diff --git a/404.html b/404.html index fa3c951869..807c1686c6 100644 --- a/404.html +++ b/404.html @@ -12,7 +12,7 @@ - + @@ -20,7 +20,7 @@ - + @@ -162,7 +162,7 @@
- +
GitHub @@ -207,7 +207,7 @@
- +
GitHub diff --git a/Admin/Clear-MailboxPermission/index.html b/Admin/Clear-MailboxPermission/index.html index 609951db79..9ea5ca57e7 100644 --- a/Admin/Clear-MailboxPermission/index.html +++ b/Admin/Clear-MailboxPermission/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Admin/CrossTenantMailboxMigrationValidation/index.html b/Admin/CrossTenantMailboxMigrationValidation/index.html index f1919c85ca..a6ffafb6e1 100644 --- a/Admin/CrossTenantMailboxMigrationValidation/index.html +++ b/Admin/CrossTenantMailboxMigrationValidation/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Admin/Find-AmbiguousSids/index.html b/Admin/Find-AmbiguousSids/index.html index 1d3a2b7235..156e4cc0c4 100644 --- a/Admin/Find-AmbiguousSids/index.html +++ b/Admin/Find-AmbiguousSids/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Admin/Get-EASMailboxLogs/index.html b/Admin/Get-EASMailboxLogs/index.html index ade09aff2c..71058f3c8a 100644 --- a/Admin/Get-EASMailboxLogs/index.html +++ b/Admin/Get-EASMailboxLogs/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Admin/Get-SimpleAuditLogReport/index.html b/Admin/Get-SimpleAuditLogReport/index.html index aa4536a813..72d59e6398 100644 --- a/Admin/Get-SimpleAuditLogReport/index.html +++ b/Admin/Get-SimpleAuditLogReport/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Admin/MonitorExchangeAuthCertificate/index.html b/Admin/MonitorExchangeAuthCertificate/index.html index a21129638b..c742e7c776 100644 --- a/Admin/MonitorExchangeAuthCertificate/index.html +++ b/Admin/MonitorExchangeAuthCertificate/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Admin/Remove-CertExpiryNotifications/index.html b/Admin/Remove-CertExpiryNotifications/index.html index 523540b087..60928f0c8f 100644 --- a/Admin/Remove-CertExpiryNotifications/index.html +++ b/Admin/Remove-CertExpiryNotifications/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Admin/Reset-ScanEngineVersion/index.html b/Admin/Reset-ScanEngineVersion/index.html index b2cd1e7c90..593673b6e7 100644 --- a/Admin/Reset-ScanEngineVersion/index.html +++ b/Admin/Reset-ScanEngineVersion/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Admin/SetUnifiedContentPath/index.html b/Admin/SetUnifiedContentPath/index.html index 48bfc09b31..35ce3ec996 100644 --- a/Admin/SetUnifiedContentPath/index.html +++ b/Admin/SetUnifiedContentPath/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Admin/Test-AMSI/index.html b/Admin/Test-AMSI/index.html index 7c114e20f4..d4ec2968bd 100644 --- a/Admin/Test-AMSI/index.html +++ b/Admin/Test-AMSI/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Admin/Test-ExchangePropertyPermissions/index.html b/Admin/Test-ExchangePropertyPermissions/index.html index f36ba8587a..98a92c6b79 100644 --- a/Admin/Test-ExchangePropertyPermissions/index.html +++ b/Admin/Test-ExchangePropertyPermissions/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Admin/Update-Engines/index.html b/Admin/Update-Engines/index.html index bd19d85676..6b27187c1c 100644 --- a/Admin/Update-Engines/index.html +++ b/Admin/Update-Engines/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Calendar/Check-SharingStatus/index.html b/Calendar/Check-SharingStatus/index.html index 7dd1d28036..adfbac8894 100644 --- a/Calendar/Check-SharingStatus/index.html +++ b/Calendar/Check-SharingStatus/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Calendar/Get-CalendarDiagnosticObjectsSummary/index.html b/Calendar/Get-CalendarDiagnosticObjectsSummary/index.html index eebc103550..3f685e4495 100644 --- a/Calendar/Get-CalendarDiagnosticObjectsSummary/index.html +++ b/Calendar/Get-CalendarDiagnosticObjectsSummary/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Calendar/Get-RBASummary/index.html b/Calendar/Get-RBASummary/index.html index 785e9fbc13..9635a2a775 100644 --- a/Calendar/Get-RBASummary/index.html +++ b/Calendar/Get-RBASummary/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Databases/Analyze-SpaceDump/index.html b/Databases/Analyze-SpaceDump/index.html index 55d4038893..7ac25c5d03 100644 --- a/Databases/Analyze-SpaceDump/index.html +++ b/Databases/Analyze-SpaceDump/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Databases/Compare-MailboxStatistics/index.html b/Databases/Compare-MailboxStatistics/index.html index 326b417a39..bc4b97933b 100644 --- a/Databases/Compare-MailboxStatistics/index.html +++ b/Databases/Compare-MailboxStatistics/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Databases/VSSTester/index.html b/Databases/VSSTester/index.html index c2103179cc..20ddea3ff1 100644 --- a/Databases/VSSTester/index.html +++ b/Databases/VSSTester/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/ExTRA/index.html b/Diagnostics/ExTRA/index.html index c8e395e756..90c5ab64ed 100644 --- a/Diagnostics/ExTRA/index.html +++ b/Diagnostics/ExTRA/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/ExchangeLogCollector/index.html b/Diagnostics/ExchangeLogCollector/index.html index 93d2c5069d..198b6812a3 100644 --- a/Diagnostics/ExchangeLogCollector/index.html +++ b/Diagnostics/ExchangeLogCollector/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/FindFrontEndActivity/FindFrontEndActivity/index.html b/Diagnostics/FindFrontEndActivity/FindFrontEndActivity/index.html index 130b45f554..e8bc74b74e 100644 --- a/Diagnostics/FindFrontEndActivity/FindFrontEndActivity/index.html +++ b/Diagnostics/FindFrontEndActivity/FindFrontEndActivity/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/ADSiteCount/index.html b/Diagnostics/HealthChecker/ADSiteCount/index.html index 75aeb03d02..b16c08a44d 100644 --- a/Diagnostics/HealthChecker/ADSiteCount/index.html +++ b/Diagnostics/HealthChecker/ADSiteCount/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/AMSIIntegration/index.html b/Diagnostics/HealthChecker/AMSIIntegration/index.html index 5160455d4c..10eebd8ec8 100644 --- a/Diagnostics/HealthChecker/AMSIIntegration/index.html +++ b/Diagnostics/HealthChecker/AMSIIntegration/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/AuthCertificateCheck/index.html b/Diagnostics/HealthChecker/AuthCertificateCheck/index.html index 1feabb8c5d..88ea745c86 100644 --- a/Diagnostics/HealthChecker/AuthCertificateCheck/index.html +++ b/Diagnostics/HealthChecker/AuthCertificateCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/CTSProcessorAffinityPercentageCheck/index.html b/Diagnostics/HealthChecker/CTSProcessorAffinityPercentageCheck/index.html index 66a2f29bbd..6a9ef3ffad 100644 --- a/Diagnostics/HealthChecker/CTSProcessorAffinityPercentageCheck/index.html +++ b/Diagnostics/HealthChecker/CTSProcessorAffinityPercentageCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/CertificateCheck/index.html b/Diagnostics/HealthChecker/CertificateCheck/index.html index 696608ae02..a7c19bb23d 100644 --- a/Diagnostics/HealthChecker/CertificateCheck/index.html +++ b/Diagnostics/HealthChecker/CertificateCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/CloudConnectorCheck/index.html b/Diagnostics/HealthChecker/CloudConnectorCheck/index.html index a8667ec7fd..3cb2e283f5 100644 --- a/Diagnostics/HealthChecker/CloudConnectorCheck/index.html +++ b/Diagnostics/HealthChecker/CloudConnectorCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/CredentialGuardCheck/index.html b/Diagnostics/HealthChecker/CredentialGuardCheck/index.html index f96d2d3c93..97b1f9ec1a 100644 --- a/Diagnostics/HealthChecker/CredentialGuardCheck/index.html +++ b/Diagnostics/HealthChecker/CredentialGuardCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/DownloadDomainCheck/index.html b/Diagnostics/HealthChecker/DownloadDomainCheck/index.html index 75ed2ff9ab..2fb15a1a6b 100644 --- a/Diagnostics/HealthChecker/DownloadDomainCheck/index.html +++ b/Diagnostics/HealthChecker/DownloadDomainCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/EEMSCheck/index.html b/Diagnostics/HealthChecker/EEMSCheck/index.html index 3fb55a1844..9b00680828 100644 --- a/Diagnostics/HealthChecker/EEMSCheck/index.html +++ b/Diagnostics/HealthChecker/EEMSCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/ExchangeComputerMembership/index.html b/Diagnostics/HealthChecker/ExchangeComputerMembership/index.html index 9044e20ae0..e5c587226c 100644 --- a/Diagnostics/HealthChecker/ExchangeComputerMembership/index.html +++ b/Diagnostics/HealthChecker/ExchangeComputerMembership/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/ExchangeServerMaintenanceCheck/index.html b/Diagnostics/HealthChecker/ExchangeServerMaintenanceCheck/index.html index 28fd326376..1a88761cfc 100644 --- a/Diagnostics/HealthChecker/ExchangeServerMaintenanceCheck/index.html +++ b/Diagnostics/HealthChecker/ExchangeServerMaintenanceCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/ExoConnectorCheck/index.html b/Diagnostics/HealthChecker/ExoConnectorCheck/index.html index 1797b7e1ba..2b96880123 100644 --- a/Diagnostics/HealthChecker/ExoConnectorCheck/index.html +++ b/Diagnostics/HealthChecker/ExoConnectorCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/FIPFSCheck/index.html b/Diagnostics/HealthChecker/FIPFSCheck/index.html index e385d42ac5..057ffcf077 100644 --- a/Diagnostics/HealthChecker/FIPFSCheck/index.html +++ b/Diagnostics/HealthChecker/FIPFSCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/GeneralHardwareInformation/index.html b/Diagnostics/HealthChecker/GeneralHardwareInformation/index.html index 50ffe2582e..c26a8c9b2b 100644 --- a/Diagnostics/HealthChecker/GeneralHardwareInformation/index.html +++ b/Diagnostics/HealthChecker/GeneralHardwareInformation/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/HyperThreadingCheck/index.html b/Diagnostics/HealthChecker/HyperThreadingCheck/index.html index 996b431e21..d7ed4f5c32 100644 --- a/Diagnostics/HealthChecker/HyperThreadingCheck/index.html +++ b/Diagnostics/HealthChecker/HyperThreadingCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/IISInformation/index.html b/Diagnostics/HealthChecker/IISInformation/index.html index a35fa8d23a..771cbf4768 100644 --- a/Diagnostics/HealthChecker/IISInformation/index.html +++ b/Diagnostics/HealthChecker/IISInformation/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/IISWebConfigCheck/index.html b/Diagnostics/HealthChecker/IISWebConfigCheck/index.html index e62691011e..db57678e5b 100644 --- a/Diagnostics/HealthChecker/IISWebConfigCheck/index.html +++ b/Diagnostics/HealthChecker/IISWebConfigCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/IPv6EnabledCheck/index.html b/Diagnostics/HealthChecker/IPv6EnabledCheck/index.html index 3160aa1580..98b3f54736 100644 --- a/Diagnostics/HealthChecker/IPv6EnabledCheck/index.html +++ b/Diagnostics/HealthChecker/IPv6EnabledCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/InternalTransportCertificateCheck/index.html b/Diagnostics/HealthChecker/InternalTransportCertificateCheck/index.html index 522eb8bc55..7f77f79a03 100644 --- a/Diagnostics/HealthChecker/InternalTransportCertificateCheck/index.html +++ b/Diagnostics/HealthChecker/InternalTransportCertificateCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/LMCompatibilityLevelInformationCheck/index.html b/Diagnostics/HealthChecker/LMCompatibilityLevelInformationCheck/index.html index 3870e6ddad..39630ba22d 100644 --- a/Diagnostics/HealthChecker/LMCompatibilityLevelInformationCheck/index.html +++ b/Diagnostics/HealthChecker/LMCompatibilityLevelInformationCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/MAPIFrontEndAppPoolGCModeCheck/index.html b/Diagnostics/HealthChecker/MAPIFrontEndAppPoolGCModeCheck/index.html index c24f6ee119..e848f1c5d4 100644 --- a/Diagnostics/HealthChecker/MAPIFrontEndAppPoolGCModeCheck/index.html +++ b/Diagnostics/HealthChecker/MAPIFrontEndAppPoolGCModeCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/May22SU/index.html b/Diagnostics/HealthChecker/May22SU/index.html index f437a6d75f..cacd1d3bd0 100644 --- a/Diagnostics/HealthChecker/May22SU/index.html +++ b/Diagnostics/HealthChecker/May22SU/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/NETFrameworkSupportabilityCheck/index.html b/Diagnostics/HealthChecker/NETFrameworkSupportabilityCheck/index.html index 5e50278c02..e9431312ee 100644 --- a/Diagnostics/HealthChecker/NETFrameworkSupportabilityCheck/index.html +++ b/Diagnostics/HealthChecker/NETFrameworkSupportabilityCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/NodeRunnerMemoryLimitCheck/index.html b/Diagnostics/HealthChecker/NodeRunnerMemoryLimitCheck/index.html index 8dcabbbd0c..7d4292d6d2 100644 --- a/Diagnostics/HealthChecker/NodeRunnerMemoryLimitCheck/index.html +++ b/Diagnostics/HealthChecker/NodeRunnerMemoryLimitCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/NumaBiosCheck/index.html b/Diagnostics/HealthChecker/NumaBiosCheck/index.html index 1d8bae6ef5..a1c68d5e35 100644 --- a/Diagnostics/HealthChecker/NumaBiosCheck/index.html +++ b/Diagnostics/HealthChecker/NumaBiosCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/OpenRelayDomain/index.html b/Diagnostics/HealthChecker/OpenRelayDomain/index.html index 8ce3c3a4ac..1df68b24e4 100644 --- a/Diagnostics/HealthChecker/OpenRelayDomain/index.html +++ b/Diagnostics/HealthChecker/OpenRelayDomain/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/PacketsLossCheck/index.html b/Diagnostics/HealthChecker/PacketsLossCheck/index.html index 9c73872ac9..55f1595fa2 100644 --- a/Diagnostics/HealthChecker/PacketsLossCheck/index.html +++ b/Diagnostics/HealthChecker/PacketsLossCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/PagefileSizeCheck/index.html b/Diagnostics/HealthChecker/PagefileSizeCheck/index.html index ae9a97fdf4..62d306c5c8 100644 --- a/Diagnostics/HealthChecker/PagefileSizeCheck/index.html +++ b/Diagnostics/HealthChecker/PagefileSizeCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/ProcessorCheck/index.html b/Diagnostics/HealthChecker/ProcessorCheck/index.html index 380cd42cfa..4f2ad2acc3 100644 --- a/Diagnostics/HealthChecker/ProcessorCheck/index.html +++ b/Diagnostics/HealthChecker/ProcessorCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/RPCMinConnectionTimeoutCheck/index.html b/Diagnostics/HealthChecker/RPCMinConnectionTimeoutCheck/index.html index 45f08bc992..585ef1596c 100644 --- a/Diagnostics/HealthChecker/RPCMinConnectionTimeoutCheck/index.html +++ b/Diagnostics/HealthChecker/RPCMinConnectionTimeoutCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/RSSEnabledCheck/index.html b/Diagnostics/HealthChecker/RSSEnabledCheck/index.html index b64e76550f..93ab0b8b3f 100644 --- a/Diagnostics/HealthChecker/RSSEnabledCheck/index.html +++ b/Diagnostics/HealthChecker/RSSEnabledCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/RebootPending/index.html b/Diagnostics/HealthChecker/RebootPending/index.html index 0f2152b869..5dbe3f2357 100644 --- a/Diagnostics/HealthChecker/RebootPending/index.html +++ b/Diagnostics/HealthChecker/RebootPending/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/RunHCViaSchedTask/index.html b/Diagnostics/HealthChecker/RunHCViaSchedTask/index.html index f4fec470da..604a731c44 100644 --- a/Diagnostics/HealthChecker/RunHCViaSchedTask/index.html +++ b/Diagnostics/HealthChecker/RunHCViaSchedTask/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/SMBv1Check/index.html b/Diagnostics/HealthChecker/SMBv1Check/index.html index 254cc98359..d048d6bd06 100644 --- a/Diagnostics/HealthChecker/SMBv1Check/index.html +++ b/Diagnostics/HealthChecker/SMBv1Check/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/SerializedDataSigningCheck/index.html b/Diagnostics/HealthChecker/SerializedDataSigningCheck/index.html index fb9781c921..6f1969d1ac 100644 --- a/Diagnostics/HealthChecker/SerializedDataSigningCheck/index.html +++ b/Diagnostics/HealthChecker/SerializedDataSigningCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/SettingOverridesCheck/index.html b/Diagnostics/HealthChecker/SettingOverridesCheck/index.html index 526899d9c4..16485a0834 100644 --- a/Diagnostics/HealthChecker/SettingOverridesCheck/index.html +++ b/Diagnostics/HealthChecker/SettingOverridesCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/SleepyNICCheck/index.html b/Diagnostics/HealthChecker/SleepyNICCheck/index.html index 3d62849791..ac7e43a4af 100644 --- a/Diagnostics/HealthChecker/SleepyNICCheck/index.html +++ b/Diagnostics/HealthChecker/SleepyNICCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/TCPIPSettingsCheck/index.html b/Diagnostics/HealthChecker/TCPIPSettingsCheck/index.html index 57abcc890c..27e21bc820 100644 --- a/Diagnostics/HealthChecker/TCPIPSettingsCheck/index.html +++ b/Diagnostics/HealthChecker/TCPIPSettingsCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/TLSConfigurationCheck/index.html b/Diagnostics/HealthChecker/TLSConfigurationCheck/index.html index 186dacc9ca..2f8e453036 100644 --- a/Diagnostics/HealthChecker/TLSConfigurationCheck/index.html +++ b/Diagnostics/HealthChecker/TLSConfigurationCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/VisualCRedistributableVersionCheck/index.html b/Diagnostics/HealthChecker/VisualCRedistributableVersionCheck/index.html index 3e8867ab59..3bd5cb910a 100644 --- a/Diagnostics/HealthChecker/VisualCRedistributableVersionCheck/index.html +++ b/Diagnostics/HealthChecker/VisualCRedistributableVersionCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/VulnerabilityCheck/index.html b/Diagnostics/HealthChecker/VulnerabilityCheck/index.html index 0e6e821bdd..93931aa6b9 100644 --- a/Diagnostics/HealthChecker/VulnerabilityCheck/index.html +++ b/Diagnostics/HealthChecker/VulnerabilityCheck/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/HealthChecker/index.html b/Diagnostics/HealthChecker/index.html index 51efa299ac..3a291d3aa7 100644 --- a/Diagnostics/HealthChecker/index.html +++ b/Diagnostics/HealthChecker/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/ManagedAvailabilityTroubleshooter/index.html b/Diagnostics/ManagedAvailabilityTroubleshooter/index.html index 979cda4d5b..0c382d4291 100644 --- a/Diagnostics/ManagedAvailabilityTroubleshooter/index.html +++ b/Diagnostics/ManagedAvailabilityTroubleshooter/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Diagnostics/Test-ExchAVExclusions/index.html b/Diagnostics/Test-ExchAVExclusions/index.html index 2396cc1795..70980f69a3 100644 --- a/Diagnostics/Test-ExchAVExclusions/index.html +++ b/Diagnostics/Test-ExchAVExclusions/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Emerging-Issues/index.html b/Emerging-Issues/index.html index a93ba3c5b6..beb54a7c2d 100644 --- a/Emerging-Issues/index.html +++ b/Emerging-Issues/index.html @@ -16,7 +16,7 @@ - + @@ -24,7 +24,7 @@ - + @@ -171,7 +171,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Hybrid/Test-HMAEAS/index.html b/Hybrid/Test-HMAEAS/index.html index f82ac4b32f..da6834574c 100644 --- a/Hybrid/Test-HMAEAS/index.html +++ b/Hybrid/Test-HMAEAS/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/M365/DLT365Groupsupgrade/index.html b/M365/DLT365Groupsupgrade/index.html index 6f9e932074..5b60343ba9 100644 --- a/M365/DLT365Groupsupgrade/index.html +++ b/M365/DLT365Groupsupgrade/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/M365/MDO/MDOThreatPolicyChecker/index.html b/M365/MDO/MDOThreatPolicyChecker/index.html index 212964f141..4074fb94ac 100644 --- a/M365/MDO/MDOThreatPolicyChecker/index.html +++ b/M365/MDO/MDOThreatPolicyChecker/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub @@ -3385,6 +3385,7 @@

MDOThreatPolicyChecker

Download the latest release: MDOThreatPolicyChecker.ps1

This script checks which Microsoft Defender for Office 365 and Exchange Online Protection threat policies cover a particular user, including anti-malware, anti-phishing, inbound and outbound anti-spam, as well as Safe Attachments and Safe Links policies in case these are licensed for your tenant. In addition, the script can check for threat policies that have inclusion and/or exclusion settings that may be redundant or confusing and lead to missed coverage of users or coverage by an unexpected threat policy.

+

It also includes an option to show all the actions and settings of the policies that apply to a user.

Common Usage

The script uses Exchange Online cmdlets from Exchange Online module and Microsoft.Graph cmdLets from Microsoft.Graph.Authentication, Microsoft.Graph.Groups and Microsoft.Graph.Users modules.

To run the PowerShell Graph cmdlets used in this script, you need only the following modules from the Microsoft.Graph PowerShell SDK: @@ -3498,7 +3499,7 @@

Parameters

- July 2, 2024 + July 22, 2024 diff --git a/NewUserGuide/index.html b/NewUserGuide/index.html index 40fc76f4e0..6021ff212f 100644 --- a/NewUserGuide/index.html +++ b/NewUserGuide/index.html @@ -14,7 +14,7 @@ - + @@ -22,7 +22,7 @@ - + @@ -169,7 +169,7 @@
- +
GitHub @@ -216,7 +216,7 @@
- +
GitHub diff --git a/Performance/ExPerfAnalyzer/index.html b/Performance/ExPerfAnalyzer/index.html index 9e4ab039f8..9596d45bc0 100644 --- a/Performance/ExPerfAnalyzer/index.html +++ b/Performance/ExPerfAnalyzer/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Performance/ExPerfWiz/index.html b/Performance/ExPerfWiz/index.html index 2efb8bf40a..f8fef8ecc2 100644 --- a/Performance/ExPerfWiz/index.html +++ b/Performance/ExPerfWiz/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Performance/SimplePerf/index.html b/Performance/SimplePerf/index.html index 242bc749ba..58d307c54e 100644 --- a/Performance/SimplePerf/index.html +++ b/Performance/SimplePerf/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/PublicFolders/SourceSideValidations/index.html b/PublicFolders/SourceSideValidations/index.html index e3e8987522..4437f9fbd8 100644 --- a/PublicFolders/SourceSideValidations/index.html +++ b/PublicFolders/SourceSideValidations/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/PublicFolders/ValidateEXOPFDumpster/index.html b/PublicFolders/ValidateEXOPFDumpster/index.html index 52763b9fe0..508490c0c4 100644 --- a/PublicFolders/ValidateEXOPFDumpster/index.html +++ b/PublicFolders/ValidateEXOPFDumpster/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/PublicFolders/ValidateMailEnabledPublicFolders/index.html b/PublicFolders/ValidateMailEnabledPublicFolders/index.html index 54585e40c8..02e61a5ad6 100644 --- a/PublicFolders/ValidateMailEnabledPublicFolders/index.html +++ b/PublicFolders/ValidateMailEnabledPublicFolders/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Retention/Get-MRMDetails/index.html b/Retention/Get-MRMDetails/index.html index 4146ec7a87..4be0f059bc 100644 --- a/Retention/Get-MRMDetails/index.html +++ b/Retention/Get-MRMDetails/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Search/Troubleshoot-ModernSearch/index.html b/Search/Troubleshoot-ModernSearch/index.html index c34eebb617..901c209168 100644 --- a/Search/Troubleshoot-ModernSearch/index.html +++ b/Search/Troubleshoot-ModernSearch/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Security/CVE-2023-21709/index.html b/Security/CVE-2023-21709/index.html index 03ca1ca3aa..1534b12aca 100644 --- a/Security/CVE-2023-21709/index.html +++ b/Security/CVE-2023-21709/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Security/CVE-2023-23397/FAQ/index.html b/Security/CVE-2023-23397/FAQ/index.html index 455f16d030..ec6458fa99 100644 --- a/Security/CVE-2023-23397/FAQ/index.html +++ b/Security/CVE-2023-23397/FAQ/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Security/CVE-2023-23397/index.html