133,7 @@ The following table lists the Managed Home Screen available configuration keys, > [!NOTE] > The virtual home button requires granting overlay permission to MHS. The notification badge functionality requires granting notification permission to MHS.The brightness slider, adaptive brightness toggle, and autorotate toggle require granting write settings permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant these permissions to prevent possible breakout scenarios from the Settings application. > -> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. The user will have the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions only when necessary. +> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It is recommended to only configure access to notifications and features which require permissions when necessary. **Configurations for a custom screensaver**: 
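Review bot: The rewritten second paragraph of this note drops "The user will have the option to disable the permission", which was the only statement that the user can revoke an auto-granted permission from that screen. If that is still the behavior, keep it, because it is part of the breakout risk the note warns about. The replacement clause "the permission-granting screen which may allow the user access to the settings app" also needs a comma before "which". The same replacement sentence is repeated in the -153, -169 and -206 hunks of this commit, so the wording should be settled once and applied to all four. Since the commit is described as aligning the formatting, the unchanged line above could also get its missing space in "MHS.The brightness slider".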
@@ -153,7 +153,7 @@ The following table lists the Managed Home Screen available configuration keys, > [!NOTE] > The screensaver requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application. > -> > Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. The user will have the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions only when necessary. +> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It is recommended to only configure access to notifications and features which require permissions when necessary. **Configurations to help with troubleshooting issues on the device**: 
@@ -169,7 +169,7 @@ The following table lists the Managed Home Screen available configuration keys, >[!NOTE] > The automatic relaunch functionality requires granting exact alarm permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant exact alarm permission to prevent possible breakout scenarios from the Settings application. > -> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. The user will have the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions only when necessary. +> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It is recommended to only configure access to notifications and features which require permissions when necessary. **Configurations to customize Managed Home Screen experience when device is set up with Microsoft Entra shared device mode**: 
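Review bot: The alert marker in this hunk's context is written `>[!NOTE]` with no space after `>`, while the other notes touched by this commit use `> [!NOTE]`. As the commit is about aligning the formatting of these notes, change this one to `> [!NOTE]` as well.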
@@ -206,7 +206,7 @@ The following table lists the Managed Home Screen available configuration keys, > [!NOTE] > The automatic sign out feature requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application. > -> > Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen. The user will have the option to disable the permission and may allow users access to the settings app. It is recommended to only configure notifications and features which require permissions only when necessary. +> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It is recommended to only configure access to notifications and features which require permissions when necessary. ## Enter JSON Data From 90eb9642a171e21ebe321f4f00d7efbda6b251e1 Mon Sep 17 00:00:00 2001 From: abigail-stein <123512958+abigail-stein@users.noreply.github.com> Date: Wed, 8 Jan 2025 11:07:27 -0500 Subject: [PATCH 207/237] Update app-configuration-managed-home-screen-app.md Addition of Complex numeric only option in pin complexity --- .../intune/apps/app-configuration-managed-home-screen-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md index 096c0279618..6c0de4b3382 100644 --- a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md +++ b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md @@ -183,7 +183,7 @@ The following table lists the Managed Home Screen available configuration keys, | Enable show organization logo on sign in page | bool | TRUE | Turn this setting to True to use a company logo that will appear on the sign-in screen. This setting is used with **Organization logo on sign in page** and can only be used if **Enable sign in** has been set to TRUE. | ✔️ | | Organization logo on sign in page | string | | Allows you to brand your device with a logo of your choice on the Managed Home Screen sign-in screen. To use this setting, enter the URL of the image that you want set for the logo. This setting can only be used if **Enable show organization logo on sign in page** and **Enable sign in** have been set to True. | ✔️ | | Enable session PIN | bool | FALSE | Turn this setting to True if you want end-users to get prompted to create a local Session PIN after they've successfully signed in to Managed Home Screen. The Session PIN prompt will appear before end-user gets access to the home screen, and can be used in conjunction with other features. The Session PIN lasts for the duration of a user's sign-in, and is cleared upon sign-out. By default, this setting is off. This setting can only be used if **Enable sign in** has been set to True. | ✔️

    NOTE: On devices that have a device configuration profile with the [**Enabled System Navigation Features** setting](../configuration/device-restrictions-android-for-work.md#dedicated-devices) set to **Home and Overview buttons**, end users can ignore and skip the session PIN screen. | -| Complexity of session PIN | string | | Choose whether the local session PIN should be **simple**, **complex**, or **alphanumeric complex**. If you choose **simple**, users will only be required to enter a numeric PIN. If you choose **complex**, users will get prompted to create a PIN with alphanumeric characters and no repeating (444) or ordered sequences (123, 432, 246) are allowed. Evaluation of repeating and sequential patterns begins at three (3) digits/characters. If you choose **alphanumeric complex**, then users will get prompted to create a PIN with alphanumeric characters, and at least one symbol or letter is required. No repeating (444) or ordered sequences (123, 432, 246) are allowed. Evaluation of repeating and sequential patterns begins at three (3) characters. The default value for this setting is one (1), where one (1) means that the user must have at least one character in their Session PIN. This setting can only be used if **Enable session PIN** and **Enable sign in** have been set to True. | ✔️

    NOTE: The **alphanumeric complex** option is only available in app config today. | +| Complexity of session PIN | string | | Choose whether the local session PIN should be **simple**, **complex**, **complex numeric only**, or **alphanumeric complex**. If you choose **simple**, users will only be required to enter a numeric PIN. If you choose **complex**, users will get prompted to create a PIN with alphanumeric characters and no repeating (444) or ordered sequences (123, 432, 246) are allowed. Evaluation of repeating and sequential patterns begins at three (3) digits/characters. If you choose **complex numeric only**, users will get prompted to create a PIN with numerals only and no repeating (444) or ordered sequences (123, 432, 246) are allowed. Evaluation of repeating and sequential patterns begins at three (3) digits/characters. If you choose **alphanumeric complex**, then users will get prompted to create a PIN with alphanumeric characters, and at least one symbol or letter is required. No repeating (444) or ordered sequences (123, 432, 246) are allowed. Evaluation of repeating and sequential patterns begins at three (3) characters. The default value for this setting is one (1), where one (1) means that the user must have at least one character in their Session PIN. This setting can only be used if **Enable session PIN** and **Enable sign in** have been set to True. | ✔️

    NOTE: The **complex numeric only** and **alphanumeric complex** options are only available in app config today. | | Minimum length for session PIN | string | | Define the minimum length a user's session PIN must adhere to. This can be used with any of the complexity values for session PIN. This setting can only be used if **Enable session PIN** and **Enable sign in** have been set to True. | ❌ | | Maximum number of attempts for session PIN | string | | Define the maximum number of times a user can attempt to enter their session PIN before getting automatically logged out from Managed Home Screen. The default value is zero (0), where zero (0) means the user gets infinite tries. This can be used with any of the complexity values for session PIN. This setting can only be used if **Enable session PIN** and **Enable sign in** have been set to True. | ❌ | | Customer facing folder | Bool | FALSE | Use this specification with **Create Managed Folder for grouping apps** to create a folder that can't be exited without a user entering their Session PIN. This setting can only be used if **Enable session PIN** and **Enable sign in** have been set to True. | ❌ | From 1ac603ed7966fe4c7b034c7ea8c18cf0435d2832 Mon Sep 17 00:00:00 2001 From: Dave Randall Date: Wed, 8 Jan 2025 08:59:02 -0800 Subject: [PATCH 208/237] Update intune-endpoints.md Removed 3 subnets no longer active. --- memdocs/intune/fundamentals/intune-endpoints.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index 5d952afa076..fa04d90aa10 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md +++ b/memdocs/intune/fundamentals/intune-endpoints.md @@ -288,7 +288,7 @@ The following tables list the ports and services that the Intune client accesses |Domains |IP address | |-----------|----------------| | login.microsoftonline.com
    *.officeconfig.msocdn.com
    config.office.com
    graph.windows.net
    enterpriseregistration.windows.net | More information [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2) | -|*.manage.microsoft.com
    manage.microsoft.com
    |104.46.162.96/27
    13.67.13.176/28
    13.67.15.128/27
    13.69.231.128/28
    13.69.67.224/28
    13.70.78.128/28
    13.70.79.128/27
    13.71.199.64/28
    13.73.244.48/28
    13.74.111.192/27
    13.77.53.176/28
    13.86.221.176/28
    13.89.174.240/28
    13.89.175.192/28
    20.189.172.160/27
    20.189.229.0/25
    20.191.167.0/25
    20.37.153.0/24
    20.37.192.128/25
    20.38.81.0/24
    20.41.1.0/24
    20.42.1.0/24
    20.42.130.0/24
    20.42.224.128/25
    20.43.129.0/24
    20.44.19.224/27
    20.49.93.160/27
    20.192.174.216/29
    20.192.159.40/29
    20.204.193.12/30
    20.204.193.10/31
    40.119.8.128/25
    40.67.121.224/27
    40.70.151.32/28
    40.71.14.96/28
    40.74.25.0/24
    40.78.245.240/28
    40.78.247.128/27
    40.79.197.64/27
    40.79.197.96/28
    40.80.180.208/28
    40.80.180.224/27
    40.80.184.128/25
    40.82.248.224/28
    40.82.249.128/25
    52.150.137.0/25
    52.162.111.96/28
    52.168.116.128/27
    52.182.141.192/27
    52.236.189.96/27
    52.240.244.160/27| +|*.manage.microsoft.com
    manage.microsoft.com
    |104.46.162.96/27
    13.67.13.176/28
    13.67.15.128/27
    13.69.231.128/28
    13.69.67.224/28
    13.70.78.128/28
    13.70.79.128/27
    13.74.111.192/27
    13.77.53.176/28
    13.86.221.176/28
    13.89.174.240/28
    13.89.175.192/28
    20.189.172.160/27
    20.189.229.0/25
    20.191.167.0/25
    20.37.153.0/24
    20.37.192.128/25
    20.38.81.0/24
    20.41.1.0/24
    20.42.1.0/24
    20.42.130.0/24
    20.42.224.128/25
    20.43.129.0/24
    20.44.19.224/27
    20.192.174.216/29
    20.192.159.40/29
    20.204.193.12/30
    20.204.193.10/31
    40.119.8.128/25
    40.67.121.224/27
    40.70.151.32/28
    40.71.14.96/28
    40.74.25.0/24
    40.78.245.240/28
    40.78.247.128/27
    40.79.197.64/27
    40.79.197.96/28
    40.80.180.208/28
    40.80.180.224/27
    40.80.184.128/25
    40.82.248.224/28
    40.82.249.128/25
    52.150.137.0/25
    52.162.111.96/28
    52.168.116.128/27
    52.182.141.192/27
    52.236.189.96/27
    52.240.244.160/27| --> ## Network requirements for PowerShell scripts and Win32 apps From 6bd60abf9d12a54a0301b11063cde0b6ad3a2762 Mon Sep 17 00:00:00 2001 From: brenduns Date: Wed, 8 Jan 2025 09:28:24 -0800 Subject: [PATCH 209/237] Revision note for delayed release --- memdocs/intune/fundamentals/whats-new.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index 537669d7aa2..a181a9e98f5 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 12/31/2024 +ms.date: 01/08/2025 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: fundamentals @@ -96,11 +96,16 @@ For more information about customizing the Company Portal and Intune apps, see [ ### Device security #### Support for tamper protection in policies for Security settings management for Microsoft Defender for Endpoint + +> [NOTE!] +> +> *Rollout of this feature is delayed and now expected to be available on or around January 18th, 2025.* You can now manage the Microsoft Defender for Endpoint CSP setting for [tamper protection](/windows/client-management/mdm/defender-csp) on unenrolled devices you mange as part of the [Defender for Endpoint security settings management](../protect/mde-security-integration.md#which-solution-should-i-use) scenario. With this support, tamper protection configurations from *Windows Security Experience* profiles for *Antivirus* policies now apply to all devices instead of only to those that are enrolled with Intune. + ### Device configuration #### Ending support for administrative templates when creating a new configuration profile From c8ddb4604dd959be911528293ec8bfaddc816b24 Mon Sep 17 00:00:00 2001 
From: brenduns Date: Wed, 8 Jan 2025 09:35:15 -0800 Subject: [PATCH 210/237] Note for MDE --- memdocs/intune/protect/mde-security-integration.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/protect/mde-security-integration.md b/memdocs/intune/protect/mde-security-integration.md index 2c9c5b09afd..d7b221a3b75 100644 --- a/memdocs/intune/protect/mde-security-integration.md +++ b/memdocs/intune/protect/mde-security-integration.md @@ -7,7 +7,7 @@ keywords: author: brenduns ms.author: brenduns manager: dougeby -ms.date: 12/13/2024 +ms.date: 01/08/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: protect 
@@ -272,15 +272,17 @@ To support use with Microsoft Defender security settings management, your polici | Antivirus | Defender Update controls | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) | | Antivirus | Microsoft Defender Antivirus | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) | | Antivirus | Microsoft Defender Antivirus exclusions| ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) | -| Antivirus | Windows Security Experience | ![Supported](./media/mde-security-integration/green-check.png) ![Supported](./media/mde-security-integration/green-check.png) | +| Antivirus | Windows Security Experience | ![Supported](./media/mde-security-integration/green-check.png) *See note* ***2*** | ![Supported](./media/mde-security-integration/green-check.png) | | Attack Surface Reduction | Attack Surface Reduction Rules | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) | -|Attack Surface Reduction|Device Control | *Note 1* | ![Supported](./media/mde-security-integration/green-check.png) | +|Attack Surface Reduction|Device Control | *Note* ***1*** | ![Supported](./media/mde-security-integration/green-check.png) | | Endpoint detection and response | Endpoint detection and response | ![Supported](./media/mde-security-integration/green-check.png)| ![Supported](./media/mde-security-integration/green-check.png)| | Firewall | Firewall | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) | | Firewall | Firewall Rules | ![Supported](./media/mde-security-integration/green-check.png) | ![Supported](./media/mde-security-integration/green-check.png) | ***1*** - This profile is visible in the 
Defender portal but isn't supported for devices managed only by Microsoft Defender through the Microsoft Defender security settings management scenario. This profile is supported only for devices managed by Intune. +***2*** - This profile is visible in the Defender portal. Support of this profile for devices managed only by Microsoft Defender through the Microsoft Defender security settings management scenario is delayed until on or around January 18th, 2025. When support for this scenario becomes available, this note will be removed. + **Each Intune endpoint security profile** is a discrete group of settings intended for use by security admins who focus on protecting devices in your organization. The following are descriptions of the profiles that are supported by the security settings management scenario: - **[Antivirus](endpoint-security-antivirus-policy.md)** policies manage the security configurations found in Microsoft Defender for Endpoint. From 758553b04ae4f772b332e6ae043569f17cb9aebe Mon Sep 17 00:00:00 2001 From: brenduns Date: Wed, 8 Jan 2025 09:35:49 -0800 Subject: [PATCH 211/237] Note for MDE --- memdocs/intune/fundamentals/whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/fundamentals/whats-new.md b/memdocs/intune/fundamentals/whats-new.md index a181a9e98f5..415637b30f0 100644 --- a/memdocs/intune/fundamentals/whats-new.md +++ b/memdocs/intune/fundamentals/whats-new.md @@ -97,7 +97,7 @@ For more information about customizing the Company Portal and Intune apps, see [ #### Support for tamper protection in policies for Security settings management for Microsoft Defender for Endpoint -> [NOTE!] +> [!NOTE] > > *Rollout of this feature is delayed and now expected to be available on or around January 18th, 2025.* From 32202c3b6cdc8c7cf0d52669bba0a051a27e6bd6 Mon Sep 17 00:00:00 2001 
From: Erik Reitan Date: Wed, 8 Jan 2025 10:29:02 -0800 Subject: [PATCH 212/237] erikre-docs-30786837 --- ...p-configuration-managed-home-screen-app.md | 56 +++++++++---------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md index 6c0de4b3382..38e0c6850d6 100644 --- a/memdocs/intune/apps/app-configuration-managed-home-screen-app.md +++ b/memdocs/intune/apps/app-configuration-managed-home-screen-app.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 12/12/2024 +ms.date: 01/08/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps 
@@ -41,7 +41,7 @@ The Managed Home Screen is the application used for corporate-owned Android Ente First, ensure that your devices are supported. Intune supports the enrollment of Android Enterprise dedicated devices and fully managed devices running OS version 8.0 and above. Similarly, Managed Home Screen supports Android devices running OS version 8.0 and above. -Typically, if settings are available to you through device configuration profiles (**Devices** > **Manage devices** > **Configuration**), configure the settings there. Doing so will save you time, minimize errors, and will give you a better Intune-support experience. However, some of the Managed Home Screen settings are currently only available via the **App configuration policies** pane in the Intune admin center. Use this document to learn how to configure the different settings either using the configuration designer or a JSON script. Additionally, use this document to learn what Managed Home Screen settings are available using device configuration profiles. You may also see [Device settings](../configuration/device-restrictions-android-for-work.md#device-experience) for a full list of settings available in **Devices** > **Manage devices** > **Configuration** that impact the Managed Home Screen. +Typically, if settings are available to you through device configuration profiles (**Devices** > **Manage devices** > **Configuration**), configure the settings there. Doing so saves you time, minimize errors, and gives you a better Intune-support experience. However, some of the Managed Home Screen settings are currently only available via the **App configuration policies** pane in the Intune admin center. Use this document to learn how to configure the different settings either using the configuration designer or a JSON script. Additionally, use this document to learn what Managed Home Screen settings are available using device configuration profiles. 
You may also see [Device settings](../configuration/device-restrictions-android-for-work.md#device-experience) for a full list of settings available in **Devices** > **Manage devices** > **Configuration** that impact the Managed Home Screen. If using App configuration, navigate to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Apps** > **App configuration policies**. Add a configuration policy for **Managed devices** running **Android** and choose **Managed Home Screen** as the associated app. Select **Configuration settings** to configure the different available Managed Home Screen settings. @@ -58,7 +58,7 @@ If you add properties with Configuration Designer, you can automatically convert ## Using Configuration Designer -Configuration designer allows you to select pre-populated settings and their associated values. +Configuration designer allows you to select prepopulated settings and their associated values. :::image type="content" alt-text="Screenshot of added configuration settings" source="./media/app-configuration-managed-home-screen-app/app-configuration-managed-home-screen-app_02.png"::: 
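Review bot: In the -41,7 hunk of this commit, the added sentence "Doing so saves you time, minimize errors, and gives you a better Intune-support experience" has a verb that no longer agrees after the tense change: "minimize" should be "minimizes". The -58,7 hunk directly above this comment ("pre-populated" to "prepopulated") needs no change.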
@@ -68,21 +68,21 @@ The following table lists the Managed Home Screen available configuration keys, | Configuration Key | Value Type | Default Value | Description | Available in device configuration profile | |-|-|-|-|-| -| Set allow-listed applications | bundleArray | See **Enter JSON Data** section of this document. | Allows you to define the set of apps visible on the home screen from amongst the apps installed on the device. You can define the apps by entering the app package name of the apps that you want visible. For example, `com.microsoft.emmx` would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen. | ✔️ | +| Set allow-listed applications | bundleArray | See **Enter JSON Data** section of this document. | Allows you to define the set of apps visible on the home screen from among the apps installed on the device. You can define the apps by entering the app package name of the apps that you want visible. For example, `com.microsoft.emmx` would make settings accessible on the home screen. The apps that you allow-list in this section should already be installed on the device to be visible on the home screen. | ✔️ | | Set pinned web links | bundleArray | See **Enter JSON Data** section of this document. | Allows you to pin websites as quick launch icons on the home screen. With this configuration, you can define the URL and add it to the home screen for the end user to launch in the browser with a single tap. Note: We recommend that you create, assign, and approve Managed Google Play web links to your devices. When you do, they're treated like allow-listed applications. | ✔️ | -| Create Managed Folder for grouping apps | bundleArray | See **Enter JSON Data** section of this document. | Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. 
Folders will appear in the order created, and apps within the folders will appear alphabetically. Note: all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen. | ✔️ | +| Create Managed Folder for grouping apps | bundleArray | See **Enter JSON Data** section of this document. | Allows you to create and name folders and group apps within these folders. End users can't move folders, rename the folders, or move the apps within the folders. Folders appear in the order created, and apps within the folders appear alphabetically. Note: all apps that you want to group into folders must be assigned as required to the device and must have been added to the Managed Home Screen. | ✔️ | | Set Grid Size | string | Auto | Allows you to set the grid size for apps to be positioned on the managed home screen. You can set the number of app rows and columns to define grid size in the following format: `columns;rows`. If you define the grid size, then the maximum number of apps that shown in a row on the home screen is the number of rows you set. The maximum number of apps shown in a column in the home screen is the number of columns you set. | ✔️ | | Lock Home Screen | bool | TRUE | Removes the ability of the end user to move around app icons on the home screen. If you enable this configuration key, the app icons on the home screen are locked. End users can't drag and drop to different grid positions on the home screen. If turned to false, end users can move around application and weblink icons on the Managed Home Screen. | ✔️ | | Application order enabled | bool | FALSE | Turning this setting to True enables the ability to set the order of applications, weblinks, and folders on the Managed Home Screen. Once enabled, set the ordering with app_order. | ✔️ | | Application order | bundleArray | See **Enter JSON Data** section of this document. 
| Allows you to specify the order of applications, weblinks, and folders on the Managed Home Screen. To use this setting, Lock Home Screen must be enabled, Set grid size must be defined, and Application order enabled must be set to True. | ✔️ | -| Applications in folder are ordered by name | bool | TRUE | False allows items in a folder to appear in the order they're specified. Otherwise, they'll appear in the folder alphabetically. | ❌ | +| Applications in folder are ordered by name | bool | TRUE | False allows items in a folder to appear in the order they're specified. Otherwise, they appear in the folder alphabetically. | ❌ | | Set app icon size | integer | 2 | Allows you to set the icon size for apps displayed on the home screen. You can choose the following values in this configuration for different sizes - 0 (Smallest), 1 (Small), 2 (Regular), 3 (Large) and 4 (Largest). | ✔️ | | Set app folder icon | integer | 0 | Allows you to define the appearance of app folders on the home screen. You can choose the appearance from following values: Dark Square(0); Dark Circle(1); Light Square(2); Light Circle(3). | ✔️ | | Set screen orientation | integer | 1 | Allows you to set the orientation of the home screen to portrait mode, landscape mode or allow auto rotate. You can set the orientation by entering values 1 (for portrait mode), 2 (for Landscape mode), 3 (for Autorotate). | ✔️ | | Set device wall paper | string | Default | Allows you to set a wallpaper of your choice. Enter the URL of the image that you want to set as a wallpaper. | ✔️ | | Define theme color | string | light | Specify if you want Managed Home Screen to run in "light" or "dark" mode. | ❌ | | Block pinning browser web pages to MHS | bool | FALSE | Set this restriction to `true` to block users from pinning web pages from any browser onto Managed Home Screen. 
| ❌ | -| Top Bar Primary Element | choice | | Use this key to select whether the primary element of the top bar will be the device Serial Number, Device Name, or Tenant Name. This setting can only be used if **Enable sign in** key is set to **false**. If the **Enable sign in** key is set to **true**, the user's name will be shown as the primary element. If you select serial number, **Show serial number for all supported OS versions on MHS** must be set to `{{SerialNumber}}`. If you select device name, **Show device name for all supported OS version on MHS** must be set to `{{DeviceName}}`. | ❌ | +| Top Bar Primary Element | choice | | Use this key to select whether the primary element of the top bar will be the device Serial Number, Device Name, or Tenant Name. This setting can only be used if **Enable sign in** key is set to **false**. If the **Enable sign in** key is set to **true**, the user's name is shown as the primary element. If you select serial number, **Show serial number for all supported OS versions on MHS** must be set to `{{SerialNumber}}`. If you select device name, **Show device name for all supported OS version on MHS** must be set to `{{DeviceName}}`. | ❌ | | Top Bar Secondary Element | choice | | Use this key to select whether the secondary element of the top bar will be the device Serial Number, Device Name, or Tenant Name. If you select serial number, **Show serial number for all supported OS versions on MHS** must be set to `{{SerialNumber}}`. If you select device name, **Show device name for all supported OS version on MHS** must be set to `{{DeviceName}}`. | ❌ | | Top Bar User Name Style | choice | | Use this setting to select the style of the user's name in the top bar based on the following list:

    • display name
    • last name, first name
    • first name, last name
    • first name, last initial

    This setting can only be used if the **Enable sign in** key is set to **true**. | ❌ | @@ -90,7 +90,7 @@ The following table lists the Managed Home Screen available configuration keys, | Configuration Key | Value Type | Default Value | Description | Available in device configuration | |-|-|-|-|-| -| Show Managed Setting | bool | TRUE | The **Managed Settings** menu is specific to the Managed Home Screen app. It is visible on the top bar of the app. Specific settings appear in this menu only if you've configured these settings for quick access. These settings can include the **Show Wi-Fi setting**, **Show Bluetooth setting**, **Show volume setting**, and **Show flashlight setting**. Set this key to FALSE to hide the **Managed Settings** menu from the top bar. If required permissions are missing or the device is configured with sign-in enabled, the settings menu will be visible to allow users access to required permissions and profile information. Note that even if **Show Managed settings** is set to FALSE, you can choose to configure other settings to appear, which will allow the **Managed Settings** menu to be visible.

    **NOTE**: Access to the settings menu has changed with the Managed Home Screen updated user experience. To learn more about the changes, see [Updates to the Managed Home Screen experience](https://techcommunity.microsoft.com/t5/intune-customer-success/updates-to-the-managed-home-screen-experience/ba-p/3974412). | ✔️ | +| Show Managed Setting | bool | TRUE | The **Managed Settings** menu is specific to the Managed Home Screen app. It's visible on the top bar of the app. Specific settings appear in this menu only if you've configured these settings for quick access. These settings can include the **Show Wi-Fi setting**, **Show Bluetooth setting**, **Show volume setting**, and **Show flashlight setting**. Set this key to FALSE to hide the **Managed Settings** menu from the top bar. If required permissions are missing or the device is configured with sign-in enabled, the settings menu is visible to allow users access to required permissions and profile information. Note that even if **Show Managed settings** is set to FALSE, you can choose to configure other settings to appear, which will allow the **Managed Settings** menu to be visible.

    **NOTE**: Access to the settings menu has changed with the Managed Home Screen updated user experience. To learn more about the changes, see [Updates to the Managed Home Screen experience](https://techcommunity.microsoft.com/t5/intune-customer-success/updates-to-the-managed-home-screen-experience/ba-p/3974412). | ✔️ | | Show Wi-Fi setting | bool | FALSE | Turning this setting to True allows the end user to connect to different Wi-Fi networks. | ✔️ | | Enable Wi-Fi allow-list | bool | FALSE | True fills out the Wi-Fi allow-list key to restrict what Wi-Fi networks are shown within Managed Home Screen. Set to False to show all possible available Wi-Fi networks the device has discovered. This setting is only relevant if show Wi-Fi setting has been set to True and the Wi-Fi allow-list has been filled out. | ✔️ | | Wi-Fi allow-list | bundleArray | See **Enter JSON Data** section of this document. | Allows you to list all the SSIDs of what Wi-Fi networks you want the device to show within Managed Home Screen. This list is only relevant if show Wi-Fi setting and Enable Wi-Fi allow-list have been set to True. If either setting has been set to False, then you don't need to modify this configuration. | ✔️ | 
@@ -112,12 +112,12 @@ The following table lists the Managed Home Screen available configuration keys, > [!IMPORTANT] > The Managed Home Screen app has been updated at the API level to better adhere with the Google Play Store's requirements. In doing so, there were some changes to how Wi-Fi configuration works from Managed Home Screen. The changes include the following: -> - Being unable to change (enable or disable) the Wi-Fi connection for the device. Users will be able to switch between networks, but will not be able to turn on/off Wi-Fi. +> - Being unable to change (enable or disable) the Wi-Fi connection for the device. Users will be able to switch between networks, but won't be able to turn on/off Wi-Fi. > - Being unable to automatically connect to a configured Wi-Fi network that requires a password for the first time. The configured network will automatically connect after you enter the password the first time. > -> On Android devices running OS 11, when an end-user tries to connect to a network via the Managed Home Screen app, they will get prompted with a consent pop-up. This pop-up comes from the Android platform, and is not specific to the Managed Home Screen app. Additionally, when an end-user tries to connect to a password protected network via the Managed Home Screen app, they will be asked to input the password. Even if the password is correct, the network will only change if the device is not connected to a network. Devices that are already connected to a stable network will not be able connect to a password protected network via the Managed Home Screen app. +> On Android devices running OS 11, when an end-user tries to connect to a network via the Managed Home Screen app, they'll get prompted with a consent pop-up. This pop-up comes from the Android platform, and isn't specific to the Managed Home Screen app. 
Additionally, when an end-user tries to connect to a password protected network via the Managed Home Screen app, they'll be asked to input the password. Even if the password is correct, the network will only change if the device isn't connected to a network. Devices that are already connected to a stable network won't be able connect to a password protected network via the Managed Home Screen app. > -> On Android devices running OS 10, when an end-user tries to connect to a network via the Managed Home Screen app, they will get prompted with a consent via notifications. Because of this prompt, users on OS 10 will need to have access to the status bar and notifications in order to complete the consent step. Use the [General settings for fully managed and dedicated devices](../configuration/device-restrictions-android-for-work.md#dedicated-devices) to make status bar and notifications available to your end-users, if appropriate. Additionally, when an end-user tries to connect to a password protected network via the Managed Home Screen app, they will be asked to input the password. Even if the password is correct, the network will only change if the device is not already connected to a stable network. +> On Android devices running OS 10, when an end-user tries to connect to a network via the Managed Home Screen app, they'll get prompted with a consent via notifications. Because of this prompt, users on OS 10 will need to have access to the status bar and notifications in order to complete the consent step. Use the [General settings for fully managed and dedicated devices](../configuration/device-restrictions-android-for-work.md#dedicated-devices) to make status bar and notifications available to your end-users, if appropriate. Additionally, when an end-user tries to connect to a password protected network via the Managed Home Screen app, they'll be asked to input the password. 
Even if the password is correct, the network will only change if the device isn't already connected to a stable network. > [!IMPORTANT] > End users cannot automatically connect to Enterprise Wi-Fi networks they select from the MHS settings menu, even if that network has been pre-configured using either Intune or another external source. While managed devices can still reliably utilize these networks, end users cannot initialize a connection from within MHS to the preconfigured networks. 
@@ -131,29 +131,29 @@ The following table lists the Managed Home Screen available configuration keys, > For more information on how to enable Android system apps, go to: [Manage Android Enterprise system apps](apps-ae-system.md#enable-a-system-app-in-intune) > [!NOTE] -> The virtual home button requires granting overlay permission to MHS. The notification badge functionality requires granting notification permission to MHS.The brightness slider, adaptive brightness toggle, and autorotate toggle require granting write settings permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant these permissions to prevent possible breakout scenarios from the Settings application. +> The virtual home button requires granting overlay permission to MHS. The notification badge functionality requires granting notification permission to MHS.The brightness slider, adaptive brightness toggle, and autorotate toggle require granting write settings permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it's recommended to use OEMconfig to auto-grant these permissions to prevent possible breakout scenarios from the Settings application. > -> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It is recommended to only configure access to notifications and features which require permissions when necessary. +> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. 
This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It's recommended to only configure access to notifications and features which require permissions when necessary. **Configurations for a custom screensaver**: | Configuration Key | Value Type | Default Value | Description | Available in device configuration profile | |-|-|-|-|-| | Enable screen saver | bool | FALSE | To enable screen saver mode or not. If set to true, you can configure screen_saver_image, screen_saver_show_time, inactive_time_to_show_screen_saver, and media_detect_screen_saver. | ✔️ | -| Screen saver image | string | | Set the URL of the screen saver image. If no URL is set, devices will show the default screen saver image when screen saver is activated. The default image shows the Managed Home Screen app icon. | ✔️ | -| Screen saver show time | integer | 0 | Gives option to set the amount of time in seconds the device will display the screen saver during screen saver mode. If set to 0, the screen saver will show on screen saver mode indefinitely until the device becomes active. | ✔️ | +| Screen saver image | string | | Set the URL of the screen saver image. If no URL is set, devices show the default screen saver image when screen saver is activated. The default image shows the Managed Home Screen app icon. | ✔️ | +| Screen saver show time | integer | 0 | Gives option to set the amount of time in seconds the device displays the screen saver during screen saver mode. If set to 0, the screen saver shows on screen saver mode indefinitely until the device becomes active. | ✔️ | | Inactive time to enable screen saver | integer | 30 | The number of seconds the device is inactive before triggering the screen saver. If set to 0, the device will never go into screen saver mode. 
| ✔️ | -| Media detect before showing screen saver | bool | TRUE | Choose whether the device screen should show screen saver if audio/video is playing on device. If set to true, the device won't play audio/video, regardless of the value in inactive_time_to_show_scree_saver. If set to false, device screen will show screen saver according to value set in inactive_time_to_show_screen_saver. | ✔️ | +| Media detect before showing screen saver | bool | TRUE | Choose whether the device screen should show screen saver if audio/video is playing on device. If set to true, the device won't play audio/video, regardless of the value in inactive_time_to_show_scree_saver. If set to false, device screen shows screen saver according to value set in inactive_time_to_show_screen_saver. | ✔️ | > [!NOTE] -> Managed Home Screen will start the screensaver whenever the lock screen appears. If the system's lock screen timeout is longer than **Screensaver show time** then the -> screen saver will show until the lock screen appears. If the system's lock screen timeout is shorter than **inactive time to enable screen saver** the screensaver will appear +> Managed Home Screen starts the screensaver whenever the lock screen appears. If the system's lock screen timeout is longer than **Screensaver show time** then the +> screen saver shows until the lock screen appears. If the system's lock screen timeout is shorter than **inactive time to enable screen saver** the screensaver appears > as soon as the device's lock screen appears. > [!NOTE] -> The screensaver requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application. 
+> The screensaver requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it's recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application. > -> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It is recommended to only configure access to notifications and features which require permissions when necessary. +> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It's recommended to only configure access to notifications and features which require permissions when necessary. **Configurations to help with troubleshooting issues on the device**: 
@@ -162,14 +162,14 @@ The following table lists the Managed Home Screen available configuration keys, | Exit lock task mode password | string | | Enter a 4-6-digit code to use to temporarily drop out of lock-task mode for troubleshooting. | ✔️ | | Enable easy access debug menu | bool | FALSE | Turn this setting to True to access the debug menu from the Managed Settings menu while in Managed Home Screen. The debug menu is currently where the capability to exit kiosk mode lives, and is accessed by clicking the back button about 15 times. Keep this setting set to False to keep the entry point to debug menu only accessible via the back button. | ✔️ | | Enable MAX inactive time outside of MHS | bool | FALSE | Turn this setting to True to automatically re-launch Managed Home Screen after a set period of inactivity. The timer will only count inactive time and, when configured, will reset each time the user interacts with the device while outside of Managed Home Screen. Use **MAX inactive time outside MHS** to set the inactivity timer. By default, this setting is off. This setting can only be used if **Exit lock task mode password** has been configured. | ❌ | -| MAX inactive time outside MHS | integer | 180 | Set the maximum amount of inactive time, in seconds, that a user can spend outside of Managed Home Screen before it is automatically re-launched. By default, this configuration is set to 180 seconds. **Enable MAX inactive time outside of MHS** must be set to true to use this setting. | ❌ | +| MAX inactive time outside MHS | integer | 180 | Set the maximum amount of inactive time, in seconds, that a user can spend outside of Managed Home Screen before it's automatically re-launched. By default, this configuration is set to 180 seconds. **Enable MAX inactive time outside of MHS** must be set to true to use this setting. 
| ❌ | | Enable MAX time outside MHS | bool | FALSE | Turn this setting to True to automatically re-launch Managed Home Screen after a set period of time has passed. The timer will factor in both inactive and active time spent outside of Managed Home Screen. Use **MAX time outside MHS** to set the inactivity timer. By default, this setting is off. This setting can only be used if **Exit lock task mode password** has been configured. | ❌ | -| MAX time outside MHS | integer | 600 | Set the maximum amount of absolute time, in seconds, that a user can spend outside of Managed Home Screen before it is automatically re-launched. By default, this configuration is set to 600 seconds. **Enable MAX time outside of MHS** must be set to true to use this setting. | ❌ | +| MAX time outside MHS | integer | 600 | Set the maximum amount of absolute time, in seconds, that a user can spend outside of Managed Home Screen before it's automatically re-launched. By default, this configuration is set to 600 seconds. **Enable MAX time outside of MHS** must be set to true to use this setting. | ❌ | >[!NOTE] -> The automatic relaunch functionality requires granting exact alarm permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant exact alarm permission to prevent possible breakout scenarios from the Settings application. +> The automatic relaunch functionality requires granting exact alarm permission to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it's recommended to use OEMconfig to auto-grant exact alarm permission to prevent possible breakout scenarios from the Settings application. > -> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. 
This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It is recommended to only configure access to notifications and features which require permissions when necessary. +> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It's recommended to only configure access to notifications and features which require permissions when necessary. **Configurations to customize Managed Home Screen experience when device is set up with Microsoft Entra shared device mode**: @@ -177,7 +177,7 @@ The following table lists the Managed Home Screen available configuration keys, |-|-|-|-|-| | Enable sign in | bool | FALSE | Turn this setting to True to enable end-users to sign into Managed Home Screen. When used with Microsoft Entra shared device mode, users who sign in to Managed Home Screen will get automatically signed in to all other apps on the device that have participated with Microsoft Entra shared device mode. By default this setting is off.

    NOTE: After rebooting the device, end users must reauthenticate by signing in to Managed Home Screen. | ✔️

    NOTE: On devices that have a device configuration profile with the [**Enabled System Navigation Features** setting](../configuration/device-restrictions-android-for-work.md#dedicated-devices) set to **Home and Overview buttons**, end users can ignore and skip the sign in screen. | | Sign in type | string | Microsoft Entra ID | Set this configuration to "AAD" to sign in with a Microsoft Entra account. Otherwise, set this configuration to "Other". Users who sign in with a non-AAD account won't get single sign-on to all apps that have integrated with Microsoft Entra shared device mode, but will still get signed in to Managed Home Screen. By default, this setting uses "AAD" user accounts. This setting can only be used if **Enable sign in** has been set to True. | ✔️ | -| Domain name | string | | Set a domain name to be appended to usernames for sign in. If this is not set, users will need to enter the domain name. To allow users to select between multiple domain name options, add semicolon delimited strings. Enable sign in must be set to TRUE to use this configuration.

    **NOTE**: This setting does not prevent users from inputting alternative domain names. | ❌ | +| Domain name | string | | Set a domain name to be appended to usernames for sign in. If this isn't set, users will need to enter the domain name. To allow users to select between multiple domain name options, add semicolon delimited strings. Enable sign in must be set to TRUE to use this configuration.

    **NOTE**: This setting does not prevent users from inputting alternative domain names. | ❌ | | Login hint text | string | | Set a custom login hint string by entering a string. If no string is set, the default string "Enter email or phone number" will be displayed. Enable sign in must be set to TRUE to use this configuration. | ❌ | | Set to the url of wallpaper | string | | Allows you to set a wallpaper of your choice for the sign in screen. To use this setting, enter the URL of the image that you want set for the sign-in screen wallpaper. This image can be different than the Managed Home Screen wallpaper that is configured with **Set device wallpaper**. This setting can only be used if **Enable sign in** has been set to True. | ✔️ | | Enable show organization logo on sign in page | bool | TRUE | Turn this setting to True to use a company logo that will appear on the sign-in screen. This setting is used with **Organization logo on sign in page** and can only be used if **Enable sign in** has been set to TRUE. | ✔️ | 
@@ -201,12 +201,12 @@ The following table lists the Managed Home Screen available configuration keys, > - Launch a screen saver after a set period of inactivity > - Automatically relaunch MHS after a certain period of time when a user exits kiosk mode > -> For devices running Android 14 and higher, by default, the exact alarm permission will be denied. To make sure critical user functionality is not impacted, end-users will be prompted to grant exact alarm permission upon first launch of Managed Home Screen. +> For devices running Android 14 and higher, by default, the exact alarm permission will be denied. To make sure critical user functionality isn't impacted, end-users will be prompted to grant exact alarm permission upon first launch of Managed Home Screen. > [!NOTE] -> The automatic sign out feature requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it is recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application. +> The automatic sign out feature requires granting overlay permission and exact alarm permission (OS 14+) to MHS. Users will be prompted for permission upon startup of MHS, which requires the use of the Settings application. When possible, it's recommended to use OEMconfig to auto-grant overlay and exact alarm permission to prevent possible breakout scenarios from the Settings application. > -> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It is recommended to only configure access to notifications and features which require permissions when necessary. 
+> Based on the OS version of the device, a notification may be presented to the user alerting them that the permission has been granted, even if the permissions were auto-granted. This notification will bring the user to the permission-granting screen which may allow the user access to the settings app. It's recommended to only configure access to notifications and features which require permissions when necessary. ## Enter JSON Data From 5e14a47fdd7dbf8b87e1377c8cf45a9cb80d6934 Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Wed, 8 Jan 2025 15:23:34 -0500 Subject: [PATCH 213/237] text changes --- memdocs/intune/configuration/platform-sso-macos.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/configuration/platform-sso-macos.md b/memdocs/intune/configuration/platform-sso-macos.md index 83d0e056c6a..f33ec228292 100644 --- a/memdocs/intune/configuration/platform-sso-macos.md +++ b/memdocs/intune/configuration/platform-sso-macos.md @@ -7,7 +7,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 09/03/2024 +ms.date: 01/08/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: configuration 
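Review bot: several added lines in the Managed Home Screen configuration-key patch that ends at `## Enter JSON Data` carry over defects from the lines they replace, and since those lines are being rewritten anyway they should be fixed in the same pass. The virtual home button note still reads `permission to MHS.The brightness slider` with no space after the period. The **Media detect before showing screen saver** row still names `inactive_time_to_show_scree_saver`, while the same row later uses `inactive_time_to_show_screen_saver`. The Android OS 11 Wi-Fi note still says `won't be able connect` (missing "to"). The contraction pass is also incomplete: the **Domain name** row keeps `This setting does not prevent users`, and the unchanged `[!IMPORTANT]` block keeps `End users cannot automatically connect`. Finally, the OEMconfig and Settings-breakout caveat is repeated almost word for word in four notes (virtual home button, screensaver, automatic relaunch, automatic sign out); moving it into one shared note would keep the kiosk-breakout guidance from drifting between copies.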
@@ -250,7 +250,10 @@ To configure the Platform SSO policy, use the following steps to create an [Intu 11. In **Assignments**, select the user or device groups that receive your profile. For devices with user affinity, assign to users or user groups. For devices with multiple users that are enrolled without user affinity, assign to devices or device groups. > [!IMPORTANT] - > For devices with user affinity, assignments using device groups or filters are not supported for Platform SSO settings. When using device group assignment or user group assignment with filters on devices with user affinity, the user may be unable to access resources protected by Conditional Access as a result of Platform SSO settings being applied incorrectly or Entra device registration being bypassed by the Company Portal app when Platform SSO is not enabled. + > For Platform SSO settings on devices with user affinity, it's not supported to assign to device groups or filters. When using device group assignment or user group assignment with filters on devices with user affinity, the user might be unable to access resources protected by Conditional Access. This issue can happen: + > + > - If the Platform SSO settings are applied incorrectly. Or, + > - If the Company Portal app bypasses Microsoft Entra device registration when Platform SSO isn't enabled. For more information on assigning profiles, go to [Assign user and device profiles](device-profile-assign.md). From 757f7b404a951ee1c9f391c53913525562932665 Mon Sep 17 00:00:00 2001 
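Review bot: the rewritten `[!IMPORTANT]` block in the `platform-sso-macos.md` change is ambiguous about scope. Its first added sentence says assigning to "device groups or filters" isn't supported, while the next sentence names "device group assignment or user group assignment with filters", so a reader can't tell whether a filter on a user group assignment is unsupported as well. State the unsupported combinations once and use the same terms in both sentences. The first bullet also ends in a dangling fragment (`applied incorrectly. Or,`); drop the "Or," and let the two bullets stand as parallel conditions. "it's not supported to assign" would read better as "assigning to device groups or filters isn't supported".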
From: Brent Dunsire Date: Wed, 8 Jan 2025 12:38:29 -0800 Subject: [PATCH 214/237] Update supported browsers for Defender VPN and accessibility service Removing list of browsers from note, and adding them as core doc detail. Keeping 'note' from the defunct note as note. Due to the series of browsers, listing as bullets. Changing spatial reference of 'below', to be 'the following' --- ...vanced-threat-protection-manage-android.md | 24 +++++++++++++++---- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/memdocs/intune/protect/advanced-threat-protection-manage-android.md b/memdocs/intune/protect/advanced-threat-protection-manage-android.md index dd69a96c329..033f377a360 100644 --- a/memdocs/intune/protect/advanced-threat-protection-manage-android.md +++ b/memdocs/intune/protect/advanced-threat-protection-manage-android.md 
@@ -44,12 +44,26 @@ With Intune device configuration policy, you can turn off all or part of the web - **Android Enterprise Fully Managed profile**. Use an app configuration profile and the [configuration designer](../apps/app-configuration-policies-use-android.md#use-the-configuration-designer) to disable the entire web protection feature or to disable only the use of VPNs. +**The following browsers are supported with Defender loopback VPN:** +- Chrome- +- Microsoft Edge +- Opera +- Samsung Internet +- Firefox +- Brave +- Tor +- Browser Leopard +- DuckDuckGo +- Dolphin + +**The following browsers are supported with accessibility service without Defender loopback VPN:** +- Chrome +- Edge +- Opera +- Samsung Internet + > [!IMPORTANT] -> **Below browsers are supported with Defender loopback VPN** -> Chrome, Edge, Opera, Samsung Internet, Firefox, Brave, Tor, Browser Leopard, DuckDuckGo, Dolphin -> **Following browsers are supported with accessibility service without Defender loopback VPN** -> Chrome, Edge, Opera, Samsung Internet -> **Note:** Work profile scenarios (BYOD -Android Enterprise personally owned devices using a work profile and COPE - Android Enterprise corporate owned work profile) do not support the accessibility service. +> Work profile scenarios (Android Enterprise personally owned devices using a work profile and Android Enterprise corporate owned work profile) do not support the accessibility service. To configure web protection on devices, use the following procedures to create and deploy the applicable configuration. From 9d05f08ce755ec7fa3f149fbaf6430d64420caa8 Mon Sep 17 00:00:00 2001 From: iye-ms Date: Wed, 8 Jan 2025 16:40:27 -0500 Subject: [PATCH 215/237] Update intune-endpoints.md with macOS azureedge.net domains + depreciation date of 3/31/2025 --- memdocs/intune/fundamentals/intune-endpoints.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
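Review bot: the first added list item in the `advanced-threat-protection-manage-android.md` hunk is `- Chrome-`, with a stray trailing hyphen that will show up in the published list; it should be `- Chrome`. The two lists also name the same browser differently (`Microsoft Edge` under loopback VPN, `Edge` under accessibility service), and each bold lead-in line is followed directly by `- ` items with no blank line in between, which some Markdown renderers fold into the preceding paragraph instead of starting a list. The rewritten `[!IMPORTANT]` text drops the BYOD and COPE abbreviations that the removed line carried; keep them if readers are likely to search on those terms.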
diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index 5d952afa076..1b6e4271001 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md +++ b/memdocs/intune/fundamentals/intune-endpoints.md @@ -314,9 +314,9 @@ To find your tenant location or Azure Scale Unit (ASU), sign in to the [Microsof |Azure Scale Unit (ASU) | CDN | Port | | --- |------------- | --- | -|AMSUA0601
    AMSUA0602
    AMSUA0101
    AMSUA0102
    AMSUA0201
    AMSUA0202
    AMSUA0401
    AMSUA0402
    AMSUA0501
    AMSUA0502
    AMSUA0601
    AMSUA0701
    AMSUA0702
    AMSUA0801
    AMSUA0901 | macsidecar.manage.microsoft.com | **TCP:** 443 | -| AMSUB0101
    AMSUB0102
    AMSUB0201
    AMSUB0202
    AMSUB0301
    AMSUB0302
    AMSUB0501
    AMSUB0502
    AMSUB0601
    AMSUB0701 | macsidecareu.manage.microsoft.com | **TCP:** 443 | -| AMSUC0101
    AMSUC0201
    AMSUC0301
    AMSUC0501
    AMSUC0601
    AMSUD0101| macsidecarap.manage.microsoft.com |**TCP:** 443 | +|AMSUA0601
    AMSUA0602
    AMSUA0101
    AMSUA0102
    AMSUA0201
    AMSUA0202
    AMSUA0401
    AMSUA0402
    AMSUA0501
    AMSUA0502
    AMSUA0601
    AMSUA0701
    AMSUA0702
    AMSUA0801
    AMSUA0901 | macsidecar.manage.microsoft.com
    macsidecarprod.azureedge.net (azureedge.net domains will be depreciated after 3/31/2025) | **TCP:** 443 | +| AMSUB0101
    AMSUB0102
    AMSUB0201
    AMSUB0202
    AMSUB0301
    AMSUB0302
    AMSUB0501
    AMSUB0502
    AMSUB0601
    AMSUB0701 | macsidecareu.manage.microsoft.com
    macsidecarprodeu.azureedge.net (azureedge.net domains will be depreciated after 3/31/2025) | **TCP:** 443 | +| AMSUC0101
    AMSUC0201
    AMSUC0301
    AMSUC0501
    AMSUC0601
    AMSUD0101| macsidecarap.manage.microsoft.com
    macsidecarprodap.azureedge.net (azureedge.net domains will be depreciated after 3/31/2025) |**TCP:** 443 | ## Microsoft Store From d8ba593fadd16d2f85166345d1d5bc6542bf7a37 Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Wed, 8 Jan 2025 17:45:03 -0500 Subject: [PATCH 216/237] ms.reviewer --- .../device-restrictions-android-enterprise-personal.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/configuration/device-restrictions-android-enterprise-personal.md b/memdocs/intune/configuration/device-restrictions-android-enterprise-personal.md index 2159afa9e83..e4351628178 100644 --- a/memdocs/intune/configuration/device-restrictions-android-enterprise-personal.md +++ b/memdocs/intune/configuration/device-restrictions-android-enterprise-personal.md @@ -18,7 +18,7 @@ ms.localizationpriority: medium #audience: params: siblings_only: true -ms.reviewer: andreibiswas, anuragjain +ms.reviewer: arnab, anuragjain ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: From ec5cecbc2cc125ea6980cb60c486815b2cb2eb85 Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Wed, 8 Jan 2025 17:45:57 -0500 Subject: [PATCH 217/237] ms.reviewer PM alias --- .../configuration/device-restrictions-android-for-work.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/configuration/device-restrictions-android-for-work.md b/memdocs/intune/configuration/device-restrictions-android-for-work.md index 17ce9a929b3..f7fd491beb2 100644 --- a/memdocs/intune/configuration/device-restrictions-android-for-work.md +++ b/memdocs/intune/configuration/device-restrictions-android-for-work.md @@ -18,7 +18,7 @@ ms.localizationpriority: medium #audience: params: siblings_only: true -ms.reviewer: andreibiswas, anuragjain +ms.reviewer: arnab, anuragjain ms.suite: ems search.appverid: MET150 #ms.tgt_pltfrm: From 0288734abf00c226c87a30200d50ed1cd9b8acb2 Mon Sep 17 00:00:00 2001 
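Review bot: all three added CDN entries in the `intune-endpoints.md` hunk say the azureedge.net domains "will be depreciated after 3/31/2025"; the intended word is "deprecated", and the commit subject has the same slip. On a page that lists the addresses and ports to allow, the parenthetical should also say what changes on that date, that is, whether the `macsidecarprod*.azureedge.net` entries can then be removed from allow lists, and it would read better as one note under the table than repeated in each row. The first row lists `AMSUA0601` twice on both the removed and the added side, which is worth cleaning up while the row is being touched.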
From: mnahum <65397448+mnahum@users.noreply.github.com> Date: Thu, 9 Jan 2025 14:40:57 +0100 Subject: [PATCH 218/237] Update app-protection-policy-settings-android.md Add the 2 new providers added in October --- memdocs/intune/apps/app-protection-policy-settings-android.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/memdocs/intune/apps/app-protection-policy-settings-android.md b/memdocs/intune/apps/app-protection-policy-settings-android.md index 64d73ce8164..3c711dae19e 100644 --- a/memdocs/intune/apps/app-protection-policy-settings-android.md +++ b/memdocs/intune/apps/app-protection-policy-settings-android.md @@ -114,6 +114,9 @@ There are some exempt apps and platform services that Intune app protection poli |com.google.android.apps.maps |Google Maps |Addresses are allowed for navigation. | |com.android.documentsui|Android Document Picker|Allowed when opening or creating a file.| |com.google.android.documentsui |Android Document Picker (Android 10+)|Allowed when opening or creating a file.| + |com.samsung.android.providers.contacts | Samsung contacts provider | Allowed for Samsung devices. | + |com.android.providers.blockednumber | Android Block number provider | Allowed for Android devices. | + For more information, see [Data transfer policy exceptions for apps](app-protection-policies-exception.md). From 2201830ed9f1a4fae65b0f5de517b1866a2e889c Mon Sep 17 00:00:00 2001 From: mnahum <65397448+mnahum@users.noreply.github.com> Date: Thu, 9 Jan 2025 15:43:34 +0100 Subject: [PATCH 219/237] Update app-protection-policy-settings-android.md fix location of providers --- .../intune/apps/app-protection-policy-settings-android.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/apps/app-protection-policy-settings-android.md b/memdocs/intune/apps/app-protection-policy-settings-android.md index 3c711dae19e..7d4750ea54b 100644 --- a/memdocs/intune/apps/app-protection-policy-settings-android.md 
+++ b/memdocs/intune/apps/app-protection-policy-settings-android.md @@ -101,6 +101,8 @@ There are some exempt apps and platform services that Intune app protection poli |com.azure.authenticator |Azure Authenticator app, which is required for successful authentication in many scenarios. | |com.microsoft.windowsintune.companyportal |Intune Company Portal| |com.android.providers.contacts |Native contacts app | + |com.samsung.android.providers.contacts | Samsung contacts provider | Allowed for Samsung devices. | + |com.android.providers.blockednumber | Android Block number provider | Allowed for Android devices. | ### Conditional exemptions These apps and services are only allowed for data transfer to and from Intune-managed apps under certain conditions. @@ -114,8 +116,7 @@ There are some exempt apps and platform services that Intune app protection poli |com.google.android.apps.maps |Google Maps |Addresses are allowed for navigation. | |com.android.documentsui|Android Document Picker|Allowed when opening or creating a file.| |com.google.android.documentsui |Android Document Picker (Android 10+)|Allowed when opening or creating a file.| - |com.samsung.android.providers.contacts | Samsung contacts provider | Allowed for Samsung devices. | - |com.android.providers.blockednumber | Android Block number provider | Allowed for Android devices. | + For more information, see [Data transfer policy exceptions for apps](app-protection-policies-exception.md). From afcd913d18b834232c7295c1828c86e9a6d8733e Mon Sep 17 00:00:00 2001 From: Jon Callahan Date: Thu, 9 Jan 2025 10:22:18 -0500 Subject: [PATCH 220/237] Update apps-deploy.md Added Device Available + Device Uninstall clarification conflicts table --- memdocs/intune/apps/apps-deploy.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/memdocs/intune/apps/apps-deploy.md b/memdocs/intune/apps/apps-deploy.md index c28f632a85d..7f538ea5788 100644 --- a/memdocs/intune/apps/apps-deploy.md +++ b/memdocs/intune/apps/apps-deploy.md 
@@ -135,6 +135,8 @@ The information in the following table can help you understand the resulting int |User Uninstall|Device Required|Both exist, Intune resolves Required| |User Uninstall|Device Uninstall|Both exist, Intune resolves Uninstall| |Device Required|Device Uninstall|Required| +|Device Required|Device Available|Required and Available| +|Device Available|Device Uninstall|Uninstall| |User Required and Available|User Available|Required and Available| |User Required and Available|User Uninstall|Required and Available| |User Required and Available|Device Required|Both exist, Required and Available From 84665caf478f5d05ecb5e4be6485edf39292b170 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Thu, 9 Jan 2025 11:52:46 -0500 Subject: [PATCH 221/237] Update certificates-imported-pfx-configure.md Added new info for 29248329 --- memdocs/intune/protect/certificates-imported-pfx-configure.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/protect/certificates-imported-pfx-configure.md b/memdocs/intune/protect/certificates-imported-pfx-configure.md index f1c6b12b307..12a66ea0078 100644 --- a/memdocs/intune/protect/certificates-imported-pfx-configure.md +++ b/memdocs/intune/protect/certificates-imported-pfx-configure.md @@ -225,7 +225,7 @@ For more information about other available commands, see the readme file at [PFX ## Create a PKCS imported certificate profile -After importing the certificates to Intune, create a **PKCS imported certificate** profile, and assign it to Microsoft Entra groups. +After importing the certificates to Intune, create a **PKCS imported certificate** profile, and assign it to Microsoft Entra groups. > [!NOTE] > After you create a PKCS imported certificate profile, the **Intended Purpose** and **Key storage provider** (KSP) values in the profile are read-only and can't be edited. If you need a different value for either of these settings, create and deploy a new profile. 
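Review bot: The two rows added to the conflict table in apps-deploy.md (@@ -135,6 +135,8 @@, patch 220/237), `|Device Required|Device Available|Required and Available|` and `|Device Available|Device Uninstall|Uninstall|`, introduce a Device Available intent without saying when it can occur. The notes elsewhere in the same article state that Available assignments are valid only for user groups on almost all app types and platforms, with Win32 apps and Android Enterprise COBO/COPE devices called out as the cases where device groups are supported. Suggest a short qualifier or footnote on the two new rows naming those cases, so the rows are not read as applying to every app type.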
@@ -248,7 +248,7 @@ After importing the certificates to Intune, create a **PKCS imported certificate 7. In **Configuration settings**, enter the following properties: - - **Intended purpose**: Specify the intended purpose of the certificates that are imported for this profile. Administrators can import certificates with different intended purposes (like S/MIME signing or S/MIME encryption). The intended purpose selected in the certificate profile matches the certificate profile with the right imported certificates. Intended purpose is a tag to group imported certificates together and doesn't guarantee that certificates imported with that tag will meet the intended purpose. + - **Intended purpose**: Specify the intended purpose of the certificates that are imported for this profile. Administrators can import certificates with different intended purposes (like S/MIME signing or S/MIME encryption). The intended purpose selected in the certificate profile matches the certificate profile with the right imported certificates. Intended purpose is a tag to group imported certificates together and doesn't guarantee that certificates imported with that tag will meet the intended purpose. When multiple certificates are imported for a single user, Intune selects the imported certificate that has the most recent certificate start date and time in case there is more than one certificate with the same intended purpose. - **Key storage provider (KSP)**: For Windows, select where to store the keys on the device. From a1250f5298b9c950101139b03e8c67492c0f1087 Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Thu, 9 Jan 2025 09:23:02 -0800 Subject: [PATCH 222/237] Update 'depreciated' to 'disabled' in endpoints --- memdocs/intune/fundamentals/intune-endpoints.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
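Review bot: The sentence appended to the **Intended purpose** bullet in certificates-imported-pfx-configure.md (@@ -248,7 +248,7 @@, patch 221/237) states its condition twice ("When multiple certificates are imported for a single user" and "in case there is more than one certificate with the same intended purpose") and leaves the selection rule underspecified. Choosing by "most recent certificate start date and time" does not say whether a certificate that has expired, or whose start date is still in the future, remains eligible, which matters when a replacement S/MIME certificate is imported ahead of rollover. Suggest "When more than one certificate with the same intended purpose is imported for a user, Intune selects the one with the most recent start date and time", followed by one sentence on how validity is treated.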
diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index 1b6e4271001..fc1567ce326 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md +++ b/memdocs/intune/fundamentals/intune-endpoints.md @@ -314,9 +314,9 @@ To find your tenant location or Azure Scale Unit (ASU), sign in to the [Microsof |Azure Scale Unit (ASU) | CDN | Port | | --- |------------- | --- | -|AMSUA0601
    AMSUA0602
    AMSUA0101
    AMSUA0102
    AMSUA0201
    AMSUA0202
    AMSUA0401
    AMSUA0402
    AMSUA0501
    AMSUA0502
    AMSUA0601
    AMSUA0701
    AMSUA0702
    AMSUA0801
    AMSUA0901 | macsidecar.manage.microsoft.com
    macsidecarprod.azureedge.net (azureedge.net domains will be depreciated after 3/31/2025) | **TCP:** 443 | -| AMSUB0101
    AMSUB0102
    AMSUB0201
    AMSUB0202
    AMSUB0301
    AMSUB0302
    AMSUB0501
    AMSUB0502
    AMSUB0601
    AMSUB0701 | macsidecareu.manage.microsoft.com
    macsidecarprodeu.azureedge.net (azureedge.net domains will be depreciated after 3/31/2025) | **TCP:** 443 | -| AMSUC0101
    AMSUC0201
    AMSUC0301
    AMSUC0501
    AMSUC0601
    AMSUD0101| macsidecarap.manage.microsoft.com
    macsidecarprodap.azureedge.net (azureedge.net domains will be depreciated after 3/31/2025) |**TCP:** 443 | +|AMSUA0601
    AMSUA0602
    AMSUA0101
    AMSUA0102
    AMSUA0201
    AMSUA0202
    AMSUA0401
    AMSUA0402
    AMSUA0501
    AMSUA0502
    AMSUA0601
    AMSUA0701
    AMSUA0702
    AMSUA0801
    AMSUA0901 | macsidecar.manage.microsoft.com
    macsidecarprod.azureedge.net (azureedge.net domains will be disabled after 3/31/2025) | **TCP:** 443 | +| AMSUB0101
    AMSUB0102
    AMSUB0201
    AMSUB0202
    AMSUB0301
    AMSUB0302
    AMSUB0501
    AMSUB0502
    AMSUB0601
    AMSUB0701 | macsidecareu.manage.microsoft.com
    macsidecarprodeu.azureedge.net (azureedge.net domains will be disabled after 3/31/2025) | **TCP:** 443 | +| AMSUC0101
    AMSUC0201
    AMSUC0301
    AMSUC0501
    AMSUC0601
    AMSUD0101| macsidecarap.manage.microsoft.com
    macsidecarprodap.azureedge.net (azureedge.net domains will be disabled after 3/31/2025) |**TCP:** 443 | ## Microsoft Store From ca88102aa4ad5067cf12bd40028b055036b5ac2b Mon Sep 17 00:00:00 2001 From: Smriti Bhardwaj <95657523+Smritib17@users.noreply.github.com> Date: Thu, 9 Jan 2025 09:50:47 -0800 Subject: [PATCH 223/237] updated description --- memdocs/intune/fundamentals/intune-endpoints.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/fundamentals/intune-endpoints.md b/memdocs/intune/fundamentals/intune-endpoints.md index fa04d90aa10..cc474b3eb91 100644 --- a/memdocs/intune/fundamentals/intune-endpoints.md +++ b/memdocs/intune/fundamentals/intune-endpoints.md @@ -8,7 +8,7 @@ keywords: author: Smritib17 ms.author: smbhardwaj manager: dougeby -ms.date: 12/20/2024 +ms.date: 01/09/2025 ms.topic: reference ms.service: microsoft-intune ms.subservice: fundamentals 
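Review bot: The first rewritten row of the ASU table in intune-endpoints.md (@@ -314,9 +314,9 @@, patch 222/237) lists `AMSUA0601` twice, once at the top of the cell and again after `AMSUA0502`, and the duplicate is carried unchanged from the removed line into the added one. Since the row is being rewritten anyway, drop the repeated entry or replace it with the scale unit that was intended. The wording change leaves each `azureedge.net` host marked "disabled after 3/31/2025" with no guidance for allowlists; consider stating whether the `manage.microsoft.com` host in the same cell is sufficient once the CDN domain is turned off.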
@@ -293,7 +293,7 @@ The following tables list the ports and services that the Intune client accesses ## Network requirements for PowerShell scripts and Win32 apps -If you're using Intune to deploy PowerShell scripts or Win32 apps, you also need to grant access to endpoints in which your tenant currently resides. +If you are using Intune for scenarios that use the Intune management extension, like deploying [Win32 apps](../apps/apps-win32-app-management.md), [Powershell scripts](../apps/intune-management-extension.md), [Remediations](../fundamentals/remediations.md), [Endpoint analytics](../../analytics/overview.md), [Custom compliance policies](../protect/compliance-use-custom-settings.md) or [BIOS configuration profiles](../configuration/bios-configuration.md), you also need to grant access to endpoints in which your tenant currently resides. To find your tenant location or Azure Scale Unit (ASU), sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Tenant administration** > **Tenant details**. The location is under **Tenant location** as something like North America 0501 or Europe 0202. Look for the matching number in the following table. That row tells you which storage name and CDN endpoints to grant access to. The rows are differentiated by geographic region, as indicated by the first two letters in the names (na = North America, eu = Europe, ap = Asia Pacific). Your tenant location is one of these three regions although your organization's actual geographic location might be elsewhere. From 62f454c4c8f36047abe85fa68a8e666b8c155e63 Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Thu, 9 Jan 2025 13:20:21 -0500 Subject: [PATCH 224/237] Listed all version --- .../intune/fundamentals/deployment-guide-enrollment-linux.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
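Review bot: The rewritten paragraph in intune-endpoints.md (@@ -293,7 +293,7 @@, patch 223/237) widens the scope to Remediations, Endpoint analytics, custom compliance policies and BIOS configuration profiles, but the heading in the context line above it still reads "Network requirements for PowerShell scripts and Win32 apps". Someone building a firewall allowlist from the headings will not find the requirement for the other scenarios; suggest renaming the heading to refer to the Intune management extension, keeping the existing anchor if other pages link to it. Two wording nits in the added line: the link text reads `Powershell scripts` where the removed line had `PowerShell`, and "If you are" replaces the contraction "If you're" used before.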
diff --git a/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md b/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md index 8786258dca5..4591e9fa18c 100644 --- a/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md +++ b/memdocs/intune/fundamentals/deployment-guide-enrollment-linux.md @@ -7,7 +7,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 04/23/2024 +ms.date: 01/09/2025 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: enrollment @@ -48,7 +48,7 @@ Use for personal/BYOD and organization-owned devices running Linux. --- | Feature | Use this enrollment option when | | --- | --- | -| You use Ubuntu Desktop (20.04 LTS or later on x86/64). | ✅ | +| You use Ubuntu Desktop (24.04, 22.04, or 20.04 LTS on x86/64). | ✅ | | You use Ubuntu Server. | ❌ | | You use RedHat Enterprise Linux 8 or 9. |✅ | | Devices are owned by the organization or school. | ✅ | From 4b9c6239b2b7a483650199a5a230a1ee7d42cd4c Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Thu, 9 Jan 2025 13:32:43 -0500 Subject: [PATCH 225/237] text edits --- memdocs/intune/configuration/custom-settings-linux.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/configuration/custom-settings-linux.md b/memdocs/intune/configuration/custom-settings-linux.md index 187f986c685..c0538ff30e0 100644 --- a/memdocs/intune/configuration/custom-settings-linux.md +++ b/memdocs/intune/configuration/custom-settings-linux.md @@ -8,7 +8,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 05/15/2024 +ms.date: 01/09/2025 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: configuration 
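Review bot: In the added table row of deployment-guide-enrollment-linux.md (@@ -48,7 +48,7 @@, patch 224/237), "Ubuntu Desktop (24.04, 22.04, or 20.04 LTS on x86/64)" can be read as LTS applying only to 20.04, and it drops the "or later" of the removed line without saying whether releases outside the three listed are unsupported. Suggest "Ubuntu Desktop 24.04 LTS, 22.04 LTS, or 20.04 LTS (x86/64)" and, if the list is meant to be exhaustive, say so.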
@@ -61,7 +61,7 @@ This article lists the steps to add an existing script and has a GitHub repo wit - **Execution context**: Select the context the script is executed in. Your options: - **User** (default): When a user signs in to the device, the script runs. If a user never signs into the device, or there isn't any user affinity, then the script doesn't run. - - **Root**: The script always runs (with or without users logged in) at the device level. (**Note**: The user will have to give consent for the first time the script is executing, afterward it will continue to execute in its schedule) + - **Root**: The script always runs (with or without users logged in) at the device level. The first time the script executes, the end user might have to consent. After they consent, it should continue to execute on its schedule. - **Execution frequency**: Select how frequently the script is executed. The default is **Every 15 minutes**. From 1c864dcb374f20c83e54e0e15c9f1b3b825614b1 Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Thu, 9 Jan 2025 12:37:22 -0800 Subject: [PATCH 226/237] Update date and punctuation in policy settings --- .../intune/apps/app-protection-policy-settings-android.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/apps/app-protection-policy-settings-android.md b/memdocs/intune/apps/app-protection-policy-settings-android.md index 7d4750ea54b..4f1626b965c 100644 --- a/memdocs/intune/apps/app-protection-policy-settings-android.md +++ b/memdocs/intune/apps/app-protection-policy-settings-android.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 09/23/2024 +ms.date: 01/09/2025 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: apps 
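Review bot: The reworded **Root** bullet in custom-settings-linux.md (@@ -61,7 +61,7 @@, patch 225/237) now contradicts itself: it opens with "The script always runs (with or without users logged in)" and then says the end user might have to consent before the first execution, which implies a user must be signed in at least once. For a script that runs as root this is the part an administrator needs stated precisely, and "might have to" and "should continue" leave open when consent is required and what happens if it is never given. Suggest stating the condition that triggers the consent prompt and that the script does not run until consent is granted, which is what the commit message of patch 001 describes for this line.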
@@ -101,8 +101,8 @@ There are some exempt apps and platform services that Intune app protection poli |com.azure.authenticator |Azure Authenticator app, which is required for successful authentication in many scenarios. | |com.microsoft.windowsintune.companyportal |Intune Company Portal| |com.android.providers.contacts |Native contacts app | - |com.samsung.android.providers.contacts | Samsung contacts provider | Allowed for Samsung devices. | - |com.android.providers.blockednumber | Android Block number provider | Allowed for Android devices. | + |com.samsung.android.providers.contacts | Samsung contacts provider. Allowed for Samsung devices. | + |com.android.providers.blockednumber | Android Block number provider. Allowed for Android devices. | ### Conditional exemptions These apps and services are only allowed for data transfer to and from Intune-managed apps under certain conditions. From 3a9c66e4e65531c50f712071d35b313af32e1007 Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Thu, 9 Jan 2025 12:54:33 -0800 Subject: [PATCH 227/237] erikre-docs-30803316 --- memdocs/intune/apps/apps-deploy.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/memdocs/intune/apps/apps-deploy.md b/memdocs/intune/apps/apps-deploy.md index 7f538ea5788..38ef14ef911 100644 --- a/memdocs/intune/apps/apps-deploy.md +++ b/memdocs/intune/apps/apps-deploy.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 06/27/2024 +ms.date: 01/09/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps 
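Review bot: The two rewritten rows in app-protection-policy-settings-android.md (@@ -101,8 +101,8 @@, patch 226/237) now fit the two-column table that precedes **Conditional exemptions**, but their descriptions do not say why the provider is exempt, unlike the `com.azure.authenticator` row above them. Every entry in this table is an exemption from data transfer policy, so suggest one clause per row on what the exemption enables. "Allowed for Android devices." adds nothing on an Android-only page and can be dropped, and "Android Block number provider" would read better as "Android blocked number provider" to match the package name `com.android.providers.blockednumber`.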
@@ -39,7 +39,7 @@ ms.collection: After you've [added an app](apps-add.md) to Microsoft Intune, you can assign the app to users and devices. It's important to note that you can deploy an app to a device whether or not the device is managed by Intune. > [!NOTE] -> The **Available for enrolled devices** deployment intent is supported for **user groups** and **device groups** when targeting Android Enterprise fully managed devices (COBO) and Android Enterprise corporate-owned personally-enabled (COPE) devices. +> The **Available for enrolled devices** deployment intent is supported for **user groups** and **device groups** when targeting Android Enterprise fully managed devices (COBO) and Android Enterprise corporate-owned personally enabled (COPE) devices. ## Options when assigning managed apps @@ -64,7 +64,7 @@ The following table lists the various options when *assigning* apps to users and > > For almost all app types and platforms, *Available assignments* are only valid when assigning to user groups, not device groups. Win32 apps can be assigned to either user or device groups. > -> If managed Google Play pre-production track apps are assigned as required on Android Enterprise personally-owned work profile devices, they will not install on the device. To work around this, create two identical user groups and assign the pre-production track as "available" to one and "required" to the other. The result will be that the pre-production track successfully deploys to the device. +> If managed Google Play preproduction track apps are assigned as required on Android Enterprise personally owned work profile devices, they won't install on the device. To work around this, create two identical user groups and assign the preproduction track as "available" to one and "required" to the other. The result will be that the preproduction track successfully deploys to the device. ## Assign an app 
@@ -85,10 +85,10 @@ The following table lists the various options when *assigning* apps to users and > - To configure what happens to managed apps when devices are no longer managed, you can select the intended setting under **Uninstall on device removal**. For more information, see [App uninstall setting for iOS/iPadOS managed apps](apps-deploy.md#app-uninstall-setting-for-ios-managed-apps). > - If you have created an iOS/iPadOS VPN profile that contains per-app VPN settings, you can select the VPN profile under **VPN**. When the app is run, the VPN connection is opened. For more information, see [VPN settings for iOS/iPadOS devices](../configuration/vpn-settings-ios.md). > - To configure whether a required iOS/iPadOS app is installed as a removable app by end users, you can select the setting under **Install as removable**. - > - To configure a way to prevent the iCloud backup of the managed iOS/iPadOS app, you can click on one of the following settings after adding a group assignment - VPN, or Uninstall on device removal, or Install as removable. Then, configure the setting called Prevent iCloud app backup. For more information, see [Prevent iCloud app backup setting for iOS/iPadOS and macOS apps](#prevent-icloud-app-backup-setting-for-iosipados-and-macos-apps). + > - To configure a way to prevent the iCloud backup of the managed iOS/iPadOS app, you can select on one of the following settings after adding a group assignment - VPN, or Uninstall on device removal, or Install as removable. Then, configure the setting called Prevent iCloud app backup. For more information, see [Prevent iCloud app backup setting for iOS/iPadOS and macOS apps](#prevent-icloud-app-backup-setting-for-iosipados-and-macos-apps). > > **For macOS apps only**: - > - To configure a way to prevent the iCloud backup of the managed macOS app, you can click on one of the following settings after adding a group assignment - VPN, or Uninstall on device removal, or Install as removable. 
Then, configure the setting called Prevent iCloud app backup. For more information, see [Prevent iCloud app backup setting for iOS/iPadOS and macOS apps](#prevent-icloud-app-backup-setting-for-iosipados-and-macos-apps). + > - To configure a way to prevent the iCloud backup of the managed macOS app, you can select on one of the following settings after adding a group assignment - VPN, or Uninstall on device removal, or Install as removable. Then, configure the setting called Prevent iCloud app backup. For more information, see [Prevent iCloud app backup setting for iOS/iPadOS and macOS apps](#prevent-icloud-app-backup-setting-for-iosipados-and-macos-apps). > > **For Android apps only**: > - If you deploy an Android app as **Available with or without enrollment**, reporting status will only be available on enrolled devices. @@ -150,10 +150,10 @@ The information in the following table can help you understand the resulting int > [!NOTE] > For managed iOS store apps only, when you add these apps to Microsoft Intune and assign them as **Required**, the apps are automatically created with both **Required** and **Available** intents.

    > iOS Store apps (not iOS/iPadOS VPP apps) that are targeted with required intent will be enforced on the device at the time of the device check-in and will also show in the Company Portal app.

    -> When conflicts occur in **Uninstall on device removal** setting, the app is not removed from the device when the device is no longer managed. +> When conflicts occur in **Uninstall on device removal** setting, the app isn't removed from the device when the device is no longer managed. > [!NOTE] -> Apps deployed as Required to corporate-owned work profile and corporate-owned fully managed devices cannot be uninstalled manually by the user. +> Apps deployed as Required to corporate-owned work profile and corporate-owned fully managed devices can't be uninstalled manually by the user. ## Managed Google Play app deployment to unmanaged devices From 9ce7fa0e9aeb62ba6fbc945fd21faac310e35048 Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 9 Jan 2025 14:30:38 -0800 Subject: [PATCH 228/237] Update defender baseline --- .../security-baseline-settings-defender.md | 93 ++++++++++--------- 1 file changed, 51 insertions(+), 42 deletions(-) diff --git a/memdocs/intune/protect/security-baseline-settings-defender.md b/memdocs/intune/protect/security-baseline-settings-defender.md index 63c246d31b5..848f5150feb 100644 --- a/memdocs/intune/protect/security-baseline-settings-defender.md +++ b/memdocs/intune/protect/security-baseline-settings-defender.md 
@@ -39,37 +39,46 @@ zone_pivot_groups: atp-baseline-versions --> -# List of the settings in the Microsoft Defender for Endpoint security baseline in Intune +# Microsoft Defender for Endpoint security baseline settings reference for Microsoft Intune -This article is a reference for the settings that are available in the different versions of the Microsoft Defender for Endpoint security baseline that you can deploy with Microsoft Intune. Use the tabs to select and view the settings in the most recent baseline version and a few older versions that might still be in use. +This article is a reference for the settings that are available in the Microsoft Defender for Endpoint security baseline for Microsoft Intune. + +## About this reference article + +Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings. -For each setting this reference identifies the baselines default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types, like the *MDM security* and the *Defender for Endpoint* baselines, can also set different defaults. +The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays: -When the Intune UI includes a *Learn more* link for a setting, you’ll find that here as well. 
Use that link to view the settings *policy configuration service provider* (CSP) or relevant content that explains the settings operation. +- A list of each setting and its configuration as found in the default instance of that baseline version. +- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. -When a new version of a baseline becomes available, it replaces the previous version. Profiles instances that are created prior to the availability of a new version: +When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: - Become read-only. You can continue to use those profiles but can't edit them to change their configuration. -- Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings. +- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings. -To learn more about using security baselines, see [Use security baselines](security-baselines.md). In that article you'll also find information about how to: +This article is a reference for the settings that are available in the different versions of the Microsoft Defender for Endpoint security baseline that you can deploy with Microsoft Intune. Use the tabs to select and view the settings in the most recent baseline version and a few older versions that might still be in use. 
+ +To learn more about using security baselines, see: +- [Use security baselines](../protect/security-baselines.md) +- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) +- [Manage security baselines](../protect/security-baselines-configure.md) -- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) to update a profile to use the latest version of that baseline. ::: zone pivot="mde-v24h1" -**Microsoft Defender for Endpoint baseline version 24H1** +## Microsoft Defender for Endpoint baseline version 24H1 ::: zone-end ::: zone pivot="atp-december-2020" -**Microsoft Defender for Endpoint baseline for December 2020 - version 6** +## Microsoft Defender for Endpoint baseline for December 2020 - version 6 ::: zone-end ::: zone pivot="atp-sept-2020" -**Microsoft Defender for Endpoint baseline for September 2020 - version 5** +## Microsoft Defender for Endpoint baseline for September 2020 - version 5 ::: zone-end ::: zone pivot="atp-april-2020" -**Microsoft Defender for Endpoint baseline for April 2020 - version 4** +## Microsoft Defender for Endpoint baseline for April 2020 - version 4 ::: zone-end ::: zone pivot="atp-march-2020" -**Microsoft Defender for Endpoint baseline for March 2020 - version 3** +## Microsoft Defender for Endpoint baseline for March 2020 - version 3 ::: zone-end The Microsoft Defender for Endpoint baseline is available when your environment meets the prerequisites for using [Microsoft Defender for Endpoint](advanced-threat-protection.md#prerequisites). 
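Review bot: The rewritten introduction of security-baseline-settings-defender.md (@@ -39,37 +39,46 @@, patch 228/237) ends up with two near-identical opening statements: the new first line "This article is a reference for the settings that are available in the Microsoft Defender for Endpoint security baseline for Microsoft Intune." and the old paragraph, which is removed at the top and then re-added after the read-only/update list, beginning "This article is a reference for the settings that are available in the different versions". The re-added paragraph also tells readers to "Use the tabs", while the new text says the version is selected "at the top of the article". Suggest deleting the re-added paragraph. Smaller fixes in the added lines: "based on baseline version you select" needs "the", "a settings use" should be "a setting's use", and "you’ve" uses a typographic apostrophe where the other added lines use straight ones ("you're").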
@@ -78,9 +87,9 @@ This baseline is optimized for physical devices and isn't recommended for use on ::: zone pivot="mde-v24h1" -## Administrative Templates +### Administrative Templates -### System > Device Installation > Device Installation Restrictions +#### System > Device Installation > Device Installation Restrictions - **Prevent installation of devices using drivers that match these device setup classes** Baseline default: *Enabled* @@ -92,7 +101,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Also apply to matching devices that are already installed.** Baseline default: *False* -### Windows Components > BitLocker Drive Encryption +#### Windows Components > BitLocker Drive Encryption - **Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)** Baseline default: *Enabled* @@ -107,7 +116,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Select the encryption method for fixed data drives:** Baseline default: *XTS-AES 128-bit (default)* -### Windows Components > BitLocker Drive Encryption > Fixed Data Drives +#### Windows Components > BitLocker Drive Encryption > Fixed Data Drives - **Choose how BitLocker-protected fixed drives can be recovered** Baseline default: *Enabled* @@ -119,7 +128,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Allow data recovery agent** Baseline default: *True* - - **Configure storage of BitLocker recovery information to AD DS:** + - **Configure storage of BitLocker recovery information to AD DS** Baseline default: *Backup recovery passwords and key packages* Value: *Allow 256-bit recovery key* 
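Review bot: In the @@ -119,7 +128,7 @@ hunk the trailing colon is dropped from **Configure storage of BitLocker recovery information to AD DS**, while sibling setting names visible in this patch's context lines keep theirs (**Select the encryption method for fixed data drives:**, **Configure TPM startup key:**). The edit is unrelated to the heading-level changes in the rest of the patch and leaves the list inconsistent. Either revert it so the label matches the other settings, or remove the colon from all of them in one pass.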
@@ -144,7 +153,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Select the encryption type: (Device)** Baseline default: *Used Space Only encryption* -### Windows Components > BitLocker Drive Encryption > Operating System Drives +#### Windows Components > BitLocker Drive Encryption > Operating System Drives - **Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.** Baseline default: *Disabled* @@ -208,7 +217,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Configure TPM startup key:** Baseline default: *Do not allow startup key with TPM* -### Windows Components > BitLocker Drive Encryption > Removable Data Drives +#### Windows Components > BitLocker Drive Encryption > Removable Data Drives - **Control use of BitLocker on removable drives** Baseline default: *Enabled* @@ -234,7 +243,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Do not allow write access to devices configured in another organization** Baseline default: *False* -### Windows Components > File Explorer +#### Windows Components > File Explorer - **Configure Windows Defender SmartScreen** Baseline default: *Enabled* @@ -243,7 +252,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Pick one of the following settings: (Device)** Baseline default: *Warn and prevent bypass* -### Windows Components > Internet Explorer +#### Windows Components > Internet Explorer - **Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet** Baseline default: *Enabled* @@ -260,7 +269,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Select SmartScreen Filter mode** Baseline default: *On* -## BitLocker +### BitLocker - **Allow Warning For Other Disk Encryption** Baseline default: *Enabled* 
@@ -274,7 +283,7 @@ This baseline is optimized for physical devices and isn't recommended for use on Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/bitlocker-csp?WT.mc_id=Portal-fx#requiredeviceencryption) -## Defender +### Defender - **Allow Archive Scanning** Baseline default: *Allowed. Scans the archive files.* @@ -464,19 +473,19 @@ This baseline is optimized for physical devices and isn't recommended for use on Baseline default: *Send all samples automatically.* [Learn more](/windows/client-management/mdm/policy-csp-Defender?WT.mc_id=Portal-fx#submitsamplesconsent) -## Device Guard +### Device Guard - **Credential Guard** Baseline default: *(Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.* [Learn more](/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#lsacfgflags) -## Dma Guard +### Dma Guard - **Device Enumeration Policy** Baseline default: *Block all (Most restrictive)* [Learn more](/windows/client-management/mdm/policy-csp-dmaguard?WT.mc_id=Portal-fx#deviceenumerationpolicy) -## Firewall +### Firewall - **Certificate revocation list verification** Baseline default: *None* @@ -620,7 +629,7 @@ This baseline is optimized for physical devices and isn't recommended for use on Value: *300* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreglobalsaidletime) -## Microsoft Edge +### Microsoft Edge - **Configure Microsoft Defender SmartScreen** Baseline default: *Enabled* 
@@ -646,7 +655,7 @@ This baseline is optimized for physical devices and isn't recommended for use on ::: zone-end ::: zone pivot="atp-sept-2020,atp-december-2020" -## Attack Surface Reduction Rules +### Attack Surface Reduction Rules Attack surface reduction rules support a merger of settings from different policies, to create a superset of policy for each device. Only the settings that aren't in conflict are merged. Settings that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. @@ -716,7 +725,7 @@ To learn more, see [Attack surface reduction rules](/windows/security/threat-pro ::: zone pivot="atp-march-2020,atp-april-2020" -## Application Guard +### Application Guard For more information, see [WindowsDefenderApplicationGuard CSP](/windows/client-management/mdm/windowsdefenderapplicationguard-csp) in the Windows documentation. @@ -744,7 +753,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone-end ::: zone pivot="atp-december-2020,atp-sept-2020,atp-march-2020,atp-april-2020" -## BitLocker +### BitLocker ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020" @@ -927,7 +936,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone pivot="atp-march-2020,atp-april-2020" -## Browser +### Browser - **Require SmartScreen for Microsoft Edge** Baseline default: *Yes* @@ -941,7 +950,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your Baseline default: *Yes* [Learn more](/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) -## Data Protection +### Data Protection - **Block direct memory access** Baseline default: *Yes* 
@@ -950,13 +959,13 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020" -## Device Guard +### Device Guard - **Turn on credential guard** Baseline default: *Enable with UEFI lock* [Learn more](https://go.microsoft.com/fwlink/?linkid=872424) -## Device Installation +### Device Installation ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020" @@ -1000,7 +1009,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone-end ::: zone pivot="atp-sept-2020,atp-december-2020" -## DMA Guard +### DMA Guard ::: zone-end ::: zone pivot="atp-sept-2020,atp-december-2020" @@ -1021,7 +1030,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your -## Endpoint Detection and Response +### Endpoint Detection and Response - **Sample sharing for all files** Baseline default: *Yes* @@ -1034,7 +1043,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020" -## Firewall +### Firewall - **Stateful File Transfer Protocol (FTP)** Baseline default: *Disabled* @@ -1200,7 +1209,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020" -## Microsoft Defender +### Microsoft Defender ::: zone-end ::: zone pivot="atp-december-2020" @@ -1591,7 +1600,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your -## Microsoft Defender Security Center +### Microsoft Defender Security Center - **Block users from editing the Exploit Guard protection interface** Baseline default: *Yes* 
@@ -1600,7 +1609,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020" -## Smart Screen +### Smart Screen - **Block users from ignoring SmartScreen warnings** Baseline default: *Yes* @@ -1649,7 +1658,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your -## Windows Hello for Business +### Windows Hello for Business For more information, see [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp) in the Windows documentation. From 603f3a7f96166a5237c67d9a6aee8b5f8e5c483a Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 9 Jan 2025 14:38:15 -0800 Subject: [PATCH 229/237] Update older Edge baseline --- .../security-baseline-settings-edge.md | 39 ++++++++++++------- 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/memdocs/intune/protect/security-baseline-settings-edge.md b/memdocs/intune/protect/security-baseline-settings-edge.md index ab1ce8e995d..2376a40c8f6 100644 --- a/memdocs/intune/protect/security-baseline-settings-edge.md +++ b/memdocs/intune/protect/security-baseline-settings-edge.md @@ -7,7 +7,7 @@ description: View a list of the settings in the Microsoft Intune security baseli author: brenduns ms.author: brenduns manager: dougeby -ms.date: 03/26/2024 +ms.date: 01/09/2025 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect 
@@ -32,37 +32,46 @@ zone_pivot_groups: edge-baseline-versions # List of the settings in the Microsoft Edge security baseline in Intune -This article is a reference for the settings that are available in the different versions of the Microsoft Edge security baseline that you can deploy with Microsoft Intune. You can use the tabs below to select and view the settings in the current baseline version and a few older versions that might still be in use. +This article is a reference for the settings that are available in the Microsoft Edge security baseline for Microsoft Intune. -For each setting you’ll find the baselines default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types could also set different defaults. +In May 2023, the settings for the Microsoft Edge baselines updated to a new format. This article provides a reference for Microsoft Edge baselines version 85 and earlier. To view the settings reference for newer baselines, see [Microsoft Edge security baseline settings reference for Microsoft Intune](../protect/security-baseline-v2-edge-settings.md). - -Although the settings in the Intune UI for this baseline omit *Learn more* links, this article includes links to relevant content. +## About this reference article -When a new version of a baseline becomes available, it replaces the previous version. Profiles instances that you’ve created prior to the availability of a new version: +Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. 
When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings. + +The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays: + +- A list of each and its configuration as found in the default instance of that baseline version. +- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. + +When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: - Become read-only. You can continue to use those profiles but can't edit them to change their configuration. -- Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings. +- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings. + +To learn more about using security baselines, see: +- [Use security baselines](../protect/security-baselines.md) +- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) +- [Manage security baselines](../protect/security-baselines-configure.md) -To learn more about using security baselines, see [Use security baselines](security-baselines.md). In that article you'll also find information about how to: - -- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) to update a profile to use the latest version of that baseline. 
::: zone pivot="edge-sept-2020" -**Microsoft Edge baseline for September 2020 (Edge version 85)** +## Microsoft Edge baseline for September 2020 (Edge version 85) + ::: zone-end ::: zone pivot="edge-april-2020" -**Microsoft Edge baseline for April 2020 (Edge version 80)** +## Microsoft Edge baseline for April 2020 (Edge version 80) ::: zone-end ::: zone pivot="edge-october-2019" -**Microsoft Edge baseline for October 2019** +## Microsoft Edge baseline for October 2019 > [!NOTE] -> The Microsoft Edge baseline for October 2019 is in Public Preview. +> The Microsoft Edge baseline for October 2019 is a Public Preview. ::: zone-end -## Microsoft Edge +### Microsoft Edge ::: zone pivot="edge-sept-2020,edge-april-2020" From d5dbee87b0f58e01ed58fbcbd082fe2688ed5d0d Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 9 Jan 2025 14:48:53 -0800 Subject: [PATCH 230/237] Update Windows Security baselines --- .../security-baseline-settings-mdm-all.md | 292 +++++++++--------- 1 file changed, 152 insertions(+), 140 deletions(-) diff --git a/memdocs/intune/protect/security-baseline-settings-mdm-all.md b/memdocs/intune/protect/security-baseline-settings-mdm-all.md index 31c02051079..90e7e495b0d 100644 --- a/memdocs/intune/protect/security-baseline-settings-mdm-all.md +++ b/memdocs/intune/protect/security-baseline-settings-mdm-all.md @@ -7,7 +7,7 @@ description: View the default setting configuration of the various Microsoft Int author: brenduns ms.author: brenduns manager: dougeby -ms.date: 07/01/2024 +ms.date: 01/09/2025 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect 
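Review bot: In `security-baseline-settings-edge.md`, hunk `@@ -32,37 +32,46 @@`, the added bullet "A list of each and its configuration as found in the default instance of that baseline version" is missing its noun (presumably "each setting"), and the sentence above it needs an article: "based on the baseline version you select". Two further points in the same hunk: the new "About this reference article" paragraph describes each baseline as "a group of preconfigured Windows settings", which reads oddly in the Edge baseline article and looks like boilerplate carried over from the Windows baseline page; and the note text changes from "is in Public Preview" to "is a Public Preview", which is the less natural phrasing, so I would keep the original wording. The pivot headings are also inconsistent about the added blank line (only the September 2020 heading gets one).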
@@ -29,42 +29,54 @@ ms.collection: zone_pivot_groups: windows-mdm-versions --- -# List of the settings in the Windows MDM security baseline in Intune +# Windows MDM security baseline settings reference for Microsoft Intunein Intune -This article is a reference for the settings that are available in the different versions of the Windows Mobile Device Management (MDM) security baseline for Windows 10 and Windows 11 devices that you manage with Microsoft Intune. You can use the provided Tabs to select and view the settings in the current baseline version and a few older versions that might still be in use. +This article is a reference for the settings that are available in the Windows Mobile Device Management (MDM) security baseline for Microsoft Intune. -For each setting you’ll find the baselines default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types, like the *MDM security* and the *Defender for Endpoint* baselines, could also set different defaults. +## About this reference article -When the Intune UI includes a *Learn more* link for a setting, you’ll find that here as well. Use that link to view the settings *policy configuration service provider* (CSP) or relevant content that explains the settings operation. +Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings. 
-When a new version of a baseline becomes available, it replaces the previous version. Profiles instances that you’ve created before the availability of a new version: +The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays: + +- A list of each and its configuration as found in the default instance of that baseline version. +- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. + +When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: - Become read-only. You can continue to use those profiles but can't edit them to change their configuration. -- Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings. +- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings. + +To learn more about using security baselines, see: +- [Use security baselines](../protect/security-baselines.md) +- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) +- [Manage security baselines](../protect/security-baselines-configure.md) -To learn more about using security baselines, see [Use security baselines](security-baselines.md). In that article you'll also find information about how to [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) to update a profile to use the latest version of that baseline. 
::: zone pivot="mdm-23h2" -**Security Baseline for Windows, version 23H2** +## Security Baseline for Windows, version 23H2 The settings in this baseline are taken from the **version 23H2** of the Group Policy security baseline as found in the [Security Compliance Toolkit and Baselines](https://www.microsoft.com/en-us/download/details.aspx?id=55319) from the Microsoft Download Center, and include only the settings that apply to Windows devices managed through Intune. When available, the setting name links to the source Configuration Service Provider (CSP), and then displays that settings default configuration in the baseline. ::: zone-end ::: zone pivot="mdm-november-2021" -**Security Baseline for Windows, November 2021** +## Security Baseline for Windows, November 2021 + ::: zone-end ::: zone pivot="mdm-december-2020" -**Security Baseline for Windows, December 2020** +## Security Baseline for Windows, December 2020 + ::: zone-end ::: zone pivot="mdm-august-2020" -**Security Baseline for Windows, August 2020** +## Security Baseline for Windows, August 2020 + ::: zone-end ::: zone pivot="mdm-23h2" -## Administrative Templates +### Administrative Templates -### Control Panel > Personalization +#### Control Panel > Personalization - **Prevent enabling lock screen camera** Baseline default: *Enabled* @@ -74,7 +86,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-devicelock?WT.mc_id=Portal-fx#preventlockscreenslideshow) -### MS Security Guide +#### MS Security Guide - **Apply UAC restrictions to local accounts on network logons** Baseline default: *Enabled* 
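Review bot: The new H1 in `security-baseline-settings-mdm-all.md`, hunk `@@ -29,42 +29,54 @@`, reads "# Windows MDM security baseline settings reference for Microsoft Intunein Intune"; the tail of the old title ("in Intune") was left attached, so the heading should end at "Microsoft Intune". The same hunk repeats two wording slips in the added "About this reference article" text: "A list of each and its configuration" is missing its noun (presumably "each setting"), and "based on baseline version you select" needs "the". Since the H1 usually feeds the page title and search results, it is worth fixing before merge.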
@@ -98,7 +110,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-mssecurityguide?WT.mc_id=Portal-fx#wdigestauthentication) -### MSS (Legacy) +#### MSS (Legacy) - **MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)** Baseline default: *Enabled* @@ -120,19 +132,19 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-msslegacy?WT.mc_id=Portal-fx#allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) -### Network > DNS Client +#### Network > DNS Client - **Turn off multicast name resolution** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-dnsclient?WT.mc_id=Portal-fx#turn_off_multicast) -### Network > Network Connections +#### Network > Network Connections - **Prohibit use of Internet Connection Sharing on your DNS domain network** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-networkconnections?WT.mc_id=Portal-fx#nc-showsharedaccessui) -### Network > Network Provider +#### Network > Network Provider - **Hardened UNC Paths** Baseline default: *Enabled* 
@@ -145,13 +157,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P | `\\*\SYSVOL` | RequireMutualAuthentication=1,RequireIntegrity=1 | | `\\*\NETLOGON` | RequireMutualAuthentication=1,RequireIntegrity=1 | -### Network > Windows Connection Manager +#### Network > Windows Connection Manager - **Prohibit connection to non-domain networks when connected to domain authenticated network** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-windowsconnectionmanager?WT.mc_id=Portal-fx#prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) -### Printers +#### Printers - **Configure Redirection Guard** Baseline default: *Enabled* @@ -191,13 +203,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Manage processing of Queue-specific files: (Device)** Baseline default: *Limit Queue-specific files to Color profiles* -### Start Menu and Taskbar > Notifications +#### Start Menu and Taskbar > Notifications - **Turn off toast notifications on the lock screen (User)** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-wpn?WT.mc_id=Portal-fx#nolockscreentoastnotification) -### System > Credentials Delegation +#### System > Credentials Delegation - **Encryption Oracle Remediation** Baseline default: *Enabled* @@ -209,7 +221,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-credentialsdelegation?WT.mc_id=Portal-fx#remotehostallowsdelegationofnonexportablecredentials) -### System > Device Installation > Device Installation Restrictions +#### System > Device Installation > Device Installation Restrictions - **Prevent installation of devices using drivers that match these device setup classes** Baseline default: *Enabled* 
@@ -219,7 +231,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Prevented Classes** Baseline default: *{d48179be-ec20-11d1-b6b8-00c04fa372a7}* -### System > Early Launch Antimalware +#### System > Early Launch Antimalware - **Boot-Start Driver Initialization Policy** Baseline default: *Enabled* @@ -227,7 +239,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Choose the boot-start drivers that can be initialized:** Baseline default: *Good, unknown and bad but critical* -### System > Group Policy +#### System > Group Policy - **Configure registry policy processing** Baseline default: *Enabled* @@ -237,7 +249,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Process even if the Group Policy objects have not changed (Device)** Baseline default: *True* -### System > Internet Communication Management > Internet Communication settings +#### System > Internet Communication Management > Internet Communication settings - **Turn off downloading of print drivers** Baseline default: *Enabled* @@ -247,13 +259,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-connectivity?WT.mc_id=Portal-fx#disableinternetdownloadforwebpublishingandonlineorderingwizards) -### System > Local Security Authority +#### System > Local Security Authority - **Allow Custom SSPs and APs to be loaded into LSASS** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-lsa#allowcustomsspsaps) -### System > Power Management > Sleep Settings +#### System > Power Management > Sleep Settings - **Allow standby states (S1-S3) when sleeping (on battery)** Baseline default: *Disabled* 
@@ -271,13 +283,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-power?WT.mc_id=Portal-fx#requirepasswordwhencomputerwakespluggedin) -### System > Remote Assistance +#### System > Remote Assistance - **Configure Solicited Remote Assistance** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-remoteassistance?WT.mc_id=Portal-fx#solicitedremoteassistance) -### System > Remote Procedure Call +#### System > Remote Procedure Call - **Restrict Unauthenticated RPC clients** Baseline default: *Enabled* @@ -285,13 +297,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **RPC Runtime Unauthenticated Client Restriction to Apply:** Baseline default: *Authenticated* -### Windows Components > App runtime +#### Windows Components > App runtime - **Allow Microsoft accounts to be optional** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-appruntime?WT.mc_id=Portal-fx#allowmicrosoftaccountstobeoptional) -### Windows Components > AutoPlay Policies +#### Windows Components > AutoPlay Policies - **Disallow Autoplay for non-volume devices** Baseline default: *Enabled* 
@@ -309,13 +321,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Turn off Autoplay on:** Baseline default: *All drives* -### Windows Components > BitLocker Drive Encryption > Fixed Data Drives +#### Windows Components > BitLocker Drive Encryption > Fixed Data Drives - **Deny write access to fixed drives not protected by BitLocker** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/bitlocker-csp?WT.mc_id=Portal-fx#fixeddrivesrequireencryption) -### Windows Components > BitLocker Drive Encryption > Removable Data Drives +#### Windows Components > BitLocker Drive Encryption > Removable Data Drives - **Deny write access to removable drives not protected by BitLocker** Baseline default: *Enabled* @@ -323,13 +335,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Do not allow write access to devices configured in another organization** Baseline default: *False* -### Windows Components > Credential User Interface +#### Windows Components > Credential User Interface - **Enumerate administrator accounts on elevation** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-credentialsui?WT.mc_id=Portal-fx#enumerateadministrators) -### Windows Components > Event Log Service > Application +#### Windows Components > Event Log Service > Application - **Specify the maximum log file size (KB)** Baseline default: *Enabled* @@ -337,7 +349,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Maximum Log Size (KB)** Baseline default: *32768* -### Windows Components > Event Log Service > Security +#### Windows Components > Event Log Service > Security - **Specify the maximum log file size (KB)** Baseline default: *Enabled* 
@@ -345,7 +357,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Maximum Log Size (KB)** Baseline default: *196608* -### Windows Components > Event Log Service > System +#### Windows Components > Event Log Service > System - **Specify the maximum log file size (KB)** Baseline default: *Enabled* @@ -353,7 +365,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Maximum Log Size (KB)** Baseline default: *32768* -### Windows Components > File Explorer +#### Windows Components > File Explorer - **Configure Windows Defender SmartScreen** Baseline default: *Enabled* @@ -369,7 +381,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-fileexplorer?WT.mc_id=Portal-fx#turnoffheapterminationoncorruption) -### Windows Components > Internet Explorer > Internet Control Panel > Advanced Page +#### Windows Components > Internet Explorer > Internet Control Panel > Advanced Page - **Allow software to run or install even if the signature is invalid** Baseline default: *Disabled* 
@@ -401,13 +413,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#allowenhancedprotectedmode) -### Windows Components > Internet Explorer > Internet Control Panel +#### Windows Components > Internet Explorer > Internet Control Panel - **Prevent ignoring certificate errors** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#disableignoringcertificateerrors) -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone - **Access data sources across domains** Baseline default: *Enabled* @@ -595,7 +607,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Web sites in less privileged Web content zones can navigate into this zone** Baseline default: *Disable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page - **Intranet Sites: Include all network paths (UNCs)** Baseline default: *Disabled* @@ -605,7 +617,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#allowcertificateaddressmismatchwarning) -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone - **Don't run antimalware programs against ActiveX controls** Baseline default: *Enabled* 
@@ -625,7 +637,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Java permissions** Baseline default: *High safety* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone - **Don't run antimalware programs against ActiveX controls** Baseline default: *Enabled* @@ -639,7 +651,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone - **Turn on SmartScreen Filter scan** Baseline default: *Enabled* @@ -647,7 +659,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Use SmartScreen Filter** Baseline default: *Enable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone - **Java permissions** Baseline default: *Enabled* @@ -655,7 +667,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone - **Java permissions** Baseline default: *Enabled* 
@@ -663,7 +675,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone - **Java permissions** Baseline default: *Enabled* @@ -677,7 +689,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Use SmartScreen Filter** Baseline default: *Enable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone - **Java permissions** Baseline default: *Enabled* @@ -685,7 +697,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone - **Access data sources across domains** Baseline default: *Enabled* @@ -921,7 +933,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Web sites in less privileged Web content zones can navigate into this zone** Baseline default: *Disable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone - **Don't run antimalware programs against ActiveX controls** Baseline default: *Enabled* 
@@ -941,7 +953,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Java permissions** Baseline default: *High safety* -### Windows Components > Internet Explorer +#### Windows Components > Internet Explorer - **Prevent bypassing SmartScreen Filter warnings** Baseline default: *Enabled* @@ -989,7 +1001,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#allowautocomplete) -### Windows Components > Internet Explorer > Security Features > Add-on Management +#### Windows Components > Internet Explorer > Security Features > Add-on Management - **Remove "Run this time" button for outdated ActiveX controls in Internet Explorer** Baseline default: *Enabled* @@ -999,7 +1011,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#donotblockoutdatedactivexcontrols) -### Windows Components > Internet Explorer > Security Features +#### Windows Components > Internet Explorer > Security Features - **Allow fallback to SSL 3.0 (Internet Explorer)** Baseline default: *Enabled* 
@@ -1007,91 +1019,91 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Allow insecure fallback for:** Baseline default: *No Sites* -### Windows Components > Internet Explorer > Security Features > Consistent Mime Handling +#### Windows Components > Internet Explorer > Security Features > Consistent Mime Handling - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#consistentmimehandlinginternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature +#### Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#mimesniffingsafetyfeatureinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction +#### Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#mkprotocolsecurityrestrictioninternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Notification bar +#### Windows Components > Internet Explorer > Security Features > Notification bar - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#notificationbarinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation +#### Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation - **Internet Explorer Processes** Baseline default: *Enabled* [Learn 
more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#protectionfromzoneelevationinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install +#### Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#restrictactivexinstallinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Restrict File Download +#### Windows Components > Internet Explorer > Security Features > Restrict File Download - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#restrictfiledownloadinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions +#### Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#scriptedwindowsecurityrestrictionsinternetexplorerprocesses) -### Windows Components > Microsoft Defender Antivirus > MAPS +#### Windows Components > Microsoft Defender Antivirus > MAPS - **Configure the 'Block at First Sight' feature** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#disableblockatfirstseen) -### Windows Components > Microsoft Defender Antivirus > Real-time Protection +#### Windows Components > Microsoft Defender Antivirus > Real-time Protection - **Turn on process scanning whenever real-time protection is enabled** Baseline default: *Enabled* [Learn 
more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#realtimeprotection-disablescanonrealtimeenable) -### Windows Components > Microsoft Defender Antivirus > Scan +#### Windows Components > Microsoft Defender Antivirus > Scan - **Scan packed executables** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#scan-disablepackedexescanning) -### Windows Components > Microsoft Defender Antivirus +#### Windows Components > Microsoft Defender Antivirus - **Turn off routine remediation** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#disableroutinelytakingaction) -### Windows Components > Remote Desktop Services > Remote Desktop Connection Client +#### Windows Components > Remote Desktop Services > Remote Desktop Connection Client - **Do not allow passwords to be saved** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotedesktopservices?WT.mc_id=Portal-fx#donotallowpasswordsaving) -### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection +#### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection - **Do not allow drive redirection** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotedesktopservices?WT.mc_id=Portal-fx#donotallowdriveredirection) -### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security +#### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security - **Always prompt for password upon connection** Baseline default: *Enabled* 
@@ -1107,13 +1119,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Encryption Level** Baseline default: *High Level* -### Windows Components > RSS Feeds +#### Windows Components > RSS Feeds - **Prevent downloading of enclosures** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#disableenclosuredownloading) -### Windows Components > Windows Logon Options +#### Windows Components > Windows Logon Options - **Enable MPR notifications for the system** Baseline default: *Disabled* @@ -1123,7 +1135,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-windowslogon?WT.mc_id=Portal-fx#allowautomaticrestartsignon) -### Windows Components > Windows PowerShell +#### Windows Components > Windows PowerShell - **Turn on PowerShell Script Block Logging** Baseline default: *Enabled* @@ -1131,7 +1143,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Log script block invocation start / stop events:** Baseline default: *False* -### Windows Components > Windows Remote Management (WinRM) > WinRM Client +#### Windows Components > Windows Remote Management (WinRM) > WinRM Client - **Allow Basic authentication** Baseline default: *Disabled* @@ -1145,7 +1157,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotemanagement?WT.mc_id=Portal-fx#disallowdigestauthentication) -### Windows Components > Windows Remote Management (WinRM) > WinRM Service +#### Windows Components > Windows Remote Management (WinRM) > WinRM Service - **Allow Basic authentication** Baseline default: *Disabled* 
@@ -1159,7 +1171,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotemanagement?WT.mc_id=Portal-fx#disallowstoringofrunascredentials) -## Auditing +### Auditing - **Account Logon Audit Credential Validation** Baseline default: *Success+ Failure* @@ -1253,7 +1265,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Success+ Failure* [Learn more](/windows/client-management/mdm/policy-csp-Audit?WT.mc_id=Portal-fx#system_auditsystemintegrity) -## Browser +### Browser - **Allow Password Manager** Baseline default: *Block* @@ -1275,13 +1287,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-Browser?WT.mc_id=Portal-fx#preventsmartscreenpromptoverrideforfiles) -## Data Protection +### Data Protection - **Allow Direct Memory Access** Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-dataprotection?WT.mc_id=Portal-fx#allowdirectmemoryaccess) -## Defender +### Defender - **Allow Archive Scanning** Baseline default: *Allowed. Scans the archive files.* @@ -1385,7 +1397,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Send all samples automatically.* [Learn more](/windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-fx#submitsamplesconsent) -## Device Guard +### Device Guard - **Configure System Guard Launch** Baseline default: *Unmanaged Enables Secure Launch if supported by hardware* 
@@ -1403,7 +1415,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Turns on VBS with Secure Boot.* [Learn more](/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#requireplatformsecurityfeatures) -## Device Lock +### Device Lock - **Device Password Enabled** Baseline default: *Enabled* @@ -1417,13 +1429,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Value: *14* [Learn more](/windows/client-management/mdm/policy-csp-devicelock?WT.mc_id=Portal-fx#mindevicepasswordlength) -## Dma Guard +### Dma Guard - **Device Enumeration Policy** Baseline default: *Block all (Most restrictive)* [Learn more](/windows/client-management/mdm/policy-csp-dmaguard?WT.mc_id=Portal-fx#deviceenumerationpolicy) -## Experience +### Experience - **Allow Windows Spotlight (User)** Baseline default: *Allow* @@ -1435,7 +1447,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-Experience?WT.mc_id=Portal-fx#allowthirdpartysuggestionsinwindowsspotlight) -## Firewall +### Firewall - **Enable Domain Network Firewall** Baseline default: *True* @@ -1509,13 +1521,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *False* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileallowlocalipsecpolicymerge) -## Lanman Workstation +### Lanman Workstation - **Enable Insecure Guest Logons** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-LanmanWorkstation?WT.mc_id=Portal-fx#enableinsecureguestlogons) -## Local Policies Security Options +### Local Policies Security Options - **Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only** Baseline default: *Enabled* 
@@ -1603,14 +1615,14 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol_virtualizefileandregistrywritefailurestoperuserlocations) -## Local Security Authority +### Local Security Authority - **Configure Lsa Protected Process** Baseline default: *Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked.* [Learn more](/windows/client-management/mdm/policy-csp-lsa#configurelsaprotectedprocess) -## Microsoft App Store +### Microsoft App Store - **Allow Game DVR** Baseline default: *Block* @@ -1624,9 +1636,9 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-ApplicationManagement?WT.mc_id=Portal-fx#msialwaysinstallwithelevatedprivileges) -## Microsoft Edge +### Microsoft Edge -### SmartScreen settings +#### SmartScreen settings - **Configure Microsoft Defender SmartScreen** Baseline default: *Enabled* @@ -1634,19 +1646,19 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Prevent bypassing Microsoft Defender SmartScreen prompts for sites** Baseline default: *Enabled* -## Privacy +### Privacy - **Let Apps Activate With Voice Above Lock** Baseline default: *Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it.* [Learn more](/windows/client-management/mdm/policy-csp-Privacy?WT.mc_id=Portal-fx#letappsactivatewithvoiceabovelock) -## Search +### Search - **Allow Indexing Encrypted Stores Or Items** Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-Search?WT.mc_id=Portal-fx#allowindexingencryptedstoresoritems) -## Smart Screen +### Smart Screen - **Enable Smart Screen In Shell** Baseline default: *Enabled* 
@@ -1656,7 +1668,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-smartscreen?WT.mc_id=Portal-fx#preventoverrideforfilesinshell) -### Enhanced Phishing Protection +#### Enhanced Phishing Protection - **Notify Malicious** Baseline default: *Enabled* @@ -1670,7 +1682,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Service Enabled** Baseline default: *Enabled* -## System Services +### System Services - **Configure Xbox Accessory Management Service Startup Mode** Baseline default: *Disabled* @@ -1688,13 +1700,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-SystemServices?WT.mc_id=Portal-fx#configurexboxlivenetworkingservicestartupmode) -## Task Scheduler +### Task Scheduler - **Enable Xbox Game Save Task** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-TaskScheduler?WT.mc_id=Portal-fx#enablexboxgamesavetask) -## User Rights +### User Rights - **Access From Network** Baseline default: *Configured* @@ -1781,13 +1793,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Value: *Administrators* (*S-1-5-32-544) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#takeownership) -## Virtualization Based Technology +### Virtualization Based Technology - **Hypervisor Enforced Code Integrity** Baseline default: *(Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock.* [Learn more](/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#hypervisorenforcedcodeintegrity) -## Wi-Fi Settings +### Wi-Fi Settings - **Allow Auto Connect To Wi Fi Sense Hotspots** Baseline default: *Block* 
@@ -1797,19 +1809,19 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-wifi?WT.mc_id=Portal-fx#allowinternetsharing) -## Windows Hello For Business +### Windows Hello For Business - **Facial Features Use Enhanced Anti Spoofing** Baseline default: *true* [Learn more](/windows/client-management/mdm/PassportForWork-csp/?WT.mc_id=Portal-fx#devicebiometricsfacialfeaturesuseenhancedantispoofing) -## Windows Ink Workspace +### Windows Ink Workspace - **Allow Windows Ink Workspace** Baseline default: *Ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.* [Learn more](/windows/client-management/mdm/policy-csp-WindowsInkWorkspace?WT.mc_id=Portal-fx#allowwindowsinkworkspace) -## LAPS +### LAPS - **Backup Directory** Baseline default: *Backup the password to Azure AD only* @@ -1822,7 +1834,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P ::: zone pivot="mdm-august-2020,mdm-december-2020,mdm-november-2021" -## Above Lock +### Above Lock - **Voice activate apps from locked screen**: Baseline default: *Disabled* @@ -1832,7 +1844,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Yes* [Learn More](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts) -## App Runtime +### App Runtime - **Microsoft accounts optional for Microsoft store apps**: Baseline default: *Enabled* @@ -1841,7 +1853,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P ::: zone-end ::: zone pivot="mdm-august-2020,mdm-december-2020,mdm-november-2021" -## Application Management +### Application Management - **Block app installations with elevated privileges**: Baseline default: *Yes* 
@@ -1855,7 +1867,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Yes* [Learn more](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowgamedvr) -## Audit +### Audit Audit settings configure the events that are generated for the conditions of the setting. @@ -1931,7 +1943,7 @@ Audit settings configure the events that are generated for the conditions of the - **System Audit System Integrity (Device)**: Baseline default: *Success and Failure* -## Auto Play +### Auto Play - **Auto play default auto run behavior**: Baseline default: *Do not execute* @@ -1945,7 +1957,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-autoplay#autoplay-disallowautoplayfornonvolumedevices) -## BitLocker +### BitLocker - **BitLocker removable drive policy**: Baseline default: *Configure* @@ -1955,7 +1967,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=872540) -## Browser +### Browser - **Block Password Manager**: Baseline default: *Yes* @@ -1977,7 +1989,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067126) -## Connectivity +### Connectivity - **Configure secure access to UNC paths**: Baseline default: *Configure Windows to only allow access to the specified UNC paths after fulfilling additional security requirements* 
@@ -1994,25 +2006,25 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067136) -## Credentials Delegation +### Credentials Delegation - **Remote host delegation of non-exportable credentials**: Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067103) -## Credentials UI +### Credentials UI - **Enumerate administrators**: Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067021) -## Data Protection +### Data Protection - **Block direct memory access**: Baseline default: Yes [Learn more](https://go.microsoft.com/fwlink/?linkid=2067031) -## Device Guard +### Device Guard - **Virtualization based security**: Baseline default: *Enable VBS with secure boot* @@ -2028,7 +2040,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enable with UEFI lock* [Learn more](https://go.microsoft.com/fwlink/?linkid=872424) -## Device Installation +### Device Installation - **Block hardware device installation by setup classes**: Baseline default: *Yes* @@ -2063,7 +2075,7 @@ Audit settings configure the events that are generated for the conditions of the - **Hardware device identifiers that are blocked**: Baseline default: *No default configuration* -## Device Lock +### Device Lock - **Require password**: Baseline default: *Yes* @@ -2109,12 +2121,12 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067105) -## DMA Guard +### DMA Guard - **Enumeration of external devices incompatible with Kernel DMA Protection**: Baseline default: *Block all* -## Event Log Service +### Event Log Service - **Application log maximum file size in KB**: Baseline default: *32768* 
@@ -2128,7 +2140,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *196608* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067042) -## Experience +### Experience - **Block Windows Spotlight**: Baseline default: *Yes* @@ -2145,7 +2157,7 @@ Audit settings configure the events that are generated for the conditions of the ::: zone-end ::: zone pivot="mdm-august-2020" -## Exploit Guard +### Exploit Guard - **Upload XML**: Baseline default: *Sample xml is provided* @@ -2154,7 +2166,7 @@ Audit settings configure the events that are generated for the conditions of the ::: zone-end ::: zone pivot="mdm-august-2020,mdm-december-2020,mdm-november-2021" -## File Explorer +### File Explorer - **Block data execution prevention**: Baseline default: *Disabled* @@ -2164,7 +2176,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067107) -## Firewall +### Firewall For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlink/?linkid=2066796) in the Windows Protocols documentation. @@ -2236,7 +2248,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=872567) -## Internet Explorer +### Internet Explorer - **Internet Explorer encryption support**: @@ -2711,7 +2723,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer#allowautocomplete) -## Local Policies Security Options +### Local Policies Security Options - **Block remote logon with blank password**: 
@@ -2801,7 +2813,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin ::: zone-end ::: zone pivot="mdm-december-2020,mdm-november-2021" -## Microsoft Defender +### Microsoft Defender - **Block Adobe Reader from creating child processes**: Baseline default: *Enable* @@ -3018,7 +3030,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin ::: zone-end ::: zone pivot="mdm-august-2020,mdm-december-2020,mdm-november-2021" -## MS Security Guide +### MS Security Guide - **SMB v1 client driver start configuration**: Baseline default: *Disabled driver* @@ -3040,7 +3052,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067193) -## MSS Legacy +### MSS Legacy - **Network IPv6 source routing protection level**: Baseline default: *Highest protection* @@ -3058,7 +3070,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067326) -## Power +### Power - **Require password on wake while on battery**: Baseline default: *Enabled* @@ -3076,13 +3088,13 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067196) -## Remote Assistance +### Remote Assistance - **Remote Assistance solicited**: Baseline default: *Disable Remote Assistance* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067198) -## Remote Desktop Services +### Remote Desktop Services - **Remote desktop services client connection encryption level**: Baseline default: *High* 
@@ -3103,7 +3115,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067248) -## Remote Management +### Remote Management - **Block client digest authentication**: Baseline default: *Enabled* @@ -3129,19 +3141,19 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067226) -## Remote Procedure Call +### Remote Procedure Call - **RPC unauthenticated client options**: Baseline default: *Authenticated* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067225) -## Search +### Search - **Disable indexing encrypted items**: Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067303) -## Smart Screen +### Smart Screen - **Turn on Windows SmartScreen** Baseline default: *Yes* @@ -3151,13 +3163,13 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=872783) -## System +### System - **System boot start driver initialization**: Baseline default: *Good unknown and bad critical* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067307) -## Wi-Fi +### Wi-Fi - **Block Automatically connecting to Wi-Fi hotspots**: Baseline default: *Yes* 
@@ -3167,19 +3179,19 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067327) -## Windows Connection Manager +### Windows Connection Manager - **Block connection to non-domain networks**: Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067323) -## Windows Ink Workspace +### Windows Ink Workspace - **Ink Workspace**: Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067241) -## Windows PowerShell +### Windows PowerShell - **PowerShell script block logging**: Baseline default: *Enabled* From 41cd07461f2a3dc7e5008025a760d383d0a36283 Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 9 Jan 2025 14:56:19 -0800 Subject: [PATCH 231/237] Update Windows 365 cloud pc security baselines --- .../security-baseline-settings-windows-365.md | 257 +++++++++--------- 1 file changed, 131 insertions(+), 126 deletions(-) diff --git a/memdocs/intune/protect/security-baseline-settings-windows-365.md b/memdocs/intune/protect/security-baseline-settings-windows-365.md index d1527ba5f08..bf680f38419 100644 --- a/memdocs/intune/protect/security-baseline-settings-windows-365.md +++ b/memdocs/intune/protect/security-baseline-settings-windows-365.md 
@@ -35,33 +35,38 @@ zone_pivot_groups: windows-365-versions - win365-nov21 > November 2021 --> -# List of the settings in the Windows 365 Cloud PC security baseline in Intune +# Windows 365 Cloud PC security baseline settings reference for Microsoft Intune -This article is a reference for the settings that are available in the Windows 365 Cloud PC security baseline that you can deploy with Microsoft Intune. +TThis article is a reference for the settings that are available in the Windows 365 Cloud PC security baseline for Microsoft Intune. -For each setting we list the baselines default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types, like the *MDM security* and the *Defender for Endpoint* baselines, could also set different defaults. +## About this reference article -When the Intune UI includes a *Learn more* link for a setting, we include that here as well. Use that link to view the settings *policy configuration service provider* (CSP) or relevant content that explains the settings operation. +Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings. -When a new version of a baseline becomes available, it replaces the previous version. Profiles instances that you’ve created prior to the availability of a new version: +The details that display in this article are based on baseline version you select at the top of the article. 
For each version, this article displays: + +- A list of each and its configuration as found in the default instance of that baseline version. +- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. + +When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: - Become read-only. You can continue to use those profiles but can't edit them to change their configuration. -- Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings. +- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings. To learn more about using security baselines, see: - -- [Use security baselines](security-baselines.md) -- [Manage security baselines](security-baselines-configure.md) +- [Use security baselines](../protect/security-baselines.md) +- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) +- [Manage security baselines](../protect/security-baselines-configure.md) ::: zone pivot="win365-24h1" -**Windows 365 Cloud PC security baseline version 24H1**: +## Windows 365 Cloud PC security baseline version 24H1 The settings in this baseline apply to Windows devices managed through Intune. When available, the setting name links to the source Configuration Service Provider (CSP), and then displays that settings default configuration in the baseline. -## Administrative Templates +### Administrative Templates -### Control Panel > Personalization +#### Control Panel > Personalization - **Prevent enabling lock screen camera** Baseline default: *Enabled* 
@@ -71,7 +76,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-devicelock?WT.mc_id=Portal-fx#preventlockscreenslideshow) -### MS Security Guide +#### MS Security Guide - **Apply UAC restrictions to local accounts on network logons** Baseline default: *Enabled* @@ -96,7 +101,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-mssecurityguide?WT.mc_id=Portal-fx#wdigestauthentication) -### MSS (Legacy) +#### MSS (Legacy) - **MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)** Baseline default: *Enabled* @@ -120,19 +125,19 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-msslegacy?WT.mc_id=Portal-fx#allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) -### Network > DNS Client +#### Network > DNS Client - **Turn off multicast name resolution** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-dnsclient?WT.mc_id=Portal-fx#turn_off_multicast) -### Network > Network Connections +#### Network > Network Connections - **Prohibit use of Internet Connection Sharing on your DNS domain network** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-networkconnections?WT.mc_id=Portal-fx#nc-showsharedaccessui) -### Network > Network Provider +#### Network > Network Provider - **Hardened UNC Paths** Baseline default: *Enabled* 
@@ -145,19 +150,19 @@ The settings in this baseline apply to Windows devices managed through Intune. W | `\\*\SYSVOL` | RequireMutualAuthentication=1,RequireIntegrity=1 | | `\\*\NETLOGON` | RequireMutualAuthentication=1,RequireIntegrity=1 | -### Network > Windows Connection Manager +#### Network > Windows Connection Manager - **Prohibit connection to non-domain networks when connected to domain authenticated network** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-windowsconnectionmanager?WT.mc_id=Portal-fx#prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) -### Start Menu and Taskbar > Notifications +#### Start Menu and Taskbar > Notifications - **Turn off toast notifications on the lock screen (User)** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-wpn?WT.mc_id=Portal-fx#nolockscreentoastnotification) -### System > Credentials Delegation +#### System > Credentials Delegation - **Encryption Oracle Remediation** Baseline default: *Enabled* @@ -169,7 +174,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-credentialsdelegation?WT.mc_id=Portal-fx#remotehostallowsdelegationofnonexportablecredentials) -### System > Device Installation > Device Installation Restrictions +#### System > Device Installation > Device Installation Restrictions - **Prevent installation of devices using drivers that match these device setup classes** Baseline default: *Enabled* @@ -180,7 +185,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Also apply to matching devices that are already installed** Baseline default: *True* -### System > Early Launch Antimalware +#### System > Early Launch Antimalware - **Boot-Start Driver Initialization Policy** Baseline default: *Enabled* 
@@ -188,7 +193,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Choose the boot-start drivers that can be initialized:** Baseline default: *Good, unknown and bad but critical* -### System > Group Policy +#### System > Group Policy - **Configure registry policy processing** Baseline default: *Enabled* @@ -199,7 +204,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Process even if the Group Policy objects have not changed (Device)** Baseline default: *True* -### System > Internet Communication Management > Internet Communication settings +#### System > Internet Communication Management > Internet Communication settings - **Turn off downloading of print drivers over HTTP** Baseline default: *Enabled* @@ -209,13 +214,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-connectivity?WT.mc_id=Portal-fx#disableinternetdownloadforwebpublishingandonlineorderingwizards) -### System > Remote Assistance +#### System > Remote Assistance - **Configure Solicited Remote Assistance** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-remoteassistance?WT.mc_id=Portal-fx#solicitedremoteassistance) -### System > Remote Procedure Call +#### System > Remote Procedure Call - **Restrict Unauthenticated RPC clients** Baseline default: *Enabled* 
@@ -223,13 +228,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **RPC Runtime Unauthenticated Client Restriction to Apply:** Baseline default: *Authenticated* -### Windows Components > App runtime +#### Windows Components > App runtime - **Allow Microsoft accounts to be optional** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-appruntime?WT.mc_id=Portal-fx#allowmicrosoftaccountstobeoptional) -### Windows Components > AutoPlay Policies +#### Windows Components > AutoPlay Policies - **Disallow Autoplay for non-volume devices** Baseline default: *Enabled* @@ -247,13 +252,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Turn off Autoplay on:** Baseline default: *All drives* -### Windows Components > Credential User Interface +#### Windows Components > Credential User Interface - **Enumerate administrator accounts on elevation** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-credentialsui?WT.mc_id=Portal-fx#enumerateadministrators) -### Windows Components > Event Log Service > Application +#### Windows Components > Event Log Service > Application - **Specify the maximum log file size (KB)** Baseline default: *Enabled* @@ -261,7 +266,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Maximum Log Size (KB)** Baseline default: *32768* -### Windows Components > Event Log Service > Security +#### Windows Components > Event Log Service > Security - **Specify the maximum log file size (KB)** Baseline default: *Enabled* @@ -269,7 +274,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Maximum Log Size (KB)** Baseline default: *196608* -### Windows Components > Event Log Service > System +#### Windows Components > Event Log Service > System - **Specify the maximum log file size (KB)** Baseline default: *Enabled* 
@@ -277,7 +282,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Maximum Log Size (KB)** Baseline default: *32768* -### Windows Components > File Explorer +#### Windows Components > File Explorer - **Configure Windows Defender SmartScreen** Baseline default: *Enabled* @@ -293,7 +298,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-fileexplorer?WT.mc_id=Portal-fx#turnoffheapterminationoncorruption) -### Windows Components > Internet Explorer > Internet Control Panel > Advanced Page +#### Windows Components > Internet Explorer > Internet Control Panel > Advanced Page - **Allow software to run or install even if the signature is invalid** Baseline default: *Disabled* @@ -325,13 +330,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#allowenhancedprotectedmode) -### Windows Components > Internet Explorer > Internet Control Panel +#### Windows Components > Internet Explorer > Internet Control Panel - **Prevent ignoring certificate errors** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#disableignoringcertificateerrors) -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone - **Access data sources across domains** Baseline default: *Enabled* 
@@ -525,7 +530,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Web sites in less privileged Web content zones can navigate into this zone** Baseline default: *Disable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page - **Intranet Sites: Include all network paths (UNCs)** Baseline default: *Disabled* @@ -535,7 +540,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#allowcertificateaddressmismatchwarning) -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone - **Don't run antimalware programs against ActiveX controls** Baseline default: *Enabled* @@ -555,7 +560,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Java permissions** Baseline default: *High safety* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone - **Don't run antimalware programs against ActiveX controls** Baseline default: *Enabled* @@ -569,7 +574,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone - **Turn on SmartScreen Filter scan** Baseline default: *Enabled* 
@@ -577,7 +582,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Use SmartScreen Filter** Baseline default: *Enable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone - **Java permissions** Baseline default: *Enabled* @@ -585,7 +590,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone - **Java permissions** Baseline default: *Enabled* @@ -593,7 +598,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone - **Java permissions** Baseline default: *Enabled* @@ -608,7 +613,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Use SmartScreen Filter** Baseline default: *Enable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone - **Java permissions** Baseline default: *Enabled* 
@@ -616,7 +621,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone - **Access data sources across domains** Baseline default: *Enabled* @@ -855,7 +860,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Web sites in less privileged Web content zones can navigate into this zone** Baseline default: *Disable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone - **Don't run antimalware programs against ActiveX controls** Baseline default: *Enabled* @@ -875,7 +880,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Java permissions** Baseline default: *High safety* -### Windows Components > Internet Explorer +#### Windows Components > Internet Explorer - **Prevent bypassing SmartScreen Filter warnings** Baseline default: *Enabled* @@ -923,7 +928,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#allowautocomplete) -### Windows Components > Internet Explorer > Security Features > Add-on Management +#### Windows Components > Internet Explorer > Security Features > Add-on Management - **Remove "Run this time" button for outdated ActiveX controls in Internet Explorer** Baseline default: *Enabled* 
@@ -933,7 +938,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#donotblockoutdatedactivexcontrols) -### Windows Components > Internet Explorer > Security Features +#### Windows Components > Internet Explorer > Security Features - **Allow fallback to SSL 3.0 (Internet Explorer)** Baseline default: *Enabled* 
@@ -941,91 +946,91 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Allow insecure fallback for:** Baseline default: *No Sites* -### Windows Components > Internet Explorer > Security Features > Consistent Mime Handling +#### Windows Components > Internet Explorer > Security Features > Consistent Mime Handling - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#consistentmimehandlinginternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature +#### Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#mimesniffingsafetyfeatureinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction +#### Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#mkprotocolsecurityrestrictioninternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Notification bar +#### Windows Components > Internet Explorer > Security Features > Notification bar - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#notificationbarinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation +#### Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation - **Internet Explorer Processes** Baseline default: *Enabled* [Learn 
more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#protectionfromzoneelevationinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install +#### Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#restrictactivexinstallinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Restrict File Download +#### Windows Components > Internet Explorer > Security Features > Restrict File Download - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#restrictfiledownloadinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions +#### Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#scriptedwindowsecurityrestrictionsinternetexplorerprocesses) -### Windows Components > Microsoft Defender Antivirus > MAPS +#### Windows Components > Microsoft Defender Antivirus > MAPS - **Configure the 'Block at First Sight' feature** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#disableblockatfirstseen) -### Windows Components > Microsoft Defender Antivirus > Real-time Protection +#### Windows Components > Microsoft Defender Antivirus > Real-time Protection - **Turn on process scanning whenever real-time protection is enabled** Baseline default: *Enabled* [Learn 
more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#realtimeprotection-disablescanonrealtimeenable) -### Windows Components > Microsoft Defender Antivirus > Scan +#### Windows Components > Microsoft Defender Antivirus > Scan - **Scan packed executables** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#scan-disablepackedexescanning) -### Windows Components > Microsoft Defender Antivirus +#### Windows Components > Microsoft Defender Antivirus - **Turn off routine remediation** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#disableroutinelytakingaction) -### Windows Components > Remote Desktop Services > Remote Desktop Connection Client +#### Windows Components > Remote Desktop Services > Remote Desktop Connection Client - **Do not allow passwords to be saved** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotedesktopservices?WT.mc_id=Portal-fx#donotallowpasswordsaving) -### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection +#### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection - **Do not allow drive redirection** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotedesktopservices?WT.mc_id=Portal-fx#donotallowdriveredirection) -### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security +#### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security - **Always prompt for password upon connection** Baseline default: *Enabled* 
@@ -1041,19 +1046,19 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Encryption Level** Baseline default: *High Level* -### Windows Components > RSS Feeds +#### Windows Components > RSS Feeds - **Prevent downloading of enclosures** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#disableenclosuredownloading) -### Windows Components > Windows Logon Options +#### Windows Components > Windows Logon Options - **Sign-in and lock last interactive user automatically after a restart** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-windowslogon?WT.mc_id=Portal-fx#allowautomaticrestartsignon) -### Windows Components > Windows PowerShell +#### Windows Components > Windows PowerShell - **Turn on PowerShell Script Block Logging** Baseline default: *Enabled* @@ -1061,7 +1066,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Log script block invocation start / stop events:** Baseline default: *False* -### Windows Components > Windows Remote Management (WinRM) > WinRM Client +#### Windows Components > Windows Remote Management (WinRM) > WinRM Client - **Allow Basic authentication** Baseline default: *Disabled* @@ -1075,7 +1080,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotemanagement?WT.mc_id=Portal-fx#disallowdigestauthentication) -### Windows Components > Windows Remote Management (WinRM) > WinRM Service +#### Windows Components > Windows Remote Management (WinRM) > WinRM Service - **Allow Basic authentication** Baseline default: *Disabled* 
@@ -1089,7 +1094,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotemanagement?WT.mc_id=Portal-fx#disallowstoringofrunascredentials) -## Auditing +### Auditing - **Account Logon Audit Credential Validation** Baseline default: *Success+ Failure* @@ -1183,13 +1188,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Success+ Failure* [Learn more](/windows/client-management/mdm/policy-csp-Audit?WT.mc_id=Portal-fx#system_auditsystemintegrity) -## Data Protection +### Data Protection - **Allow Direct Memory Access** Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-dataprotection?WT.mc_id=Portal-fx#allowdirectmemoryaccess) -## Defender +### Defender - **Allow Archive Scanning** Baseline default: *Allowed. Scans the archive files.* @@ -1304,7 +1309,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Send all samples automatically.* [Learn more](/windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-fx#submitsamplesconsent) -## Device Guard +### Device Guard - **Configure System Guard Launch** Baseline default: *Unmanaged Enables Secure Launch if supported by hardware* @@ -1322,7 +1327,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Turns on VBS with Secure Boot.* [Learn more](/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#requireplatformsecurityfeatures) -## Device Lock +### Device Lock - **Device Password Enabled** Baseline default: *Enabled* 
@@ -1338,13 +1343,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W Value: *14* [Learn more](/windows/client-management/mdm/policy-csp-devicelock?WT.mc_id=Portal-fx#mindevicepasswordlength) -## Dma Guard +### Dma Guard - **Device Enumeration Policy** Baseline default: *Block all (Most restrictive)* [Learn more](/windows/client-management/mdm/policy-csp-dmaguard?WT.mc_id=Portal-fx#deviceenumerationpolicy) -## Experience +### Experience - **Allow Windows Spotlight (User)** Baseline default: *Allow* @@ -1358,7 +1363,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-Experience?WT.mc_id=Portal-fx#allowthirdpartysuggestionsinwindowsspotlight) -## Firewall +### Firewall - **Enable Domain Network Firewall** Baseline default: *True* @@ -1455,19 +1460,19 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *False* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileallowlocalipsecpolicymerge) -## Lanman Workstation +### Lanman Workstation - **Enable Insecure Guest Logons** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-LanmanWorkstation?WT.mc_id=Portal-fx#enableinsecureguestlogons) -## Local Security Authority +### Local Security Authority - **Configure Lsa Protected Process** Baseline default: *Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked.* [Learn more](/windows/client-management/mdm/policy-csp-lsa#configurelsaprotectedprocess) -## Microsoft App Store +### Microsoft App Store - **Allow Game DVR** Baseline default: *Block* 
@@ -1481,9 +1486,9 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-ApplicationManagement?WT.mc_id=Portal-fx#msialwaysinstallwithelevatedprivileges) -## Microsoft Edge +### Microsoft Edge -### Content settings +#### Content settings - **Default Adobe Flash setting** Baseline default: *Disabled* @@ -1503,7 +1508,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Minimum TLS version enabled (User)** Baseline default: *TLS 1.2* -### SmartScreen settings +#### SmartScreen settings - **Configure Microsoft Defender SmartScreen** Baseline default: *Enabled* @@ -1511,19 +1516,19 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Prevent bypassing Microsoft Defender SmartScreen prompts for sites** Baseline default: *Enabled* -## Privacy +### Privacy - **Let Apps Activate With Voice Above Lock** Baseline default: *Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it.* [Learn more](/windows/client-management/mdm/policy-csp-Privacy?WT.mc_id=Portal-fx#letappsactivatewithvoiceabovelock) -## Search +### Search - **Allow Indexing Encrypted Stores Or Items** Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-Search?WT.mc_id=Portal-fx#allowindexingencryptedstoresoritems) -## Smart Screen +### Smart Screen - **Enable Smart Screen In Shell** Baseline default: *Enabled* @@ -1533,7 +1538,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-smartscreen?WT.mc_id=Portal-fx#preventoverrideforfilesinshell) -### Enhanced Phishing Protection +#### Enhanced Phishing Protection - **Notify Malicious** Baseline default: *Enabled* 
@@ -1547,7 +1552,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Service Enabled** Baseline default: *Enabled* -## User Rights +### User Rights - **Access From Network** Baseline default: *Configured* @@ -1659,19 +1664,19 @@ The settings in this baseline apply to Windows devices managed through Intune. W - `*S-1-5-32-544` [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#takeownership) -## Virtualization Based Technology +### Virtualization Based Technology - **Hypervisor Enforced Code Integrity** Baseline default: *(Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock.* [Learn more](/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#hypervisorenforcedcodeintegrity) -## Windows Ink Workspace +### Windows Ink Workspace - **Allow Windows Ink Workspace** Baseline default: *Ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.* [Learn more](/windows/client-management/mdm/policy-csp-WindowsInkWorkspace?WT.mc_id=Portal-fx#allowwindowsinkworkspace) -## Local Policies Security Options +### Local Policies Security Options - **Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only** Baseline default: *Enabled* @@ -1764,7 +1769,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W **Windows 365 Cloud PC security baseline November 2021**: -## Above Lock +### Above Lock - **Voice activate apps from locked screen**: Baseline default: *Disabled* 
@@ -1774,13 +1779,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067101) -## App Runtime +### App Runtime - **Microsoft accounts optional for Microsoft store apps**: Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067104) -## Application management +### Application management - **Block app installations with elevated privileges**: Baseline default: *Yes* @@ -1794,7 +1799,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067056) -## Attack Surface Reduction Rules +### Attack Surface Reduction Rules For general information, see [Learn about attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide&preserve-view=true). @@ -1846,7 +1851,7 @@ For general information, see [Learn about attack surface reduction rules](/micro Baseline default: *Block* [Learn more](https://go.microsoft.com/fwlink/?linkid=872980) -## Audit +### Audit Audit settings configure the events that are generated for the conditions of the setting. @@ -1922,7 +1927,7 @@ Audit settings configure the events that are generated for the conditions of the - **System Audit System Integrity (Device)**: Baseline default: *Success and Failure* -## Auto Play +### Auto Play - **Auto play default auto run behavior**: Baseline default: *Do not execute* @@ -1936,7 +1941,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067106) -## Browser +### Browser - **Block Password Manager**: Baseline default: *Yes* 
@@ -1958,7 +1963,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067126) -## Connectivity +### Connectivity - **Configure secure access to UNC paths**: Baseline default: *Configure Windows to only allow access to the specified UNC paths after fulfilling additional security requirements* @@ -1975,19 +1980,19 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067136) -## Credentials Delegation +### Credentials Delegation - **Remote host delegation of non-exportable credentials**: Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067103) -## Credentials UI +### Credentials UI - **Enumerate administrators**: Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067021) -## Device Guard +### Device Guard - **Virtualization based security**: Baseline default: *Enable VBS with secure boot* @@ -2003,7 +2008,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enable with UEFI lock* [Learn more](https://go.microsoft.com/fwlink/?linkid=872424) -## Device Installation +### Device Installation - **Block hardware device installation by setup classes** Baseline default: *Yes* @@ -2013,12 +2018,12 @@ Audit settings configure the events that are generated for the conditions of the - **Block list** *Not configured by default. Manually add one or more Identifiers.* -## DMA Guard +### DMA Guard - **Enumeration of external devices incompatible with Kernel DMA Protection** Baseline default: *Block all* -## Event Log Service +### Event Log Service - **Application log maximum file size in KB** Baseline default: *32768* 
@@ -2032,13 +2037,13 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *196608* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067042) -## Experience +### Experience - **Block Windows Spotlight** Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067037) -## File Explorer +### File Explorer - **Block data execution prevention** Baseline default: *Disabled* @@ -2048,7 +2053,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067107) -## Firewall +### Firewall For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlink/?linkid=2066796) in the Windows Protocols documentation. @@ -2120,7 +2125,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=872567) -## Internet Explorer +### Internet Explorer View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/policy-csp-internetexplorer). @@ -2596,7 +2601,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067122) -## Local Policies Security Options +### Local Policies Security Options - **Block remote logon with blank password** Baseline default: *Yes* @@ -2682,7 +2687,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067321) -## Microsoft Defender +### Microsoft Defender - **Turn on real-time protection** Baseline default: *Yes* 
@@ -2730,7 +2735,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2113937) -## Microsoft Defender Antivirus Exclusions +### Microsoft Defender Antivirus Exclusions > [!WARNING] > **Defining exclusions lowers the protection offered by Microsoft Defender Antivirus**. Always evaluate the risks that are associated with implementing exclusions. Only exclude files you know aren't malicious. @@ -2746,7 +2751,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po - **Defender Files And Folders To Exclude** Baseline default: *Not configured by default. Manually add one or more entries.* -## Microsoft Edge +### Microsoft Edge - **Control which extensions cannot be installed** Baseline default: *Enabled* @@ -2796,7 +2801,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po - **Supported authentication schemes** Baseline defaults: Two items: *NTLM* and *Negotiate* -## MS Security Guide +### MS Security Guide - **SMB v1 client driver start configuration** Baseline default: *Disable driver* @@ -2818,7 +2823,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067193) -## MSS Legacy +### MSS Legacy - **Network IPv6 source routing protection level** Baseline default: *Highest protection* 
@@ -2836,13 +2841,13 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067326) -## Remote Assistance +### Remote Assistance - **Remote Assistance solicited** Baseline default: *Disable Remote Assistance* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067198) -## Remote Desktop Services +### Remote Desktop Services - **Remote desktop services client connection encryption level** Baseline default: *High* @@ -2863,7 +2868,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067248) -## Remote Management +### Remote Management - **Block client digest authentication** Baseline default: *Enabled* @@ -2889,19 +2894,19 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067226) -## Remote Procedure Call +### Remote Procedure Call - **RPC unauthenticated client options** Baseline default: *Authenticated* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067225) -## Search +### Search - **Disable indexing encrypted items** Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067303) -## Smart Screen +### Smart Screen - **Turn on Windows SmartScreen** Baseline default: *Yes* 
@@ -2911,31 +2916,31 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=872783) -## System +### System - **System boot start driver initialization** Baseline default: *Good unknown and bad critical* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067307) -## Windows Connection Manager +### Windows Connection Manager - **Block connection to non-domain networks** Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067323) -## Windows Ink Workspace +### Windows Ink Workspace - **Ink Workspace** Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067241) -## Windows PowerShell +### Windows PowerShell - **PowerShell script block logging** Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067330) -## Windows Security +### Windows Security - **Enable tamper protection to prevent Microsoft Defender being disabled** Baseline default: *Enable* From 1e0d58406b57e8ef890c8dce48e99ed61d56650c Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 9 Jan 2025 15:10:12 -0800 Subject: [PATCH 232/237] Update M365 Apps security baselines --- .../security-baseline-v2-office-settings.md | 115 +++++++++--------- 1 file changed, 56 insertions(+), 59 deletions(-) diff --git a/memdocs/intune/protect/security-baseline-v2-office-settings.md b/memdocs/intune/protect/security-baseline-v2-office-settings.md index 2417c6ae4e1..0de8c6d843e 100644 --- a/memdocs/intune/protect/security-baseline-v2-office-settings.md +++ b/memdocs/intune/protect/security-baseline-v2-office-settings.md @@ -7,7 +7,7 @@ description: View a list of the settings in the Microsoft Intune security baseli author: brenduns ms.author: brenduns manager: dougeby -ms.date: 09/13/2024 +ms.date: 01/09/2025 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect 
@@ -52,27 +52,26 @@ This article is a reference for the settings that are available in the Microsoft ## About this reference article -Each security baseline is a group of preconfigured settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration profiles. +Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings. -The details that are displayed in this article are based on baseline version that is selected at the top of the article. For each selection, this article displays: +The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays: -- A list of each setting in that baseline version. -- The default configuration of each setting in that baseline version. -- When available, a link to the underlying configuration service provider (CSP) documentation, or other related content from the relevant product group that provides context and possibly additional details for the settings use. +- A list of each and its configuration as found in the default instance of that baseline version. +- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. 
When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: - Become read-only. You can continue to use those profiles but can't edit them to change their configuration. -- Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings. +- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings. To learn more about using security baselines, see: - - [Use security baselines](../protect/security-baselines.md) -- [Manage security baselines](../protect/security-baselines-configure.md). +- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) +- [Manage security baselines](../protect/security-baselines-configure.md) ::: zone pivot="office-may-2023" -**Microsoft 365 Apps for Enterprise security baseline for May 2023** +## Microsoft 365 Apps for Enterprise security baseline for May 2023 This baseline version was first made available in May of 2023. It was replaced by the Baseline *Version 2306* @@ -81,7 +80,7 @@ For more information about the following settings that are included in this base ::: zone-end ::: zone pivot="v2306" -**Microsoft 365 Apps for Enterprise for security baseline version 2306** +## Microsoft 365 Apps for Enterprise for security baseline version 2306 This baseline version was first made available in November 2023, and replaces the *May 2023* version. @@ -90,9 +89,9 @@ For more information about the following settings that are included in this base ::: zone-end ::: zone pivot="office-may-2023,v2306" -## Administrative Templates +### Administrative Templates -*MS Security Guide* +### MS Security Guide - **Block Flash activation in Office documents** Baseline default: *Enabled* 
@@ -130,11 +129,9 @@ For more information about the following settings that are included in this base - **Word: (Device)** Baseline default: *69632* +### Microsoft Access 2016 - -## Microsoft Access 2016 - -*Application Settings > Security > Trust Center* +#### Application Settings > Security > Trust Center - **Block macros from running in Office files from the Internet (User)** Baseline default: *Enabled* @@ -156,29 +153,29 @@ For more information about the following settings that are included in this base Baseline default: *Enabled* - Baseline default: *Disable all with notification* -*Application Settings > Security > Trust Center > Trusted Locations* +#### Application Settings > Security > Trust Center > Trusted Locations - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* ### Microsoft Excel 2016 -*Data Recovery* +#### Data Recovery - **Do not show data extraction options when opening corrupt workbooks (User)** Baseline default: *Enabled* -*Excel Options > Advanced* +#### Excel Options > Advanced - **Ask to update automatic links (User)** Baseline default: *Enabled* -*Excel Options > Advanced > General* +#### Excel Options > Advanced > General - **Load pictures from Web pages not created in Excel (User)** Baseline default: *Disabled* -*Excel Options > Save* +#### Excel Options > Save - **Disable AutoRepublish (User)** Baseline default: *Enabled* @@ -186,7 +183,7 @@ For more information about the following settings that are included in this base - **Do not show AutoRepublish warning alert (User)** Baseline default: *Disabled* -*Excel Options > Security* +#### Excel Options > Security - **Force file extension to match file type (User)** Baseline default: *Enabled* 
@@ -203,7 +200,7 @@ For more information about the following settings that are included in this base Baseline default: *Enabled* - Baseline default: *Disable all with notification* -*Excel Options > Security > Trust Center* +#### Excel Options > Security > Trust Center ::: zone-end ::: zone pivot="v2306" @@ -239,7 +236,7 @@ For more information about the following settings that are included in this base Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -*Excel Options > Security > Trust Center > External Content* +#### Excel Options > Security > Trust Center > External Content - **Always prevent untrusted Microsoft Query files from opening (User)** Baseline default: *Enabled* @@ -257,7 +254,7 @@ For more information about the following settings that are included in this base ::: zone-end ::: zone pivot="office-may-2023,v2306" -*Excel Options > Security > Trust Center > File Block Settings* +#### Excel Options > Security > Trust Center > File Block Settings - **dBase III / IV files (User)** Baseline default: *Enabled* @@ -328,7 +325,7 @@ For more information about the following settings that are included in this base - **File block setting: (User)** Baseline default: *Open/Save blocked, use open policy* -*Excel Options > Security > Trust Center > Protected View* +#### Excel Options > Security > Trust Center > Protected View - **Always open untrusted database files in Protected View (User)** Baseline default: *Enabled* 
@@ -348,12 +345,12 @@ For more information about the following settings that are included in this base - **Turn off Protected View for attachments opened from Outlook (User)** Baseline default: *Disabled* -*Excel Options > Security > Trust Center > Trusted Locations* +#### Excel Options > Security > Trust Center > Trusted Locations - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* -## Microsoft Lync Feature Policies +### Microsoft Lync Feature Policies - **Configure SIP security mode** Baseline default: *Enabled* @@ -361,9 +358,9 @@ For more information about the following settings that are included in this base - **Disable HTTP fallback for SIP connection** Baseline default: *Enabled* -## Microsoft Office 2016 +### Microsoft Office 2016 -*Customize* +#### Customize - **Disable UI extending from documents and templates (User)** Baseline default: *Enabled* @@ -395,7 +392,7 @@ For more information about the following settings that are included in this base - **Disallow in Visio (User)** Baseline default: *True* -*Security Settings* +#### Security Settings - **ActiveX Control Initialization (User)** Baseline default: *Enabled* 
@@ -467,24 +464,24 @@ For more information about the following settings that are included in this base - **Protect document metadata for rights managed Office Open XML Files (User)** Baseline default: *Enabled* -*Security Settings > Trust Center* +#### Security Settings > Trust Center - **Allow mix of policy and user locations (User)** Baseline default: *Disabled* -*Server Settings* +#### Server Settings - **Disable the Office client from polling the SharePoint Server for published links (User)** Baseline default: *Enabled* -*Smart Documents (Word, Excel)* +#### Smart Documents (Word, Excel) - **Disable Smart Document's use of manifests (User)** Baseline default: *Enabled* -## Microsoft Office 2016 (Machine) +### Microsoft Office 2016 (Machine) -*Security Settings > IE Security* +#### Security Settings > IE Security - **Add-on Management** Baseline default: *Enabled* @@ -1071,9 +1068,9 @@ For more information about the following settings that are included in this base - **spDesign.exe (Device)** Baseline default: *True* -## Microsoft Outlook 2016 +### Microsoft Outlook 2016 -*Security > Security Form Settings* +#### Security > Security Form Settings The "Outlook Security Mode" policy controls how security settings in Outlook are enforced. To manage any of the dependent Outlook security policies using Microsoft Intune, Office cloud policy service, or Group policy this policy must be enabled and the Outlook Security Policy dropdown set to "Use Outlook Security Group Policy". @@ -1195,9 +1192,9 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Guard behavior: (User) Baseline default: *Automatically Deny* -## Microsoft PowerPoint 2016 +### Microsoft PowerPoint 2016 -*PowerPoint Options > Security* +#### PowerPoint Options > Security ::: zone-end ::: zone pivot="v2306" 
@@ -1224,7 +1221,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Turn off file validation (User)** Baseline default: *Disabled* -*PowerPoint Options > Security > Trust Center* +#### PowerPoint Options > Security > Trust Center - **Block macros from running in Office files from the Internet (User**) Baseline default: *Enabled* @@ -1248,7 +1245,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -*PowerPoint Options > Security > Trust Center > File Block Settings* +#### PowerPoint Options > Security > Trust Center > File Block Settings - **PowerPoint 97-2003 presentations, shows, templates and add-in files (User)** Baseline default: *Enabled* @@ -1259,7 +1256,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are Baseline default: *Enabled* - Baseline default: *Blocked files are not opened* -*PowerPoint Options > Security > Trust Center > Protected View* +#### PowerPoint Options > Security > Trust Center > Protected View - **Do not open files from the Internet zone in Protected View (User)** Baseline default: *Disabled* @@ -1277,14 +1274,14 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Turn off Protected View for attachments opened from Outlook (User)** Baseline default: *Disabled* -*PowerPoint Options > Security > Trust Center > Trusted Locations* +#### PowerPoint Options > Security > Trust Center > Trusted Locations - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* -## Microsoft Project 2016 +### Microsoft Project 2016 -*Project Options > Security > Trust Center* +#### Project Options > Security > Trust Center - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* 
@@ -1308,15 +1305,15 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -## Microsoft Publisher 2016 +### Microsoft Publisher 2016 -*Security* +#### Security - **Publisher Automation Security Level (User)** Baseline default: *Enabled* - Baseline default: *By UI (prompted)* -*Security > Trust Center* +#### Security > Trust Center ::: zone-end ::: zone pivot="v2306" @@ -1341,9 +1338,9 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -## Microsoft Visio 2016 +### Microsoft Visio 2016 -*Visio Options > Security > Trust Center* +#### Visio Options > Security > Trust Center - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* @@ -1370,7 +1367,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -*Visio Options > Security > Trust Center > File Block Settings* +#### Visio Options > Security > Trust Center > File Block Settings - **Visio 2000-2002 Binary Drawings, Templates and Stencils (User)** Baseline default: *Enabled* @@ -1387,9 +1384,9 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **File block setting: (User)** Baseline default: *Open/Save blocked* -## Microsoft Word 2016 +### Microsoft Word 2016 -*Word Options > Security > Trust Center* +#### Word Options > Security > Trust Center - **Block macros from running in Office files from the Internet (User)** Baseline default: *Enabled* 
@@ -1420,7 +1417,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -*Word Options > Security > Trust Center > File Block Settings* +#### Word Options > Security > Trust Center > File Block Settings - **Set default file block behavior (User)** Baseline default: *Enabled* @@ -1466,7 +1463,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **File block setting: (User)** Baseline default: *Open/Save blocked, use open policy* -*Word Options > Security > Trust Center > Protected View* +#### Word Options > Security > Trust Center > Protected View - **Do not open files from the Internet zone in Protected View (User)** Baseline default: *Disabled* @@ -1485,12 +1482,12 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Turn off Protected View for attachments opened from Outlook (User)** Baseline default: *Disabled* -*Word Options > Security* +#### Word Options > Security - **Turn off file validation (User)** Baseline default: *Disabled* -*Word Options > Security > Trust Center > Trusted Locations* +#### Word Options > Security > Trust Center > Trusted Locations - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* From 9929f8d2f4563c9ee06af2609855c3f95e802be8 Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 9 Jan 2025 15:29:27 -0800 Subject: [PATCH 233/237] Minor formatting fix --- .../intune/protect/security-baseline-settings-windows-365.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/protect/security-baseline-settings-windows-365.md b/memdocs/intune/protect/security-baseline-settings-windows-365.md index bf680f38419..b4148c2b53a 100644 --- a/memdocs/intune/protect/security-baseline-settings-windows-365.md +++ b/memdocs/intune/protect/security-baseline-settings-windows-365.md 
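Review bot: In PATCH 232/237, hunk "@@ -90,9 +89,9 @@" of security-baseline-v2-office-settings.md, "### Administrative Templates" is followed directly by "### MS Security Guide" at the same level, so the first heading has no content of its own and MS Security Guide is no longer nested under it. Every other label that was italic in this file becomes a level-4 heading in this patch ("#### Application Settings > Security > Trust Center", "#### Data Recovery"), so "#### MS Security Guide" would keep the hierarchy consistent. Alternatively, drop the now-empty "Administrative Templates" heading.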
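Review bot: In PATCH 232/237, hunk "@@ -52,27 +52,26 @@" of security-baseline-v2-office-settings.md, the added bullet "A list of each and its configuration as found in the default instance of that baseline version." is missing its noun ("each setting"), and the rewritten opening sentence now describes the Microsoft 365 Apps baseline as "a group of preconfigured Windows settings". Suggest restoring "setting" in this commit rather than in the later "minor fix" commit, dropping "Windows" for this Office article, and writing "a setting's use" in the last added bullet.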
@@ -1767,7 +1767,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W ::: zone pivot="win365-nov21" -**Windows 365 Cloud PC security baseline November 2021**: +## Windows 365 Cloud PC security baseline November 2021 ### Above Lock From d3ee2c712f90398abc92c956a5e928b73a438199 Mon Sep 17 00:00:00 2001 From: brenduns Date: Fri, 10 Jan 2025 08:31:03 -0800 Subject: [PATCH 234/237] minor fix --- .../intune/protect/security-baseline-settings-defender.md | 4 +--- memdocs/intune/protect/security-baseline-settings-edge.md | 2 +- .../intune/protect/security-baseline-settings-mdm-all.md | 2 +- .../protect/security-baseline-settings-windows-365.md | 2 +- .../intune/protect/security-baseline-v2-edge-settings.md | 7 +++---- .../intune/protect/security-baseline-v2-office-settings.md | 2 +- 6 files changed, 8 insertions(+), 11 deletions(-) diff --git a/memdocs/intune/protect/security-baseline-settings-defender.md b/memdocs/intune/protect/security-baseline-settings-defender.md index 848f5150feb..4384b50f9b4 100644 --- a/memdocs/intune/protect/security-baseline-settings-defender.md +++ b/memdocs/intune/protect/security-baseline-settings-defender.md 
@@ -49,7 +49,7 @@ Each security baseline is a group of preconfigured Windows settings that help yo The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays: -- A list of each setting and its configuration as found in the default instance of that baseline version. +- A list of each setting with its configuration as found in the default instance of that baseline version. - When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: @@ -57,8 +57,6 @@ When a new version of a baseline becomes available, it replaces the previous ver - Become read-only. You can continue to use those profiles but can't edit them to change their configuration. - Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings. -This article is a reference for the settings that are available in the different versions of the Microsoft Defender for Endpoint security baseline that you can deploy with Microsoft Intune. Use the tabs to select and view the settings in the most recent baseline version and a few older versions that might still be in use. - To learn more about using security baselines, see: - [Use security baselines](../protect/security-baselines.md) - [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) diff --git a/memdocs/intune/protect/security-baseline-settings-edge.md b/memdocs/intune/protect/security-baseline-settings-edge.md index 2376a40c8f6..0c37a57bcbf 100644 
--- a/memdocs/intune/protect/security-baseline-settings-edge.md +++ b/memdocs/intune/protect/security-baseline-settings-edge.md @@ -42,7 +42,7 @@ Each security baseline is a group of preconfigured Windows settings that help yo The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays: -- A list of each and its configuration as found in the default instance of that baseline version. +- A list of each setting with its configuration as found in the default instance of that baseline version. - When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: diff --git a/memdocs/intune/protect/security-baseline-settings-mdm-all.md b/memdocs/intune/protect/security-baseline-settings-mdm-all.md index 90e7e495b0d..4ec759002c4 100644 --- a/memdocs/intune/protect/security-baseline-settings-mdm-all.md +++ b/memdocs/intune/protect/security-baseline-settings-mdm-all.md 
@@ -39,7 +39,7 @@ Each security baseline is a group of preconfigured Windows settings that help yo The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays: -- A list of each and its configuration as found in the default instance of that baseline version. +- A list of each setting with its configuration as found in the default instance of that baseline version. - When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: diff --git a/memdocs/intune/protect/security-baseline-settings-windows-365.md b/memdocs/intune/protect/security-baseline-settings-windows-365.md index b4148c2b53a..393de6a40de 100644 --- a/memdocs/intune/protect/security-baseline-settings-windows-365.md +++ b/memdocs/intune/protect/security-baseline-settings-windows-365.md 
@@ -45,7 +45,7 @@ Each security baseline is a group of preconfigured Windows settings that help yo The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays: -- A list of each and its configuration as found in the default instance of that baseline version. +- A list of each setting with its configuration as found in the default instance of that baseline version. - When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: diff --git a/memdocs/intune/protect/security-baseline-v2-edge-settings.md b/memdocs/intune/protect/security-baseline-v2-edge-settings.md index f61d7cb1fd1..68b40b7fb12 100644 --- a/memdocs/intune/protect/security-baseline-v2-edge-settings.md +++ b/memdocs/intune/protect/security-baseline-v2-edge-settings.md 
@@ -55,13 +55,12 @@ If you use a security baseline for Microsoft Edge version 85 or earlier, see [Li ## About this reference article -Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration profiles. +Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings. The details that are displayed in this article are based on baseline version that is selected at the top of the article. For each selection, this article displays: -- A list of each setting in that baseline version. -- The default configuration of each setting in that baseline version. -- When available, a link to the underlying configuration service provider (CSP) documentation, or other related content from the relevant product group that provides context and possibly additional details for the settings use. +- A list of each setting with its configuration as found in the default instance of that baseline version. +- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: 
diff --git a/memdocs/intune/protect/security-baseline-v2-office-settings.md b/memdocs/intune/protect/security-baseline-v2-office-settings.md index 0de8c6d843e..cd4395a10a8 100644 --- a/memdocs/intune/protect/security-baseline-v2-office-settings.md +++ b/memdocs/intune/protect/security-baseline-v2-office-settings.md @@ -56,7 +56,7 @@ Each security baseline is a group of preconfigured Windows settings that help yo The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays: -- A list of each and its configuration as found in the default instance of that baseline version. +- A list of each setting with its configuration as found in the default instance of that baseline version. - When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: From ca2bfddf74f8c5ffdeaa3d4b5ed7a9f3378e0bb9 Mon Sep 17 00:00:00 2001 From: brenduns Date: Fri, 10 Jan 2025 08:34:44 -0800 Subject: [PATCH 235/237] Title fix --- memdocs/intune/protect/security-baseline-settings-mdm-all.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/protect/security-baseline-settings-mdm-all.md b/memdocs/intune/protect/security-baseline-settings-mdm-all.md index 4ec759002c4..35c9e714f77 100644 --- a/memdocs/intune/protect/security-baseline-settings-mdm-all.md +++ b/memdocs/intune/protect/security-baseline-settings-mdm-all.md 
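Review bot: In PATCH 234/237, hunk "@@ -55,13 +55,12 @@" of security-baseline-v2-edge-settings.md, the two bullets are brought in line with the other baseline articles but the sentence introducing them is left as "The details that are displayed in this article are based on baseline version that is selected at the top of the article. For each selection, this article displays:", while the other five files touched by this patch read "The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays:". Suggest updating that sentence in the same hunk so the boilerplate is identical across articles, and correcting "a settings use" to "a setting's use" in the added bullet, since that line is new here.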
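Review bot: In PATCH 234/237, hunk "@@ -57,8 +57,6 @@" of security-baseline-settings-defender.md, a whole paragraph is deleted ("This article is a reference for the settings that are available in the different versions of the Microsoft Defender for Endpoint security baseline that you can deploy with Microsoft Intune. Use the tabs to select and view the settings ...") under the subject "minor fix", with no reason given. If the paragraph duplicates the article's opening text, say so in the commit message. If it does not, the pointer to the version tabs is lost and the sentence should stay.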
@@ -29,7 +29,7 @@ ms.collection: zone_pivot_groups: windows-mdm-versions --- -# Windows MDM security baseline settings reference for Microsoft Intunein Intune +# Windows MDM security baseline settings reference for Microsoft Intune This article is a reference for the settings that are available in the Windows Mobile Device Management (MDM) security baseline for Microsoft Intune. From cc34b25494c060e7a28c1cdadd80ac660546e690 Mon Sep 17 00:00:00 2001 From: brenduns Date: Fri, 10 Jan 2025 08:47:20 -0800 Subject: [PATCH 236/237] edits --- memdocs/intune/protect/security-baseline-settings-mdm-all.md | 1 + memdocs/intune/protect/security-baseline-v2-edge-settings.md | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/memdocs/intune/protect/security-baseline-settings-mdm-all.md b/memdocs/intune/protect/security-baseline-settings-mdm-all.md index 35c9e714f77..fd9899df65d 100644 --- a/memdocs/intune/protect/security-baseline-settings-mdm-all.md +++ b/memdocs/intune/protect/security-baseline-settings-mdm-all.md @@ -48,6 +48,7 @@ When a new version of a baseline becomes available, it replaces the previous ver - Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings. To learn more about using security baselines, see: + - [Use security baselines](../protect/security-baselines.md) - [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) - [Manage security baselines](../protect/security-baselines-configure.md) diff --git a/memdocs/intune/protect/security-baseline-v2-edge-settings.md b/memdocs/intune/protect/security-baseline-v2-edge-settings.md index 68b40b7fb12..5923a86a186 100644 --- a/memdocs/intune/protect/security-baseline-v2-edge-settings.md +++ b/memdocs/intune/protect/security-baseline-v2-edge-settings.md 
@@ -73,7 +73,9 @@ When a new version of a baseline becomes available, it replaces the previous ver To learn more about using security baselines, see: - [Use security baselines](../protect/security-baselines.md) -- [Manage security baselines](../protect/security-baselines-configure.md). +- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) +- [Manage security baselines](../protect/security-baselines-configure.md) + ## Microsoft Edge From 5a56cd8f3db6aa0b7b6c9e79279036e6a056f252 Mon Sep 17 00:00:00 2001 From: brenduns Date: Fri, 10 Jan 2025 08:51:22 -0800 Subject: [PATCH 237/237] edits --- .../security-baseline-v2-edge-settings.md | 29 +++++++++---------- 1 file changed, 13 insertions(+), 16 deletions(-) diff --git a/memdocs/intune/protect/security-baseline-v2-edge-settings.md b/memdocs/intune/protect/security-baseline-v2-edge-settings.md index 5923a86a186..3e3f94367fe 100644 --- a/memdocs/intune/protect/security-baseline-v2-edge-settings.md +++ b/memdocs/intune/protect/security-baseline-v2-edge-settings.md @@ -76,12 +76,9 @@ To learn more about using security baselines, see: - [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) - [Manage security baselines](../protect/security-baselines-configure.md) - -## Microsoft Edge - ::: zone pivot="edge-v117" -**Microsoft Edge baseline for November 2023 (Edge version 117)** +## Microsoft Edge baseline for November 2023 (Edge version 117) For information about the most recent baseline versions and settings from Microsoft, including versions of this baseline that might not be available through Intune, download the [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) from the Microsoft Download Center. 
@@ -112,7 +109,7 @@ For information about the most recent baseline versions and settings from Micros - **Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context** Baseline default: *Disabled* -**Extensions**: +### Extensions - **Control which extensions cannot be installed** Baseline default: *Enabled* @@ -120,7 +117,7 @@ For information about the most recent baseline versions and settings from Micros - **Extension IDs the user should be prevented from installing (or * for all) (Device)** Baseline default: *\** -**HTTP authentication**: +### HTTP authentication - **Allow Basic authentication for HTTP** Baseline default: *Disabled* @@ -129,17 +126,17 @@ For information about the most recent baseline versions and settings from Micros Baseline default: *Enabled* [Learn more](/deployedge/microsoft-edge-policies#authschemes) -**Native Messaging**: +### Native Messaging - **Allow user-level native messaging hosts (installed without admin permissions)** Baseline default: *Disabled* -**Private Network Request Settings**: +### Private Network Request Settings - **Specifies whether to allow insecure websites to make requests to more-private network endpoints** Baseline default: *Disabled* -**SmartScreen settings**: +### SmartScreen settings - **Configure Microsoft Defender SmartScreen** Baseline default: *Enabled* @@ -162,7 +159,7 @@ For information about the most recent baseline versions and settings from Micros ::: zone-end ::: zone pivot="edge-v112" -**Microsoft Edge baseline for May 2023 (Edge version 112)** +## Microsoft Edge baseline for May 2023 (Edge version 112) For information about the most recent baseline versions and settings from Microsoft, including versions of this baseline that might not be available through Intune, download the [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) from the Microsoft Download Center. 
@@ -196,7 +193,7 @@ For information about the most recent baseline versions and settings from Micros - **Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context** Baseline default: *Disabled* -**Extensions**: +### Extensions - **Control which extensions cannot be installed** Baseline default: *Enabled* @@ -204,7 +201,7 @@ For information about the most recent baseline versions and settings from Micros - **Extension IDs the user should be prevented from installing (or * for all) (Device)** Baseline default: *\** -**HTTP authentication**: +### HTTP authentication - **Allow Basic authentication for HTTP** Baseline default: *Disabled* @@ -216,23 +213,23 @@ For information about the most recent baseline versions and settings from Micros - **Supported authentication schemes (Device)** Baseline default: *ntlm,negotiate* -**Native Messaging**: +### Native Messaging - **Allow user-level native messaging hosts (installed without admin permissions)** Baseline default: *Disabled* -**Password manager and protection**: +### Password manager and protection - **Enable saving passwords to the password manager** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) -**Private Network Request Settings**: +### Private Network Request Settings - **Specifies whether to allow insecure websites to make requests to more-private network endpoints** Baseline default: *Disabled* -**SmartScreen settings**: +### SmartScreen settings - **Configure Microsoft Defender SmartScreen** Baseline default: *Enabled*
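Review bot: In the hunk at `-55,13 +55,12` (the "About this reference article" section), the added second bullet ends with "additional details for a settings use", which needs the possessive: "a setting's use". The unchanged sentence just above the list, "based on baseline version that is selected", is also missing "the" before "baseline version" and could be fixed in the same change since the paragraph is already being edited.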
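Review bot: In the `security-baseline-v2-office-settings.md` hunk at `-56,7 +56,7`, the fix restores the missing word "setting" in the first bullet but leaves the neighbouring context lines with the same class of error: "based on baseline version you select" lacks "the", and the next bullet still reads "a settings use" instead of "a setting's use". Suggest correcting both in this commit so the paragraph matches across the baseline reference articles.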
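Review bot: In PATCH 236, the `security-baseline-v2-edge-settings.md` hunk at `-73,7 +73,9` adds a link labelled "Change the baseline version for a profile" whose anchor is `#update-baselines-that-use-the-previous-format`, and this file is a v2 baseline article. Please confirm that the previous-format section is the intended target for readers of this page, or point the link at the section that covers the current format. The hunk also adds a second blank line before `## Microsoft Edge`; one is enough.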
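Review bot: In PATCH 237, promoting the bold labels to headings means `### Extensions`, `### HTTP authentication`, `### Native Messaging`, `### Private Network Request Settings` and `### SmartScreen settings` now appear with identical text in both the `edge-v117` and `edge-v112` zone pivots, and the shared `## Microsoft Edge` heading is removed in the first hunk. Please check the rendered page for duplicate heading anchors across pivots and confirm that nothing links to the anchor of the removed `## Microsoft Edge` heading. The commit subject "edits" also does not say that this is a heading restructure; a more descriptive subject would help anyone tracing the change later.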