b/Security/CVE-2023-23397/index.html index 443dd2b6fa..cdab00d9e1 100644 --- a/Security/CVE-2023-23397/index.html +++ b/Security/CVE-2023-23397/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Security/ConfigureFipFsTextExtractionOverrides/index.html b/Security/ConfigureFipFsTextExtractionOverrides/index.html index 1f89205c0c..c00b004152 100644 --- a/Security/ConfigureFipFsTextExtractionOverrides/index.html +++ b/Security/ConfigureFipFsTextExtractionOverrides/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Security/EOMT/index.html b/Security/EOMT/index.html index 9d88222685..69119cb0de 100644 --- a/Security/EOMT/index.html +++ b/Security/EOMT/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Security/EOMTv2/index.html b/Security/EOMTv2/index.html index 1c7167d437..8606fed5fb 100644 --- a/Security/EOMTv2/index.html +++ b/Security/EOMTv2/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Security/ExchangeExtendedProtectionManagement/index.html b/Security/ExchangeExtendedProtectionManagement/index.html index 0dfbe9ee19..d156961753 100644 --- a/Security/ExchangeExtendedProtectionManagement/index.html +++ b/Security/ExchangeExtendedProtectionManagement/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Security/ExchangeMitigations/index.html b/Security/ExchangeMitigations/index.html index a15486d67a..b7595e6ccb 100644 --- a/Security/ExchangeMitigations/index.html +++ b/Security/ExchangeMitigations/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Security/Extended-Protection/index.html b/Security/Extended-Protection/index.html index 3c17b43146..85a055503b 100644 --- a/Security/Extended-Protection/index.html +++ b/Security/Extended-Protection/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Security/Test-CVE-2021-34470/index.html b/Security/Test-CVE-2021-34470/index.html index fba6f1cf5b..47e82c6cf7 100644 --- a/Security/Test-CVE-2021-34470/index.html +++ b/Security/Test-CVE-2021-34470/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Security/Test-ProxyLogon/index.html b/Security/Test-ProxyLogon/index.html index e6c62a9a0b..4dd8c67602 100644 --- a/Security/Test-ProxyLogon/index.html +++ b/Security/Test-ProxyLogon/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Setup/CopyMissingDlls/index.html b/Setup/CopyMissingDlls/index.html index c571c6833f..aa46c44507 100644 --- a/Setup/CopyMissingDlls/index.html +++ b/Setup/CopyMissingDlls/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Setup/FixInstallerCache/index.html b/Setup/FixInstallerCache/index.html index 37eed89270..935b5f5a0a 100644 --- a/Setup/FixInstallerCache/index.html +++ b/Setup/FixInstallerCache/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Setup/Set-ExchAVExclusions/index.html b/Setup/Set-ExchAVExclusions/index.html index 632d34fa79..a9890df23a 100644 --- a/Setup/Set-ExchAVExclusions/index.html +++ b/Setup/Set-ExchAVExclusions/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Setup/SetupAssist/ComputersContainer/index.html b/Setup/SetupAssist/ComputersContainer/index.html index 4f4909094f..e343c8dd34 100644 --- a/Setup/SetupAssist/ComputersContainer/index.html +++ b/Setup/SetupAssist/ComputersContainer/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Setup/SetupAssist/InstallWatermark/index.html b/Setup/SetupAssist/InstallWatermark/index.html index a6026ece6a..1b54eb21f8 100644 --- a/Setup/SetupAssist/InstallWatermark/index.html +++ b/Setup/SetupAssist/InstallWatermark/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Setup/SetupAssist/ReadOnlyDomainControllerContainer/index.html b/Setup/SetupAssist/ReadOnlyDomainControllerContainer/index.html index 4adec6bfca..d572be5886 100644 --- a/Setup/SetupAssist/ReadOnlyDomainControllerContainer/index.html +++ b/Setup/SetupAssist/ReadOnlyDomainControllerContainer/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Setup/SetupAssist/RebootPending/index.html b/Setup/SetupAssist/RebootPending/index.html index 17a7a20aac..3b82e2d8d0 100644 --- a/Setup/SetupAssist/RebootPending/index.html +++ b/Setup/SetupAssist/RebootPending/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Setup/SetupAssist/index.html b/Setup/SetupAssist/index.html index a282c8f9b4..42bfddeda7 100644 --- a/Setup/SetupAssist/index.html +++ b/Setup/SetupAssist/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Setup/SetupLogReviewer/index.html b/Setup/SetupLogReviewer/index.html index 7b7c659dd4..15fbbc9fd2 100644 --- a/Setup/SetupLogReviewer/index.html +++ b/Setup/SetupLogReviewer/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Transport/Compute-TopExoRecipientsFromMessageTrace/index.html b/Transport/Compute-TopExoRecipientsFromMessageTrace/index.html index 9b81290d58..2ebcd2c95b 100644 --- a/Transport/Compute-TopExoRecipientsFromMessageTrace/index.html +++ b/Transport/Compute-TopExoRecipientsFromMessageTrace/index.html @@ -18,7 +18,7 @@ - + @@ -26,7 +26,7 @@ - + @@ -173,7 +173,7 @@
- +
GitHub @@ -218,7 +218,7 @@
- +
GitHub diff --git a/Transport/ReplayQueueDatabases/index.html b/Transport/ReplayQueueDatabases/index.html index 86b7dfc8ce..e6d1422294 100644 --- a/Transport/ReplayQueueDatabases/index.html +++ b/Transport/ReplayQueueDatabases/index.html @@ -16,7 +16,7 @@ - + @@ -24,7 +24,7 @@ - + @@ -171,7 +171,7 @@
- +
GitHub @@ -216,7 +216,7 @@
- +
GitHub diff --git a/assets/stylesheets/main.3cba04c6.min.css b/assets/stylesheets/main.3cba04c6.min.css new file mode 100644 index 0000000000..873f8feef2 --- /dev/null +++ b/assets/stylesheets/main.3cba04c6.min.css @@ -0,0 +1 @@ +@charset "UTF-8";html{-webkit-text-size-adjust:none;-moz-text-size-adjust:none;text-size-adjust:none;box-sizing:border-box}*,:after,:before{box-sizing:inherit}@media (prefers-reduced-motion){*,:after,:before{transition:none!important}}body{margin:0}a,button,input,label{-webkit-tap-highlight-color:transparent}a{color:inherit;text-decoration:none}hr{border:0;box-sizing:initial;display:block;height:.05rem;overflow:visible;padding:0}small{font-size:80%}sub,sup{line-height:1em}img{border-style:none}table{border-collapse:initial;border-spacing:0}td,th{font-weight:400;vertical-align:top}button{background:#0000;border:0;font-family:inherit;font-size:inherit;margin:0;padding:0}input{border:0;outline:none}:root{--md-primary-fg-color:#4051b5;--md-primary-fg-color--light:#5d6cc0;--md-primary-fg-color--dark:#303fa1;--md-primary-bg-color:#fff;--md-primary-bg-color--light:#ffffffb3;--md-accent-fg-color:#526cfe;--md-accent-fg-color--transparent:#526cfe1a;--md-accent-bg-color:#fff;--md-accent-bg-color--light:#ffffffb3}[data-md-color-scheme=default]{color-scheme:light}[data-md-color-scheme=default] img[src$="#gh-dark-mode-only"],[data-md-color-scheme=default] img[src$="#only-dark"]{display:none}:root,[data-md-color-scheme=default]{--md-hue:225deg;--md-default-fg-color:#000000de;--md-default-fg-color--light:#0000008a;--md-default-fg-color--lighter:#00000052;--md-default-fg-color--lightest:#00000012;--md-default-bg-color:#fff;--md-default-bg-color--light:#ffffffb3;--md-default-bg-color--lighter:#ffffff4d;--md-default-bg-color--lightest:#ffffff1f;--md-code-fg-color:#36464e;--md-code-bg-color:#f5f5f5;--md-code-hl-color:#4287ff;--md-code-hl-color--light:#4287ff1a;--md-code-hl-number-color:#d52a2a;--md-code-hl-special-color:#db1457;--md-code-hl-function-color:#a846b9;--md-code-hl-constant-color:#6e59d9;--md-code-hl-keyword-color:#3f6ec6;--md-code-hl-string-color:#1c7d4d;--md-code-hl-name-color:var(--md-code-fg-color);--md-code-hl-operator-color:var(--md-default-fg-color--light);--md-code-hl-punctuation-color:var(--md-default-fg-color--light);--md-code-hl-comment-color:var(--md-default-fg-color--light);--md-code-hl-generic-color:var(--md-default-fg-color--light);--md-code-hl-variable-color:var(--md-default-fg-color--light);--md-typeset-color:var(--md-default-fg-color);--md-typeset-a-color:var(--md-primary-fg-color);--md-typeset-del-color:#f5503d26;--md-typeset-ins-color:#0bd57026;--md-typeset-kbd-color:#fafafa;--md-typeset-kbd-accent-color:#fff;--md-typeset-kbd-border-color:#b8b8b8;--md-typeset-mark-color:#ffff0080;--md-typeset-table-color:#0000001f;--md-typeset-table-color--light:rgba(0,0,0,.035);--md-admonition-fg-color:var(--md-default-fg-color);--md-admonition-bg-color:var(--md-default-bg-color);--md-warning-fg-color:#000000de;--md-warning-bg-color:#ff9;--md-footer-fg-color:#fff;--md-footer-fg-color--light:#ffffffb3;--md-footer-fg-color--lighter:#ffffff73;--md-footer-bg-color:#000000de;--md-footer-bg-color--dark:#00000052;--md-shadow-z1:0 0.2rem 0.5rem #0000000d,0 0 0.05rem #0000001a;--md-shadow-z2:0 0.2rem 0.5rem #0000001a,0 0 0.05rem #00000040;--md-shadow-z3:0 0.2rem 0.5rem #0003,0 0 0.05rem #00000059}.md-icon svg{fill:currentcolor;display:block;height:1.2rem;width:1.2rem}body{-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;--md-text-font-family:var(--md-text-font,_),-apple-system,BlinkMacSystemFont,Helvetica,Arial,sans-serif;--md-code-font-family:var(--md-code-font,_),SFMono-Regular,Consolas,Menlo,monospace}aside,body,input{font-feature-settings:"kern","liga";color:var(--md-typeset-color);font-family:var(--md-text-font-family)}code,kbd,pre{font-feature-settings:"kern";font-family:var(--md-code-font-family)}:root{--md-typeset-table-sort-icon:url('data:image/svg+xml;charset=utf-8,');--md-typeset-table-sort-icon--asc:url('data:image/svg+xml;charset=utf-8,');--md-typeset-table-sort-icon--desc:url('data:image/svg+xml;charset=utf-8,')}.md-typeset{-webkit-print-color-adjust:exact;color-adjust:exact;font-size:.8rem;line-height:1.6}@media print{.md-typeset{font-size:.68rem}}.md-typeset blockquote,.md-typeset dl,.md-typeset figure,.md-typeset ol,.md-typeset pre,.md-typeset ul{margin-bottom:1em;margin-top:1em}.md-typeset h1{color:var(--md-default-fg-color--light);font-size:2em;line-height:1.3;margin:0 0 1.25em}.md-typeset h1,.md-typeset h2{font-weight:300;letter-spacing:-.01em}.md-typeset h2{font-size:1.5625em;line-height:1.4;margin:1.6em 0 .64em}.md-typeset h3{font-size:1.25em;font-weight:400;letter-spacing:-.01em;line-height:1.5;margin:1.6em 0 .8em}.md-typeset h2+h3{margin-top:.8em}.md-typeset h4{font-weight:700;letter-spacing:-.01em;margin:1em 0}.md-typeset h5,.md-typeset h6{color:var(--md-default-fg-color--light);font-size:.8em;font-weight:700;letter-spacing:-.01em;margin:1.25em 0}.md-typeset h5{text-transform:uppercase}.md-typeset hr{border-bottom:.05rem solid var(--md-default-fg-color--lightest);display:flow-root;margin:1.5em 0}.md-typeset a{color:var(--md-typeset-a-color);word-break:break-word}.md-typeset a,.md-typeset a:before{transition:color 125ms}.md-typeset a:focus,.md-typeset a:hover{color:var(--md-accent-fg-color)}.md-typeset a:focus code,.md-typeset a:hover code{background-color:var(--md-accent-fg-color--transparent)}.md-typeset a code{color:currentcolor;transition:background-color 125ms}.md-typeset a.focus-visible{outline-color:var(--md-accent-fg-color);outline-offset:.2rem}.md-typeset code,.md-typeset kbd,.md-typeset pre{color:var(--md-code-fg-color);direction:ltr;font-variant-ligatures:none}@media print{.md-typeset code,.md-typeset kbd,.md-typeset pre{white-space:pre-wrap}}.md-typeset code{background-color:var(--md-code-bg-color);border-radius:.1rem;-webkit-box-decoration-break:clone;box-decoration-break:clone;font-size:.85em;padding:0 .2941176471em;word-break:break-word}.md-typeset code:not(.focus-visible){-webkit-tap-highlight-color:transparent;outline:none}.md-typeset pre{display:flow-root;line-height:1.4;position:relative}.md-typeset pre>code{-webkit-box-decoration-break:slice;box-decoration-break:slice;box-shadow:none;display:block;margin:0;outline-color:var(--md-accent-fg-color);overflow:auto;padding:.7720588235em 1.1764705882em;scrollbar-color:var(--md-default-fg-color--lighter) #0000;scrollbar-width:thin;touch-action:auto;word-break:normal}.md-typeset pre>code:hover{scrollbar-color:var(--md-accent-fg-color) #0000}.md-typeset pre>code::-webkit-scrollbar{height:.2rem;width:.2rem}.md-typeset pre>code::-webkit-scrollbar-thumb{background-color:var(--md-default-fg-color--lighter)}.md-typeset pre>code::-webkit-scrollbar-thumb:hover{background-color:var(--md-accent-fg-color)}.md-typeset kbd{background-color:var(--md-typeset-kbd-color);border-radius:.1rem;box-shadow:0 .1rem 0 .05rem var(--md-typeset-kbd-border-color),0 .1rem 0 var(--md-typeset-kbd-border-color),0 -.1rem .2rem var(--md-typeset-kbd-accent-color) inset;color:var(--md-default-fg-color);display:inline-block;font-size:.75em;padding:0 .6666666667em;vertical-align:text-top;word-break:break-word}.md-typeset mark{background-color:var(--md-typeset-mark-color);-webkit-box-decoration-break:clone;box-decoration-break:clone;color:inherit;word-break:break-word}.md-typeset abbr{border-bottom:.05rem dotted var(--md-default-fg-color--light);cursor:help;text-decoration:none}.md-typeset small{opacity:.75}[dir=ltr] .md-typeset sub,[dir=ltr] .md-typeset sup{margin-left:.078125em}[dir=rtl] .md-typeset sub,[dir=rtl] .md-typeset sup{margin-right:.078125em}[dir=ltr] .md-typeset blockquote{padding-left:.6rem}[dir=rtl] .md-typeset blockquote{padding-right:.6rem}[dir=ltr] .md-typeset blockquote{border-left:.2rem solid var(--md-default-fg-color--lighter)}[dir=rtl] .md-typeset blockquote{border-right:.2rem solid var(--md-default-fg-color--lighter)}.md-typeset blockquote{color:var(--md-default-fg-color--light);margin-left:0;margin-right:0}.md-typeset ul{list-style-type:disc}[dir=ltr] .md-typeset ol,[dir=ltr] .md-typeset ul{margin-left:.625em}[dir=rtl] .md-typeset ol,[dir=rtl] .md-typeset ul{margin-right:.625em}.md-typeset ol,.md-typeset ul{padding:0}.md-typeset ol:not([hidden]),.md-typeset ul:not([hidden]){display:flow-root}.md-typeset ol ol,.md-typeset ul ol{list-style-type:lower-alpha}.md-typeset ol ol ol,.md-typeset ul ol ol{list-style-type:lower-roman}[dir=ltr] .md-typeset ol li,[dir=ltr] .md-typeset ul li{margin-left:1.25em}[dir=rtl] .md-typeset ol li,[dir=rtl] .md-typeset ul li{margin-right:1.25em}.md-typeset ol li,.md-typeset ul li{margin-bottom:.5em}.md-typeset ol li blockquote,.md-typeset ol li p,.md-typeset ul li blockquote,.md-typeset ul li p{margin:.5em 0}.md-typeset ol li:last-child,.md-typeset ul li:last-child{margin-bottom:0}[dir=ltr] .md-typeset ol li ol,[dir=ltr] .md-typeset ol li ul,[dir=ltr] .md-typeset ul li ol,[dir=ltr] .md-typeset ul li ul{margin-left:.625em}[dir=rtl] .md-typeset ol li ol,[dir=rtl] .md-typeset ol li ul,[dir=rtl] .md-typeset ul li ol,[dir=rtl] .md-typeset ul li ul{margin-right:.625em}.md-typeset ol li ol,.md-typeset ol li ul,.md-typeset ul li ol,.md-typeset ul li ul{margin-bottom:.5em;margin-top:.5em}[dir=ltr] .md-typeset dd{margin-left:1.875em}[dir=rtl] .md-typeset dd{margin-right:1.875em}.md-typeset dd{margin-bottom:1.5em;margin-top:1em}.md-typeset img,.md-typeset svg,.md-typeset video{height:auto;max-width:100%}.md-typeset img[align=left]{margin:1em 1em 1em 0}.md-typeset img[align=right]{margin:1em 0 1em 1em}.md-typeset img[align]:only-child{margin-top:0}.md-typeset figure{display:flow-root;margin:1em auto;max-width:100%;text-align:center;width:-moz-fit-content;width:fit-content}.md-typeset figure img{display:block;margin:0 auto}.md-typeset figcaption{font-style:italic;margin:1em auto;max-width:24rem}.md-typeset iframe{max-width:100%}.md-typeset table:not([class]){background-color:var(--md-default-bg-color);border:.05rem solid var(--md-typeset-table-color);border-radius:.1rem;display:inline-block;font-size:.64rem;max-width:100%;overflow:auto;touch-action:auto}@media print{.md-typeset table:not([class]){display:table}}.md-typeset table:not([class])+*{margin-top:1.5em}.md-typeset table:not([class]) td>:first-child,.md-typeset table:not([class]) th>:first-child{margin-top:0}.md-typeset table:not([class]) td>:last-child,.md-typeset table:not([class]) th>:last-child{margin-bottom:0}.md-typeset table:not([class]) td:not([align]),.md-typeset table:not([class]) th:not([align]){text-align:left}[dir=rtl] .md-typeset table:not([class]) td:not([align]),[dir=rtl] .md-typeset table:not([class]) th:not([align]){text-align:right}.md-typeset table:not([class]) th{font-weight:700;min-width:5rem;padding:.9375em 1.25em;vertical-align:top}.md-typeset table:not([class]) td{border-top:.05rem solid var(--md-typeset-table-color);padding:.9375em 1.25em;vertical-align:top}.md-typeset table:not([class]) tbody tr{transition:background-color 125ms}.md-typeset table:not([class]) tbody tr:hover{background-color:var(--md-typeset-table-color--light);box-shadow:0 .05rem 0 var(--md-default-bg-color) inset}.md-typeset table:not([class]) a{word-break:normal}.md-typeset table th[role=columnheader]{cursor:pointer}[dir=ltr] .md-typeset table th[role=columnheader]:after{margin-left:.5em}[dir=rtl] .md-typeset table th[role=columnheader]:after{margin-right:.5em}.md-typeset table th[role=columnheader]:after{content:"";display:inline-block;height:1.2em;-webkit-mask-image:var(--md-typeset-table-sort-icon);mask-image:var(--md-typeset-table-sort-icon);-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;transition:background-color 125ms;vertical-align:text-bottom;width:1.2em}.md-typeset table th[role=columnheader]:hover:after{background-color:var(--md-default-fg-color--lighter)}.md-typeset table th[role=columnheader][aria-sort=ascending]:after{background-color:var(--md-default-fg-color--light);-webkit-mask-image:var(--md-typeset-table-sort-icon--asc);mask-image:var(--md-typeset-table-sort-icon--asc)}.md-typeset table th[role=columnheader][aria-sort=descending]:after{background-color:var(--md-default-fg-color--light);-webkit-mask-image:var(--md-typeset-table-sort-icon--desc);mask-image:var(--md-typeset-table-sort-icon--desc)}.md-typeset__scrollwrap{margin:1em -.8rem;overflow-x:auto;touch-action:auto}.md-typeset__table{display:inline-block;margin-bottom:.5em;padding:0 .8rem}@media print{.md-typeset__table{display:block}}html .md-typeset__table table{display:table;margin:0;overflow:hidden;width:100%}@media screen and (max-width:44.984375em){.md-content__inner>pre{margin:1em -.8rem}.md-content__inner>pre code{border-radius:0}}.md-typeset .md-author{border-radius:100%;display:block;flex-shrink:0;height:1.6rem;overflow:hidden;position:relative;transition:color 125ms,transform 125ms;width:1.6rem}.md-typeset .md-author img{display:block}.md-typeset .md-author--more{background:var(--md-default-fg-color--lightest);color:var(--md-default-fg-color--lighter);font-size:.6rem;font-weight:700;line-height:1.6rem;text-align:center}.md-typeset .md-author--long{height:2.4rem;width:2.4rem}.md-typeset a.md-author{transform:scale(1)}.md-typeset a.md-author img{border-radius:100%;filter:grayscale(100%) opacity(75%);transition:filter 125ms}.md-typeset a.md-author:focus,.md-typeset a.md-author:hover{transform:scale(1.1);z-index:1}.md-typeset a.md-author:focus img,.md-typeset a.md-author:hover img{filter:grayscale(0)}.md-banner{background-color:var(--md-footer-bg-color);color:var(--md-footer-fg-color);overflow:auto}@media print{.md-banner{display:none}}.md-banner--warning{background-color:var(--md-warning-bg-color);color:var(--md-warning-fg-color)}.md-banner__inner{font-size:.7rem;margin:.6rem auto;padding:0 .8rem}[dir=ltr] .md-banner__button{float:right}[dir=rtl] .md-banner__button{float:left}.md-banner__button{color:inherit;cursor:pointer;transition:opacity .25s}.no-js .md-banner__button{display:none}.md-banner__button:hover{opacity:.7}html{font-size:125%;height:100%;overflow-x:hidden}@media screen and (min-width:100em){html{font-size:137.5%}}@media screen and (min-width:125em){html{font-size:150%}}body{background-color:var(--md-default-bg-color);display:flex;flex-direction:column;font-size:.5rem;min-height:100%;position:relative;width:100%}@media print{body{display:block}}@media screen and (max-width:59.984375em){body[data-md-scrolllock]{position:fixed}}.md-grid{margin-left:auto;margin-right:auto;max-width:61rem}.md-container{display:flex;flex-direction:column;flex-grow:1}@media print{.md-container{display:block}}.md-main{flex-grow:1}.md-main__inner{display:flex;height:100%;margin-top:1.5rem}.md-ellipsis{overflow:hidden;text-overflow:ellipsis}.md-toggle{display:none}.md-option{height:0;opacity:0;position:absolute;width:0}.md-option:checked+label:not([hidden]){display:block}.md-option.focus-visible+label{outline-color:var(--md-accent-fg-color);outline-style:auto}.md-skip{background-color:var(--md-default-fg-color);border-radius:.1rem;color:var(--md-default-bg-color);font-size:.64rem;margin:.5rem;opacity:0;outline-color:var(--md-accent-fg-color);padding:.3rem .5rem;position:fixed;transform:translateY(.4rem);z-index:-1}.md-skip:focus{opacity:1;transform:translateY(0);transition:transform .25s cubic-bezier(.4,0,.2,1),opacity 175ms 75ms;z-index:10}@page{margin:25mm}:root{--md-clipboard-icon:url('data:image/svg+xml;charset=utf-8,')}.md-clipboard{border-radius:.1rem;color:var(--md-default-fg-color--lightest);cursor:pointer;height:1.5em;outline-color:var(--md-accent-fg-color);outline-offset:.1rem;position:absolute;right:.5em;top:.5em;transition:color .25s;width:1.5em;z-index:1}@media print{.md-clipboard{display:none}}.md-clipboard:not(.focus-visible){-webkit-tap-highlight-color:transparent;outline:none}:hover>.md-clipboard{color:var(--md-default-fg-color--light)}.md-clipboard:focus,.md-clipboard:hover{color:var(--md-accent-fg-color)}.md-clipboard:after{background-color:currentcolor;content:"";display:block;height:1.125em;margin:0 auto;-webkit-mask-image:var(--md-clipboard-icon);mask-image:var(--md-clipboard-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;width:1.125em}.md-clipboard--inline{cursor:pointer}.md-clipboard--inline code{transition:color .25s,background-color .25s}.md-clipboard--inline:focus code,.md-clipboard--inline:hover code{background-color:var(--md-accent-fg-color--transparent);color:var(--md-accent-fg-color)}.md-typeset .md-code__content{display:grid}@keyframes consent{0%{opacity:0;transform:translateY(100%)}to{opacity:1;transform:translateY(0)}}@keyframes overlay{0%{opacity:0}to{opacity:1}}.md-consent__overlay{animation:overlay .25s both;-webkit-backdrop-filter:blur(.1rem);backdrop-filter:blur(.1rem);background-color:#0000008a;height:100%;opacity:1;position:fixed;top:0;width:100%;z-index:5}.md-consent__inner{animation:consent .5s cubic-bezier(.1,.7,.1,1) both;background-color:var(--md-default-bg-color);border:0;border-radius:.1rem;bottom:0;box-shadow:0 0 .2rem #0000001a,0 .2rem .4rem #0003;max-height:100%;overflow:auto;padding:0;position:fixed;width:100%;z-index:5}.md-consent__form{padding:.8rem}.md-consent__settings{display:none;margin:1em 0}input:checked+.md-consent__settings{display:block}.md-consent__controls{margin-bottom:.8rem}.md-typeset .md-consent__controls .md-button{display:inline}@media screen and (max-width:44.984375em){.md-typeset .md-consent__controls .md-button{display:block;margin-top:.4rem;text-align:center;width:100%}}.md-consent label{cursor:pointer}.md-content{flex-grow:1;min-width:0}.md-content__inner{margin:0 .8rem 1.2rem;padding-top:.6rem}@media screen and (min-width:76.25em){[dir=ltr] .md-sidebar--primary:not([hidden])~.md-content>.md-content__inner{margin-left:1.2rem}[dir=ltr] .md-sidebar--secondary:not([hidden])~.md-content>.md-content__inner,[dir=rtl] .md-sidebar--primary:not([hidden])~.md-content>.md-content__inner{margin-right:1.2rem}[dir=rtl] .md-sidebar--secondary:not([hidden])~.md-content>.md-content__inner{margin-left:1.2rem}}.md-content__inner:before{content:"";display:block;height:.4rem}.md-content__inner>:last-child{margin-bottom:0}[dir=ltr] .md-content__button{float:right}[dir=rtl] .md-content__button{float:left}[dir=ltr] .md-content__button{margin-left:.4rem}[dir=rtl] .md-content__button{margin-right:.4rem}.md-content__button{margin:.4rem 0;padding:0}@media print{.md-content__button{display:none}}.md-typeset .md-content__button{color:var(--md-default-fg-color--lighter)}.md-content__button svg{display:inline;vertical-align:top}[dir=rtl] .md-content__button svg{transform:scaleX(-1)}[dir=ltr] .md-dialog{right:.8rem}[dir=rtl] .md-dialog{left:.8rem}.md-dialog{background-color:var(--md-default-fg-color);border-radius:.1rem;bottom:.8rem;box-shadow:var(--md-shadow-z3);min-width:11.1rem;opacity:0;padding:.4rem .6rem;pointer-events:none;position:fixed;transform:translateY(100%);transition:transform 0ms .4s,opacity .4s;z-index:4}@media print{.md-dialog{display:none}}.md-dialog--active{opacity:1;pointer-events:auto;transform:translateY(0);transition:transform .4s cubic-bezier(.075,.85,.175,1),opacity .4s}.md-dialog__inner{color:var(--md-default-bg-color);font-size:.7rem}.md-feedback{margin:2em 0 1em;text-align:center}.md-feedback fieldset{border:none;margin:0;padding:0}.md-feedback__title{font-weight:700;margin:1em auto}.md-feedback__inner{position:relative}.md-feedback__list{display:flex;flex-wrap:wrap;place-content:baseline center;position:relative}.md-feedback__list:hover .md-icon:not(:disabled){color:var(--md-default-fg-color--lighter)}:disabled .md-feedback__list{min-height:1.8rem}.md-feedback__icon{color:var(--md-default-fg-color--light);cursor:pointer;flex-shrink:0;margin:0 .1rem;transition:color 125ms}.md-feedback__icon:not(:disabled).md-icon:hover{color:var(--md-accent-fg-color)}.md-feedback__icon:disabled{color:var(--md-default-fg-color--lightest);pointer-events:none}.md-feedback__note{opacity:0;position:relative;transform:translateY(.4rem);transition:transform .4s cubic-bezier(.1,.7,.1,1),opacity .15s}.md-feedback__note>*{margin:0 auto;max-width:16rem}:disabled .md-feedback__note{opacity:1;transform:translateY(0)}.md-footer{background-color:var(--md-footer-bg-color);color:var(--md-footer-fg-color)}@media print{.md-footer{display:none}}.md-footer__inner{justify-content:space-between;overflow:auto;padding:.2rem}.md-footer__inner:not([hidden]){display:flex}.md-footer__link{align-items:end;display:flex;flex-grow:0.01;margin-bottom:.4rem;margin-top:1rem;max-width:100%;outline-color:var(--md-accent-fg-color);overflow:hidden;transition:opacity .25s}.md-footer__link:focus,.md-footer__link:hover{opacity:.7}[dir=rtl] .md-footer__link svg{transform:scaleX(-1)}@media screen and (max-width:44.984375em){.md-footer__link--prev{flex-shrink:0}.md-footer__link--prev .md-footer__title{display:none}}[dir=ltr] .md-footer__link--next{margin-left:auto}[dir=rtl] .md-footer__link--next{margin-right:auto}.md-footer__link--next{text-align:right}[dir=rtl] .md-footer__link--next{text-align:left}.md-footer__title{flex-grow:1;font-size:.9rem;margin-bottom:.7rem;max-width:calc(100% - 2.4rem);padding:0 1rem;white-space:nowrap}.md-footer__button{margin:.2rem;padding:.4rem}.md-footer__direction{font-size:.64rem;opacity:.7}.md-footer-meta{background-color:var(--md-footer-bg-color--dark)}.md-footer-meta__inner{display:flex;flex-wrap:wrap;justify-content:space-between;padding:.2rem}html .md-footer-meta.md-typeset a{color:var(--md-footer-fg-color--light)}html .md-footer-meta.md-typeset a:focus,html .md-footer-meta.md-typeset a:hover{color:var(--md-footer-fg-color)}.md-copyright{color:var(--md-footer-fg-color--lighter);font-size:.64rem;margin:auto .6rem;padding:.4rem 0;width:100%}@media screen and (min-width:45em){.md-copyright{width:auto}}.md-copyright__highlight{color:var(--md-footer-fg-color--light)}.md-social{display:inline-flex;gap:.2rem;margin:0 .4rem;padding:.2rem 0 .6rem}@media screen and (min-width:45em){.md-social{padding:.6rem 0}}.md-social__link{display:inline-block;height:1.6rem;text-align:center;width:1.6rem}.md-social__link:before{line-height:1.9}.md-social__link svg{fill:currentcolor;max-height:.8rem;vertical-align:-25%}.md-typeset .md-button{border:.1rem solid;border-radius:.1rem;color:var(--md-primary-fg-color);cursor:pointer;display:inline-block;font-weight:700;padding:.625em 2em;transition:color 125ms,background-color 125ms,border-color 125ms}.md-typeset .md-button--primary{background-color:var(--md-primary-fg-color);border-color:var(--md-primary-fg-color);color:var(--md-primary-bg-color)}.md-typeset .md-button:focus,.md-typeset .md-button:hover{background-color:var(--md-accent-fg-color);border-color:var(--md-accent-fg-color);color:var(--md-accent-bg-color)}[dir=ltr] .md-typeset .md-input{border-top-left-radius:.1rem}[dir=ltr] .md-typeset .md-input,[dir=rtl] .md-typeset .md-input{border-top-right-radius:.1rem}[dir=rtl] .md-typeset .md-input{border-top-left-radius:.1rem}.md-typeset .md-input{border-bottom:.1rem solid var(--md-default-fg-color--lighter);box-shadow:var(--md-shadow-z1);font-size:.8rem;height:1.8rem;padding:0 .6rem;transition:border .25s,box-shadow .25s}.md-typeset .md-input:focus,.md-typeset .md-input:hover{border-bottom-color:var(--md-accent-fg-color);box-shadow:var(--md-shadow-z2)}.md-typeset .md-input--stretch{width:100%}.md-header{background-color:var(--md-primary-fg-color);box-shadow:0 0 .2rem #0000,0 .2rem .4rem #0000;color:var(--md-primary-bg-color);display:block;left:0;position:sticky;right:0;top:0;z-index:4}@media print{.md-header{display:none}}.md-header[hidden]{transform:translateY(-100%);transition:transform .25s cubic-bezier(.8,0,.6,1),box-shadow .25s}.md-header--shadow{box-shadow:0 0 .2rem #0000001a,0 .2rem .4rem #0003;transition:transform .25s cubic-bezier(.1,.7,.1,1),box-shadow .25s}.md-header__inner{align-items:center;display:flex;padding:0 .2rem}.md-header__button{color:currentcolor;cursor:pointer;margin:.2rem;outline-color:var(--md-accent-fg-color);padding:.4rem;position:relative;transition:opacity .25s;vertical-align:middle;z-index:1}.md-header__button:hover{opacity:.7}.md-header__button:not([hidden]){display:inline-block}.md-header__button:not(.focus-visible){-webkit-tap-highlight-color:transparent;outline:none}.md-header__button.md-logo{margin:.2rem;padding:.4rem}@media screen and (max-width:76.234375em){.md-header__button.md-logo{display:none}}.md-header__button.md-logo img,.md-header__button.md-logo svg{fill:currentcolor;display:block;height:1.2rem;width:auto}@media screen and (min-width:60em){.md-header__button[for=__search]{display:none}}.no-js .md-header__button[for=__search]{display:none}[dir=rtl] .md-header__button[for=__search] svg{transform:scaleX(-1)}@media screen and (min-width:76.25em){.md-header__button[for=__drawer]{display:none}}.md-header__topic{display:flex;max-width:100%;position:absolute;transition:transform .4s cubic-bezier(.1,.7,.1,1),opacity .15s;white-space:nowrap}.md-header__topic+.md-header__topic{opacity:0;pointer-events:none;transform:translateX(1.25rem);transition:transform .4s cubic-bezier(1,.7,.1,.1),opacity .15s;z-index:-1}[dir=rtl] .md-header__topic+.md-header__topic{transform:translateX(-1.25rem)}.md-header__topic:first-child{font-weight:700}[dir=ltr] .md-header__title{margin-left:1rem;margin-right:.4rem}[dir=rtl] .md-header__title{margin-left:.4rem;margin-right:1rem}.md-header__title{flex-grow:1;font-size:.9rem;height:2.4rem;line-height:2.4rem}.md-header__title--active .md-header__topic{opacity:0;pointer-events:none;transform:translateX(-1.25rem);transition:transform .4s cubic-bezier(1,.7,.1,.1),opacity .15s;z-index:-1}[dir=rtl] .md-header__title--active .md-header__topic{transform:translateX(1.25rem)}.md-header__title--active .md-header__topic+.md-header__topic{opacity:1;pointer-events:auto;transform:translateX(0);transition:transform .4s cubic-bezier(.1,.7,.1,1),opacity .15s;z-index:0}.md-header__title>.md-header__ellipsis{height:100%;position:relative;width:100%}.md-header__option{display:flex;flex-shrink:0;max-width:100%;transition:max-width 0ms .25s,opacity .25s .25s;white-space:nowrap}[data-md-toggle=search]:checked~.md-header .md-header__option{max-width:0;opacity:0;transition:max-width 0ms,opacity 0ms}.md-header__option>input{bottom:0}.md-header__source{display:none}@media screen and (min-width:60em){[dir=ltr] .md-header__source{margin-left:1rem}[dir=rtl] .md-header__source{margin-right:1rem}.md-header__source{display:block;max-width:11.7rem;width:11.7rem}}@media screen and (min-width:76.25em){[dir=ltr] .md-header__source{margin-left:1.4rem}[dir=rtl] .md-header__source{margin-right:1.4rem}}.md-meta{color:var(--md-default-fg-color--light);font-size:.7rem;line-height:1.3}.md-meta__list{display:inline-flex;flex-wrap:wrap;list-style:none;margin:0;padding:0}.md-meta__item:not(:last-child):after{content:"·";margin-left:.2rem;margin-right:.2rem}.md-meta__link{color:var(--md-typeset-a-color)}.md-meta__link:focus,.md-meta__link:hover{color:var(--md-accent-fg-color)}.md-draft{background-color:#ff1744;border-radius:.125em;color:#fff;display:inline-block;font-weight:700;padding-left:.5714285714em;padding-right:.5714285714em}:root{--md-nav-icon--prev:url('data:image/svg+xml;charset=utf-8,');--md-nav-icon--next:url('data:image/svg+xml;charset=utf-8,');--md-toc-icon:url('data:image/svg+xml;charset=utf-8,')}.md-nav{font-size:.7rem;line-height:1.3}.md-nav__title{color:var(--md-default-fg-color--light);display:block;font-weight:700;overflow:hidden;padding:0 .6rem;text-overflow:ellipsis}.md-nav__title .md-nav__button{display:none}.md-nav__title .md-nav__button img{height:100%;width:auto}.md-nav__title .md-nav__button.md-logo img,.md-nav__title .md-nav__button.md-logo svg{fill:currentcolor;display:block;height:2.4rem;max-width:100%;object-fit:contain;width:auto}.md-nav__list{list-style:none;margin:0;padding:0}.md-nav__link{align-items:flex-start;display:flex;gap:.4rem;margin-top:.625em;scroll-snap-align:start;transition:color 125ms}.md-nav__link--passed{color:var(--md-default-fg-color--light)}.md-nav__item .md-nav__link--active,.md-nav__item .md-nav__link--active code{color:var(--md-typeset-a-color)}.md-nav__link .md-ellipsis{position:relative}[dir=ltr] .md-nav__link .md-icon:last-child{margin-left:auto}[dir=rtl] .md-nav__link .md-icon:last-child{margin-right:auto}.md-nav__link svg{fill:currentcolor;flex-shrink:0;height:1.3em;position:relative}.md-nav__link[for]:focus,.md-nav__link[for]:hover,.md-nav__link[href]:focus,.md-nav__link[href]:hover{color:var(--md-accent-fg-color);cursor:pointer}.md-nav__link.focus-visible{outline-color:var(--md-accent-fg-color);outline-offset:.2rem}.md-nav--primary .md-nav__link[for=__toc]{display:none}.md-nav--primary .md-nav__link[for=__toc] .md-icon:after{background-color:currentcolor;display:block;height:100%;-webkit-mask-image:var(--md-toc-icon);mask-image:var(--md-toc-icon);width:100%}.md-nav--primary .md-nav__link[for=__toc]~.md-nav{display:none}.md-nav__container>.md-nav__link{margin-top:0}.md-nav__container>.md-nav__link:first-child{flex-grow:1;min-width:0}.md-nav__icon{flex-shrink:0}.md-nav__source{display:none}@media screen and (max-width:76.234375em){.md-nav--primary,.md-nav--primary .md-nav{background-color:var(--md-default-bg-color);display:flex;flex-direction:column;height:100%;left:0;position:absolute;right:0;top:0;z-index:1}.md-nav--primary .md-nav__item,.md-nav--primary .md-nav__title{font-size:.8rem;line-height:1.5}.md-nav--primary .md-nav__title{background-color:var(--md-default-fg-color--lightest);color:var(--md-default-fg-color--light);cursor:pointer;height:5.6rem;line-height:2.4rem;padding:3rem .8rem .2rem;position:relative;white-space:nowrap}[dir=ltr] .md-nav--primary .md-nav__title .md-nav__icon{left:.4rem}[dir=rtl] .md-nav--primary .md-nav__title .md-nav__icon{right:.4rem}.md-nav--primary .md-nav__title .md-nav__icon{display:block;height:1.2rem;margin:.2rem;position:absolute;top:.4rem;width:1.2rem}.md-nav--primary .md-nav__title .md-nav__icon:after{background-color:currentcolor;content:"";display:block;height:100%;-webkit-mask-image:var(--md-nav-icon--prev);mask-image:var(--md-nav-icon--prev);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;width:100%}.md-nav--primary .md-nav__title~.md-nav__list{background-color:var(--md-default-bg-color);box-shadow:0 .05rem 0 var(--md-default-fg-color--lightest) inset;overflow-y:auto;scroll-snap-type:y mandatory;touch-action:pan-y}.md-nav--primary .md-nav__title~.md-nav__list>:first-child{border-top:0}.md-nav--primary .md-nav__title[for=__drawer]{background-color:var(--md-primary-fg-color);color:var(--md-primary-bg-color);font-weight:700}.md-nav--primary .md-nav__title .md-logo{display:block;left:.2rem;margin:.2rem;padding:.4rem;position:absolute;right:.2rem;top:.2rem}.md-nav--primary .md-nav__list{flex:1}.md-nav--primary .md-nav__item{border-top:.05rem solid var(--md-default-fg-color--lightest)}.md-nav--primary .md-nav__item--active>.md-nav__link{color:var(--md-typeset-a-color)}.md-nav--primary .md-nav__item--active>.md-nav__link:focus,.md-nav--primary .md-nav__item--active>.md-nav__link:hover{color:var(--md-accent-fg-color)}.md-nav--primary .md-nav__link{margin-top:0;padding:.6rem .8rem}.md-nav--primary .md-nav__link svg{margin-top:.1em}.md-nav--primary .md-nav__link>.md-nav__link{padding:0}[dir=ltr] .md-nav--primary .md-nav__link .md-nav__icon{margin-right:-.2rem}[dir=rtl] .md-nav--primary .md-nav__link .md-nav__icon{margin-left:-.2rem}.md-nav--primary .md-nav__link .md-nav__icon{font-size:1.2rem;height:1.2rem;width:1.2rem}.md-nav--primary .md-nav__link .md-nav__icon:after{background-color:currentcolor;content:"";display:block;height:100%;-webkit-mask-image:var(--md-nav-icon--next);mask-image:var(--md-nav-icon--next);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;width:100%}[dir=rtl] .md-nav--primary .md-nav__icon:after{transform:scale(-1)}.md-nav--primary .md-nav--secondary .md-nav{background-color:initial;position:static}[dir=ltr] .md-nav--primary .md-nav--secondary .md-nav .md-nav__link{padding-left:1.4rem}[dir=rtl] .md-nav--primary .md-nav--secondary .md-nav .md-nav__link{padding-right:1.4rem}[dir=ltr] .md-nav--primary .md-nav--secondary .md-nav .md-nav .md-nav__link{padding-left:2rem}[dir=rtl] .md-nav--primary .md-nav--secondary .md-nav .md-nav .md-nav__link{padding-right:2rem}[dir=ltr] .md-nav--primary .md-nav--secondary .md-nav .md-nav .md-nav .md-nav__link{padding-left:2.6rem}[dir=rtl] .md-nav--primary .md-nav--secondary .md-nav .md-nav .md-nav .md-nav__link{padding-right:2.6rem}[dir=ltr] .md-nav--primary .md-nav--secondary .md-nav .md-nav .md-nav .md-nav .md-nav__link{padding-left:3.2rem}[dir=rtl] .md-nav--primary .md-nav--secondary .md-nav .md-nav .md-nav .md-nav .md-nav__link{padding-right:3.2rem}.md-nav--secondary{background-color:initial}.md-nav__toggle~.md-nav{display:flex;opacity:0;transform:translateX(100%);transition:transform .25s cubic-bezier(.8,0,.6,1),opacity 125ms 50ms}[dir=rtl] .md-nav__toggle~.md-nav{transform:translateX(-100%)}.md-nav__toggle:checked~.md-nav{opacity:1;transform:translateX(0);transition:transform .25s cubic-bezier(.4,0,.2,1),opacity 125ms 125ms}.md-nav__toggle:checked~.md-nav>.md-nav__list{-webkit-backface-visibility:hidden;backface-visibility:hidden}}@media screen and (max-width:59.984375em){.md-nav--primary .md-nav__link[for=__toc]{display:flex}.md-nav--primary .md-nav__link[for=__toc] .md-icon:after{content:""}.md-nav--primary .md-nav__link[for=__toc]+.md-nav__link{display:none}.md-nav--primary .md-nav__link[for=__toc]~.md-nav{display:flex}.md-nav__source{background-color:var(--md-primary-fg-color--dark);color:var(--md-primary-bg-color);display:block;padding:0 .2rem}}@media screen and (min-width:60em) and (max-width:76.234375em){.md-nav--integrated .md-nav__link[for=__toc]{display:flex}.md-nav--integrated .md-nav__link[for=__toc] .md-icon:after{content:""}.md-nav--integrated .md-nav__link[for=__toc]+.md-nav__link{display:none}.md-nav--integrated .md-nav__link[for=__toc]~.md-nav{display:flex}}@media screen and (min-width:60em){.md-nav{margin-bottom:-.4rem}.md-nav--secondary .md-nav__title{background:var(--md-default-bg-color);box-shadow:0 0 .4rem .4rem var(--md-default-bg-color);position:sticky;top:0;z-index:1}.md-nav--secondary .md-nav__title[for=__toc]{scroll-snap-align:start}.md-nav--secondary .md-nav__title .md-nav__icon{display:none}[dir=ltr] .md-nav--secondary .md-nav__list{padding-left:.6rem}[dir=rtl] .md-nav--secondary .md-nav__list{padding-right:.6rem}.md-nav--secondary .md-nav__list{padding-bottom:.4rem}[dir=ltr] .md-nav--secondary .md-nav__item>.md-nav__link{margin-right:.4rem}[dir=rtl] .md-nav--secondary .md-nav__item>.md-nav__link{margin-left:.4rem}}@media screen and (min-width:76.25em){.md-nav{margin-bottom:-.4rem;transition:max-height .25s cubic-bezier(.86,0,.07,1)}.md-nav--primary .md-nav__title{background:var(--md-default-bg-color);box-shadow:0 0 .4rem .4rem var(--md-default-bg-color);position:sticky;top:0;z-index:1}.md-nav--primary .md-nav__title[for=__drawer]{scroll-snap-align:start}.md-nav--primary .md-nav__title .md-nav__icon{display:none}[dir=ltr] .md-nav--primary .md-nav__list{padding-left:.6rem}[dir=rtl] .md-nav--primary .md-nav__list{padding-right:.6rem}.md-nav--primary .md-nav__list{padding-bottom:.4rem}[dir=ltr] .md-nav--primary .md-nav__item>.md-nav__link{margin-right:.4rem}[dir=rtl] .md-nav--primary .md-nav__item>.md-nav__link{margin-left:.4rem}.md-nav__toggle~.md-nav{display:grid;grid-template-rows:0fr;opacity:0;transition:grid-template-rows .25s cubic-bezier(.86,0,.07,1),opacity .25s,visibility 0ms .25s;visibility:collapse}.md-nav__toggle~.md-nav>.md-nav__list{overflow:hidden}.md-nav__toggle.md-toggle--indeterminate~.md-nav,.md-nav__toggle:checked~.md-nav{grid-template-rows:1fr;opacity:1;transition:grid-template-rows .25s cubic-bezier(.86,0,.07,1),opacity .15s .1s,visibility 0ms;visibility:visible}.md-nav__toggle.md-toggle--indeterminate~.md-nav{transition:none}.md-nav__item--nested>.md-nav>.md-nav__title{display:none}.md-nav__item--section{display:block;margin:1.25em 0}.md-nav__item--section:last-child{margin-bottom:0}.md-nav__item--section>.md-nav__link{font-weight:700}.md-nav__item--section>.md-nav__link[for]{color:var(--md-default-fg-color--light)}.md-nav__item--section>.md-nav__link:not(.md-nav__container){pointer-events:none}.md-nav__item--section>.md-nav__link .md-icon,.md-nav__item--section>.md-nav__link>[for]{display:none}[dir=ltr] .md-nav__item--section>.md-nav{margin-left:-.6rem}[dir=rtl] .md-nav__item--section>.md-nav{margin-right:-.6rem}.md-nav__item--section>.md-nav{display:block;opacity:1;visibility:visible}.md-nav__item--section>.md-nav>.md-nav__list>.md-nav__item{padding:0}.md-nav__icon{border-radius:100%;height:.9rem;transition:background-color .25s;width:.9rem}.md-nav__icon:hover{background-color:var(--md-accent-fg-color--transparent)}.md-nav__icon:after{background-color:currentcolor;border-radius:100%;content:"";display:inline-block;height:100%;-webkit-mask-image:var(--md-nav-icon--next);mask-image:var(--md-nav-icon--next);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;transition:transform .25s;vertical-align:-.1rem;width:100%}[dir=rtl] .md-nav__icon:after{transform:rotate(180deg)}.md-nav__item--nested .md-nav__toggle:checked~.md-nav__link .md-nav__icon:after,.md-nav__item--nested .md-toggle--indeterminate~.md-nav__link .md-nav__icon:after{transform:rotate(90deg)}.md-nav--lifted>.md-nav__list>.md-nav__item,.md-nav--lifted>.md-nav__title{display:none}.md-nav--lifted>.md-nav__list>.md-nav__item--active{display:block}.md-nav--lifted>.md-nav__list>.md-nav__item--active>.md-nav__link{background:var(--md-default-bg-color);box-shadow:0 0 .4rem .4rem var(--md-default-bg-color);margin-top:0;position:sticky;top:0;z-index:1}.md-nav--lifted>.md-nav__list>.md-nav__item--active>.md-nav__link:not(.md-nav__container){pointer-events:none}.md-nav--lifted>.md-nav__list>.md-nav__item--active.md-nav__item--section{margin:0}[dir=ltr] .md-nav--lifted>.md-nav__list>.md-nav__item>.md-nav:not(.md-nav--secondary){margin-left:-.6rem}[dir=rtl] .md-nav--lifted>.md-nav__list>.md-nav__item>.md-nav:not(.md-nav--secondary){margin-right:-.6rem}.md-nav--lifted>.md-nav__list>.md-nav__item>[for]{color:var(--md-default-fg-color--light)}.md-nav--lifted .md-nav[data-md-level="1"]{grid-template-rows:1fr;opacity:1;visibility:visible}[dir=ltr] .md-nav--integrated>.md-nav__list>.md-nav__item--active .md-nav--secondary{border-left:.05rem solid var(--md-primary-fg-color)}[dir=rtl] .md-nav--integrated>.md-nav__list>.md-nav__item--active .md-nav--secondary{border-right:.05rem solid var(--md-primary-fg-color)}.md-nav--integrated>.md-nav__list>.md-nav__item--active .md-nav--secondary{display:block;margin-bottom:1.25em;opacity:1;visibility:visible}.md-nav--integrated>.md-nav__list>.md-nav__item--active .md-nav--secondary>.md-nav__list{overflow:visible;padding-bottom:0}.md-nav--integrated>.md-nav__list>.md-nav__item--active .md-nav--secondary>.md-nav__title{display:none}}.md-pagination{font-size:.8rem;font-weight:700;gap:.4rem}.md-pagination,.md-pagination>*{align-items:center;display:flex;justify-content:center}.md-pagination>*{border-radius:.2rem;height:1.8rem;min-width:1.8rem;text-align:center}.md-pagination__current{background-color:var(--md-default-fg-color--lightest);color:var(--md-default-fg-color--light)}.md-pagination__link{transition:color 125ms,background-color 125ms}.md-pagination__link:focus,.md-pagination__link:hover{background-color:var(--md-accent-fg-color--transparent);color:var(--md-accent-fg-color)}.md-pagination__link:focus svg,.md-pagination__link:hover svg{color:var(--md-accent-fg-color)}.md-pagination__link.focus-visible{outline-color:var(--md-accent-fg-color);outline-offset:.2rem}.md-pagination__link svg{fill:currentcolor;color:var(--md-default-fg-color--lighter);display:block;max-height:100%;width:1.2rem}.md-post__back{border-bottom:.05rem solid var(--md-default-fg-color--lightest);margin-bottom:1.2rem;padding-bottom:1.2rem}@media screen and (max-width:76.234375em){.md-post__back{display:none}}[dir=rtl] .md-post__back svg{transform:scaleX(-1)}.md-post__authors{display:flex;flex-direction:column;gap:.6rem;margin:0 .6rem 1.2rem}.md-post .md-post__meta a{transition:color 125ms}.md-post .md-post__meta a:focus,.md-post .md-post__meta a:hover{color:var(--md-accent-fg-color)}.md-post__title{color:var(--md-default-fg-color--light);font-weight:700}.md-post--excerpt{margin-bottom:3.2rem}.md-post--excerpt .md-post__header{align-items:center;display:flex;gap:.6rem;min-height:1.6rem}.md-post--excerpt .md-post__authors{align-items:center;display:inline-flex;flex-direction:row;gap:.2rem;margin:0;min-height:2.4rem}[dir=ltr] .md-post--excerpt .md-post__meta .md-meta__list{margin-right:.4rem}[dir=rtl] .md-post--excerpt .md-post__meta .md-meta__list{margin-left:.4rem}.md-post--excerpt .md-post__content>:first-child{--md-scroll-margin:6rem;margin-top:0}.md-post>.md-nav--secondary{margin:1em 0}.md-profile{align-items:center;display:flex;font-size:.7rem;gap:.6rem;line-height:1.4;width:100%}.md-profile__description{flex-grow:1}.md-content--post{display:flex}@media screen and (max-width:76.234375em){.md-content--post{flex-flow:column-reverse}}.md-content--post>.md-content__inner{min-width:0}@media screen and (min-width:76.25em){[dir=ltr] .md-content--post>.md-content__inner{margin-left:1.2rem}[dir=rtl] .md-content--post>.md-content__inner{margin-right:1.2rem}}@media screen and (max-width:76.234375em){.md-sidebar.md-sidebar--post{padding:0;position:static;width:100%}.md-sidebar.md-sidebar--post .md-sidebar__scrollwrap{overflow:visible}.md-sidebar.md-sidebar--post .md-sidebar__inner{padding:0}.md-sidebar.md-sidebar--post .md-post__meta{margin-left:.6rem;margin-right:.6rem}.md-sidebar.md-sidebar--post .md-nav__item{border:none;display:inline}.md-sidebar.md-sidebar--post .md-nav__list{display:inline-flex;flex-wrap:wrap;gap:.6rem;padding-bottom:.6rem;padding-top:.6rem}.md-sidebar.md-sidebar--post .md-nav__link{padding:0}.md-sidebar.md-sidebar--post .md-nav{height:auto;margin-bottom:0;position:static}}:root{--md-progress-value:0;--md-progress-delay:400ms}.md-progress{background:var(--md-primary-bg-color);height:.075rem;opacity:min(clamp(0,var(--md-progress-value),1),clamp(0,100 - var(--md-progress-value),1));position:fixed;top:0;transform:scaleX(calc(var(--md-progress-value)*1%));transform-origin:left;transition:transform .5s cubic-bezier(.19,1,.22,1),opacity .25s var(--md-progress-delay);width:100%;z-index:4}:root{--md-search-result-icon:url('data:image/svg+xml;charset=utf-8,')}.md-search{position:relative}@media screen and (min-width:60em){.md-search{padding:.2rem 0}}.no-js .md-search{display:none}.md-search__overlay{opacity:0;z-index:1}@media screen and (max-width:59.984375em){[dir=ltr] .md-search__overlay{left:-2.2rem}[dir=rtl] .md-search__overlay{right:-2.2rem}.md-search__overlay{background-color:var(--md-default-bg-color);border-radius:1rem;height:2rem;overflow:hidden;pointer-events:none;position:absolute;top:-1rem;transform-origin:center;transition:transform .3s .1s,opacity .2s .2s;width:2rem}[data-md-toggle=search]:checked~.md-header .md-search__overlay{opacity:1;transition:transform .4s,opacity .1s}}@media screen and (min-width:60em){[dir=ltr] .md-search__overlay{left:0}[dir=rtl] .md-search__overlay{right:0}.md-search__overlay{background-color:#0000008a;cursor:pointer;height:0;position:fixed;top:0;transition:width 0ms .25s,height 0ms .25s,opacity .25s;width:0}[data-md-toggle=search]:checked~.md-header .md-search__overlay{height:200vh;opacity:1;transition:width 0ms,height 0ms,opacity .25s;width:100%}}@media screen and (max-width:29.984375em){[data-md-toggle=search]:checked~.md-header .md-search__overlay{transform:scale(45)}}@media screen and (min-width:30em) and (max-width:44.984375em){[data-md-toggle=search]:checked~.md-header .md-search__overlay{transform:scale(60)}}@media screen and (min-width:45em) and (max-width:59.984375em){[data-md-toggle=search]:checked~.md-header .md-search__overlay{transform:scale(75)}}.md-search__inner{-webkit-backface-visibility:hidden;backface-visibility:hidden}@media screen and (max-width:59.984375em){[dir=ltr] .md-search__inner{left:0}[dir=rtl] .md-search__inner{right:0}.md-search__inner{height:0;opacity:0;overflow:hidden;position:fixed;top:0;transform:translateX(5%);transition:width 0ms .3s,height 0ms .3s,transform .15s cubic-bezier(.4,0,.2,1) .15s,opacity .15s .15s;width:0;z-index:2}[dir=rtl] .md-search__inner{transform:translateX(-5%)}[data-md-toggle=search]:checked~.md-header .md-search__inner{height:100%;opacity:1;transform:translateX(0);transition:width 0ms 0ms,height 0ms 0ms,transform .15s cubic-bezier(.1,.7,.1,1) .15s,opacity .15s .15s;width:100%}}@media screen and (min-width:60em){[dir=ltr] .md-search__inner{float:right}[dir=rtl] .md-search__inner{float:left}.md-search__inner{padding:.1rem 0;position:relative;transition:width .25s cubic-bezier(.1,.7,.1,1);width:11.7rem}}@media screen and (min-width:60em) and (max-width:76.234375em){[data-md-toggle=search]:checked~.md-header .md-search__inner{width:23.4rem}}@media screen and (min-width:76.25em){[data-md-toggle=search]:checked~.md-header .md-search__inner{width:34.4rem}}.md-search__form{background-color:var(--md-default-bg-color);box-shadow:0 0 .6rem #0000;height:2.4rem;position:relative;transition:color .25s,background-color .25s;z-index:2}@media screen and (min-width:60em){.md-search__form{background-color:#00000042;border-radius:.1rem;height:1.8rem}.md-search__form:hover{background-color:#ffffff1f}}[data-md-toggle=search]:checked~.md-header .md-search__form{background-color:var(--md-default-bg-color);border-radius:.1rem .1rem 0 0;box-shadow:0 0 .6rem #00000012;color:var(--md-default-fg-color)}[dir=ltr] .md-search__input{padding-left:3.6rem;padding-right:2.2rem}[dir=rtl] .md-search__input{padding-left:2.2rem;padding-right:3.6rem}.md-search__input{background:#0000;font-size:.9rem;height:100%;position:relative;text-overflow:ellipsis;width:100%;z-index:2}.md-search__input::placeholder{transition:color .25s}.md-search__input::placeholder,.md-search__input~.md-search__icon{color:var(--md-default-fg-color--light)}.md-search__input::-ms-clear{display:none}@media screen and (max-width:59.984375em){.md-search__input{font-size:.9rem;height:2.4rem;width:100%}}@media screen and (min-width:60em){[dir=ltr] .md-search__input{padding-left:2.2rem}[dir=rtl] .md-search__input{padding-right:2.2rem}.md-search__input{color:inherit;font-size:.8rem}.md-search__input::placeholder{color:var(--md-primary-bg-color--light)}.md-search__input+.md-search__icon{color:var(--md-primary-bg-color)}[data-md-toggle=search]:checked~.md-header .md-search__input{text-overflow:clip}[data-md-toggle=search]:checked~.md-header .md-search__input+.md-search__icon{color:var(--md-default-fg-color--light)}[data-md-toggle=search]:checked~.md-header .md-search__input::placeholder{color:#0000}}.md-search__icon{cursor:pointer;display:inline-block;height:1.2rem;transition:color .25s,opacity .25s;width:1.2rem}.md-search__icon:hover{opacity:.7}[dir=ltr] .md-search__icon[for=__search]{left:.5rem}[dir=rtl] .md-search__icon[for=__search]{right:.5rem}.md-search__icon[for=__search]{position:absolute;top:.3rem;z-index:2}[dir=rtl] .md-search__icon[for=__search] svg{transform:scaleX(-1)}@media screen and (max-width:59.984375em){[dir=ltr] .md-search__icon[for=__search]{left:.8rem}[dir=rtl] .md-search__icon[for=__search]{right:.8rem}.md-search__icon[for=__search]{top:.6rem}.md-search__icon[for=__search] svg:first-child{display:none}}@media screen and (min-width:60em){.md-search__icon[for=__search]{pointer-events:none}.md-search__icon[for=__search] svg:last-child{display:none}}[dir=ltr] .md-search__options{right:.5rem}[dir=rtl] .md-search__options{left:.5rem}.md-search__options{pointer-events:none;position:absolute;top:.3rem;z-index:2}@media screen and (max-width:59.984375em){[dir=ltr] .md-search__options{right:.8rem}[dir=rtl] .md-search__options{left:.8rem}.md-search__options{top:.6rem}}[dir=ltr] .md-search__options>.md-icon{margin-left:.2rem}[dir=rtl] .md-search__options>.md-icon{margin-right:.2rem}.md-search__options>.md-icon{color:var(--md-default-fg-color--light);opacity:0;transform:scale(.75);transition:transform .15s cubic-bezier(.1,.7,.1,1),opacity .15s}.md-search__options>.md-icon:not(.focus-visible){-webkit-tap-highlight-color:transparent;outline:none}[data-md-toggle=search]:checked~.md-header .md-search__input:valid~.md-search__options>.md-icon{opacity:1;pointer-events:auto;transform:scale(1)}[data-md-toggle=search]:checked~.md-header .md-search__input:valid~.md-search__options>.md-icon:hover{opacity:.7}[dir=ltr] .md-search__suggest{padding-left:3.6rem;padding-right:2.2rem}[dir=rtl] .md-search__suggest{padding-left:2.2rem;padding-right:3.6rem}.md-search__suggest{align-items:center;color:var(--md-default-fg-color--lighter);display:flex;font-size:.9rem;height:100%;opacity:0;position:absolute;top:0;transition:opacity 50ms;white-space:nowrap;width:100%}@media screen and (min-width:60em){[dir=ltr] .md-search__suggest{padding-left:2.2rem}[dir=rtl] .md-search__suggest{padding-right:2.2rem}.md-search__suggest{font-size:.8rem}}[data-md-toggle=search]:checked~.md-header .md-search__suggest{opacity:1;transition:opacity .3s .1s}[dir=ltr] .md-search__output{border-bottom-left-radius:.1rem}[dir=ltr] .md-search__output,[dir=rtl] .md-search__output{border-bottom-right-radius:.1rem}[dir=rtl] .md-search__output{border-bottom-left-radius:.1rem}.md-search__output{overflow:hidden;position:absolute;width:100%;z-index:1}@media screen and (max-width:59.984375em){.md-search__output{bottom:0;top:2.4rem}}@media screen and (min-width:60em){.md-search__output{opacity:0;top:1.9rem;transition:opacity .4s}[data-md-toggle=search]:checked~.md-header .md-search__output{box-shadow:var(--md-shadow-z3);opacity:1}}.md-search__scrollwrap{-webkit-backface-visibility:hidden;backface-visibility:hidden;background-color:var(--md-default-bg-color);height:100%;overflow-y:auto;touch-action:pan-y}@media (-webkit-max-device-pixel-ratio:1),(max-resolution:1dppx){.md-search__scrollwrap{transform:translateZ(0)}}@media screen and (min-width:60em) and (max-width:76.234375em){.md-search__scrollwrap{width:23.4rem}}@media screen and (min-width:76.25em){.md-search__scrollwrap{width:34.4rem}}@media screen and (min-width:60em){.md-search__scrollwrap{max-height:0;scrollbar-color:var(--md-default-fg-color--lighter) #0000;scrollbar-width:thin}[data-md-toggle=search]:checked~.md-header .md-search__scrollwrap{max-height:75vh}.md-search__scrollwrap:hover{scrollbar-color:var(--md-accent-fg-color) #0000}.md-search__scrollwrap::-webkit-scrollbar{height:.2rem;width:.2rem}.md-search__scrollwrap::-webkit-scrollbar-thumb{background-color:var(--md-default-fg-color--lighter)}.md-search__scrollwrap::-webkit-scrollbar-thumb:hover{background-color:var(--md-accent-fg-color)}}.md-search-result{color:var(--md-default-fg-color);word-break:break-word}.md-search-result__meta{background-color:var(--md-default-fg-color--lightest);color:var(--md-default-fg-color--light);font-size:.64rem;line-height:1.8rem;padding:0 .8rem;scroll-snap-align:start}@media screen and (min-width:60em){[dir=ltr] .md-search-result__meta{padding-left:2.2rem}[dir=rtl] .md-search-result__meta{padding-right:2.2rem}}.md-search-result__list{list-style:none;margin:0;padding:0;-webkit-user-select:none;user-select:none}.md-search-result__item{box-shadow:0 -.05rem var(--md-default-fg-color--lightest)}.md-search-result__item:first-child{box-shadow:none}.md-search-result__link{display:block;outline:none;scroll-snap-align:start;transition:background-color .25s}.md-search-result__link:focus,.md-search-result__link:hover{background-color:var(--md-accent-fg-color--transparent)}.md-search-result__link:last-child p:last-child{margin-bottom:.6rem}.md-search-result__more>summary{cursor:pointer;display:block;outline:none;position:sticky;scroll-snap-align:start;top:0;z-index:1}.md-search-result__more>summary::marker{display:none}.md-search-result__more>summary::-webkit-details-marker{display:none}.md-search-result__more>summary>div{color:var(--md-typeset-a-color);font-size:.64rem;padding:.75em .8rem;transition:color .25s,background-color .25s}@media screen and (min-width:60em){[dir=ltr] .md-search-result__more>summary>div{padding-left:2.2rem}[dir=rtl] .md-search-result__more>summary>div{padding-right:2.2rem}}.md-search-result__more>summary:focus>div,.md-search-result__more>summary:hover>div{background-color:var(--md-accent-fg-color--transparent);color:var(--md-accent-fg-color)}.md-search-result__more[open]>summary{background-color:var(--md-default-bg-color)}.md-search-result__article{overflow:hidden;padding:0 .8rem;position:relative}@media screen and (min-width:60em){[dir=ltr] .md-search-result__article{padding-left:2.2rem}[dir=rtl] .md-search-result__article{padding-right:2.2rem}}[dir=ltr] .md-search-result__icon{left:0}[dir=rtl] .md-search-result__icon{right:0}.md-search-result__icon{color:var(--md-default-fg-color--light);height:1.2rem;margin:.5rem;position:absolute;width:1.2rem}@media screen and (max-width:59.984375em){.md-search-result__icon{display:none}}.md-search-result__icon:after{background-color:currentcolor;content:"";display:inline-block;height:100%;-webkit-mask-image:var(--md-search-result-icon);mask-image:var(--md-search-result-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;width:100%}[dir=rtl] .md-search-result__icon:after{transform:scaleX(-1)}.md-search-result .md-typeset{color:var(--md-default-fg-color--light);font-size:.64rem;line-height:1.6}.md-search-result .md-typeset h1{color:var(--md-default-fg-color);font-size:.8rem;font-weight:400;line-height:1.4;margin:.55rem 0}.md-search-result .md-typeset h1 mark{text-decoration:none}.md-search-result .md-typeset h2{color:var(--md-default-fg-color);font-size:.64rem;font-weight:700;line-height:1.6;margin:.5em 0}.md-search-result .md-typeset h2 mark{text-decoration:none}.md-search-result__terms{color:var(--md-default-fg-color);display:block;font-size:.64rem;font-style:italic;margin:.5em 0}.md-search-result mark{background-color:initial;color:var(--md-accent-fg-color);text-decoration:underline}.md-select{position:relative;z-index:1}.md-select__inner{background-color:var(--md-default-bg-color);border-radius:.1rem;box-shadow:var(--md-shadow-z2);color:var(--md-default-fg-color);left:50%;margin-top:.2rem;max-height:0;opacity:0;position:absolute;top:calc(100% - .2rem);transform:translate3d(-50%,.3rem,0);transition:transform .25s 375ms,opacity .25s .25s,max-height 0ms .5s}.md-select:focus-within .md-select__inner,.md-select:hover .md-select__inner{max-height:10rem;opacity:1;transform:translate3d(-50%,0,0);transition:transform .25s cubic-bezier(.1,.7,.1,1),opacity .25s,max-height 0ms}.md-select__inner:after{border-bottom:.2rem solid #0000;border-bottom-color:var(--md-default-bg-color);border-left:.2rem solid #0000;border-right:.2rem solid #0000;border-top:0;content:"";height:0;left:50%;margin-left:-.2rem;margin-top:-.2rem;position:absolute;top:0;width:0}.md-select__list{border-radius:.1rem;font-size:.8rem;list-style-type:none;margin:0;max-height:inherit;overflow:auto;padding:0}.md-select__item{line-height:1.8rem}[dir=ltr] .md-select__link{padding-left:.6rem;padding-right:1.2rem}[dir=rtl] .md-select__link{padding-left:1.2rem;padding-right:.6rem}.md-select__link{cursor:pointer;display:block;outline:none;scroll-snap-align:start;transition:background-color .25s,color .25s;width:100%}.md-select__link:focus,.md-select__link:hover{color:var(--md-accent-fg-color)}.md-select__link:focus{background-color:var(--md-default-fg-color--lightest)}.md-sidebar{align-self:flex-start;flex-shrink:0;padding:1.2rem 0;position:sticky;top:2.4rem;width:12.1rem}@media print{.md-sidebar{display:none}}@media screen and (max-width:76.234375em){[dir=ltr] .md-sidebar--primary{left:-12.1rem}[dir=rtl] .md-sidebar--primary{right:-12.1rem}.md-sidebar--primary{background-color:var(--md-default-bg-color);display:block;height:100%;position:fixed;top:0;transform:translateX(0);transition:transform .25s cubic-bezier(.4,0,.2,1),box-shadow .25s;width:12.1rem;z-index:5}[data-md-toggle=drawer]:checked~.md-container .md-sidebar--primary{box-shadow:var(--md-shadow-z3);transform:translateX(12.1rem)}[dir=rtl] [data-md-toggle=drawer]:checked~.md-container .md-sidebar--primary{transform:translateX(-12.1rem)}.md-sidebar--primary .md-sidebar__scrollwrap{bottom:0;left:0;margin:0;overflow:hidden;position:absolute;right:0;scroll-snap-type:none;top:0}}@media screen and (min-width:76.25em){.md-sidebar{height:0}.no-js .md-sidebar{height:auto}.md-header--lifted~.md-container .md-sidebar{top:4.8rem}}.md-sidebar--secondary{display:none;order:2}@media screen and (min-width:60em){.md-sidebar--secondary{height:0}.no-js .md-sidebar--secondary{height:auto}.md-sidebar--secondary:not([hidden]){display:block}.md-sidebar--secondary .md-sidebar__scrollwrap{touch-action:pan-y}}.md-sidebar__scrollwrap{scrollbar-gutter:stable;-webkit-backface-visibility:hidden;backface-visibility:hidden;margin:0 .2rem;overflow-y:auto;scrollbar-color:var(--md-default-fg-color--lighter) #0000;scrollbar-width:thin}.md-sidebar__scrollwrap::-webkit-scrollbar{height:.2rem;width:.2rem}.md-sidebar__scrollwrap:focus-within,.md-sidebar__scrollwrap:hover{scrollbar-color:var(--md-accent-fg-color) #0000}.md-sidebar__scrollwrap:focus-within::-webkit-scrollbar-thumb,.md-sidebar__scrollwrap:hover::-webkit-scrollbar-thumb{background-color:var(--md-default-fg-color--lighter)}.md-sidebar__scrollwrap:focus-within::-webkit-scrollbar-thumb:hover,.md-sidebar__scrollwrap:hover::-webkit-scrollbar-thumb:hover{background-color:var(--md-accent-fg-color)}@supports selector(::-webkit-scrollbar){.md-sidebar__scrollwrap{scrollbar-gutter:auto}[dir=ltr] .md-sidebar__inner{padding-right:calc(100% - 11.5rem)}[dir=rtl] .md-sidebar__inner{padding-left:calc(100% - 11.5rem)}}@media screen and (max-width:76.234375em){.md-overlay{background-color:#0000008a;height:0;opacity:0;position:fixed;top:0;transition:width 0ms .25s,height 0ms .25s,opacity .25s;width:0;z-index:5}[data-md-toggle=drawer]:checked~.md-overlay{height:100%;opacity:1;transition:width 0ms,height 0ms,opacity .25s;width:100%}}@keyframes facts{0%{height:0}to{height:.65rem}}@keyframes fact{0%{opacity:0;transform:translateY(100%)}50%{opacity:0}to{opacity:1;transform:translateY(0)}}:root{--md-source-forks-icon:url('data:image/svg+xml;charset=utf-8,');--md-source-repositories-icon:url('data:image/svg+xml;charset=utf-8,');--md-source-stars-icon:url('data:image/svg+xml;charset=utf-8,');--md-source-version-icon:url('data:image/svg+xml;charset=utf-8,')}.md-source{-webkit-backface-visibility:hidden;backface-visibility:hidden;display:block;font-size:.65rem;line-height:1.2;outline-color:var(--md-accent-fg-color);transition:opacity .25s;white-space:nowrap}.md-source:hover{opacity:.7}.md-source__icon{display:inline-block;height:2.4rem;vertical-align:middle;width:2rem}[dir=ltr] .md-source__icon svg{margin-left:.6rem}[dir=rtl] .md-source__icon svg{margin-right:.6rem}.md-source__icon svg{margin-top:.6rem}[dir=ltr] .md-source__icon+.md-source__repository{padding-left:2rem}[dir=rtl] .md-source__icon+.md-source__repository{padding-right:2rem}[dir=ltr] .md-source__icon+.md-source__repository{margin-left:-2rem}[dir=rtl] .md-source__icon+.md-source__repository{margin-right:-2rem}[dir=ltr] .md-source__repository{margin-left:.6rem}[dir=rtl] .md-source__repository{margin-right:.6rem}.md-source__repository{display:inline-block;max-width:calc(100% - 1.2rem);overflow:hidden;text-overflow:ellipsis;vertical-align:middle}.md-source__facts{display:flex;font-size:.55rem;gap:.4rem;list-style-type:none;margin:.1rem 0 0;opacity:.75;overflow:hidden;padding:0;width:100%}.md-source__repository--active .md-source__facts{animation:facts .25s ease-in}.md-source__fact{overflow:hidden;text-overflow:ellipsis}.md-source__repository--active .md-source__fact{animation:fact .4s ease-out}[dir=ltr] .md-source__fact:before{margin-right:.1rem}[dir=rtl] .md-source__fact:before{margin-left:.1rem}.md-source__fact:before{background-color:currentcolor;content:"";display:inline-block;height:.6rem;-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;vertical-align:text-top;width:.6rem}.md-source__fact:nth-child(1n+2){flex-shrink:0}.md-source__fact--version:before{-webkit-mask-image:var(--md-source-version-icon);mask-image:var(--md-source-version-icon)}.md-source__fact--stars:before{-webkit-mask-image:var(--md-source-stars-icon);mask-image:var(--md-source-stars-icon)}.md-source__fact--forks:before{-webkit-mask-image:var(--md-source-forks-icon);mask-image:var(--md-source-forks-icon)}.md-source__fact--repositories:before{-webkit-mask-image:var(--md-source-repositories-icon);mask-image:var(--md-source-repositories-icon)}.md-source-file{margin:1em 0}[dir=ltr] .md-source-file__fact{margin-right:.6rem}[dir=rtl] .md-source-file__fact{margin-left:.6rem}.md-source-file__fact{align-items:center;color:var(--md-default-fg-color--light);display:inline-flex;font-size:.68rem;gap:.3rem}.md-source-file__fact .md-icon{flex-shrink:0;margin-bottom:.05rem}[dir=ltr] .md-source-file__fact .md-author{float:left}[dir=rtl] .md-source-file__fact .md-author{float:right}.md-source-file__fact .md-author{margin-right:.2rem}.md-source-file__fact svg{width:.9rem}:root{--md-status:url('data:image/svg+xml;charset=utf-8,');--md-status--new:url('data:image/svg+xml;charset=utf-8,');--md-status--deprecated:url('data:image/svg+xml;charset=utf-8,');--md-status--encrypted:url('data:image/svg+xml;charset=utf-8,')}.md-status:after{background-color:var(--md-default-fg-color--light);content:"";display:inline-block;height:1.125em;-webkit-mask-image:var(--md-status);mask-image:var(--md-status);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;vertical-align:text-bottom;width:1.125em}.md-status:hover:after{background-color:currentcolor}.md-status--new:after{-webkit-mask-image:var(--md-status--new);mask-image:var(--md-status--new)}.md-status--deprecated:after{-webkit-mask-image:var(--md-status--deprecated);mask-image:var(--md-status--deprecated)}.md-status--encrypted:after{-webkit-mask-image:var(--md-status--encrypted);mask-image:var(--md-status--encrypted)}.md-tabs{background-color:var(--md-primary-fg-color);color:var(--md-primary-bg-color);display:block;line-height:1.3;overflow:auto;width:100%;z-index:3}@media print{.md-tabs{display:none}}@media screen and (max-width:76.234375em){.md-tabs{display:none}}.md-tabs[hidden]{pointer-events:none}[dir=ltr] .md-tabs__list{margin-left:.2rem}[dir=rtl] .md-tabs__list{margin-right:.2rem}.md-tabs__list{contain:content;display:flex;list-style:none;margin:0;overflow:auto;padding:0;scrollbar-width:none;white-space:nowrap}.md-tabs__list::-webkit-scrollbar{display:none}.md-tabs__item{height:2.4rem;padding-left:.6rem;padding-right:.6rem}.md-tabs__item--active .md-tabs__link{color:inherit;opacity:1}.md-tabs__link{-webkit-backface-visibility:hidden;backface-visibility:hidden;display:flex;font-size:.7rem;margin-top:.8rem;opacity:.7;outline-color:var(--md-accent-fg-color);outline-offset:.2rem;transition:transform .4s cubic-bezier(.1,.7,.1,1),opacity .25s}.md-tabs__link:focus,.md-tabs__link:hover{color:inherit;opacity:1}[dir=ltr] .md-tabs__link svg{margin-right:.4rem}[dir=rtl] .md-tabs__link svg{margin-left:.4rem}.md-tabs__link svg{fill:currentcolor;height:1.3em}.md-tabs__item:nth-child(2) .md-tabs__link{transition-delay:20ms}.md-tabs__item:nth-child(3) .md-tabs__link{transition-delay:40ms}.md-tabs__item:nth-child(4) .md-tabs__link{transition-delay:60ms}.md-tabs__item:nth-child(5) .md-tabs__link{transition-delay:80ms}.md-tabs__item:nth-child(6) .md-tabs__link{transition-delay:.1s}.md-tabs__item:nth-child(7) .md-tabs__link{transition-delay:.12s}.md-tabs__item:nth-child(8) .md-tabs__link{transition-delay:.14s}.md-tabs__item:nth-child(9) .md-tabs__link{transition-delay:.16s}.md-tabs__item:nth-child(10) .md-tabs__link{transition-delay:.18s}.md-tabs__item:nth-child(11) .md-tabs__link{transition-delay:.2s}.md-tabs__item:nth-child(12) .md-tabs__link{transition-delay:.22s}.md-tabs__item:nth-child(13) .md-tabs__link{transition-delay:.24s}.md-tabs__item:nth-child(14) .md-tabs__link{transition-delay:.26s}.md-tabs__item:nth-child(15) .md-tabs__link{transition-delay:.28s}.md-tabs__item:nth-child(16) .md-tabs__link{transition-delay:.3s}.md-tabs[hidden] .md-tabs__link{opacity:0;transform:translateY(50%);transition:transform 0ms .1s,opacity .1s}:root{--md-tag-icon:url('data:image/svg+xml;charset=utf-8,')}.md-typeset .md-tags:not([hidden]){display:inline-flex;flex-wrap:wrap;gap:.5em;margin-bottom:.75em;margin-top:-.125em}.md-typeset .md-tag{align-items:center;background:var(--md-default-fg-color--lightest);border-radius:2.4rem;display:inline-flex;font-size:.64rem;font-size:min(.8em,.64rem);font-weight:700;gap:.5em;letter-spacing:normal;line-height:1.6;padding:.3125em .78125em}.md-typeset .md-tag[href]{-webkit-tap-highlight-color:transparent;color:inherit;outline:none;transition:color 125ms,background-color 125ms}.md-typeset .md-tag[href]:focus,.md-typeset .md-tag[href]:hover{background-color:var(--md-accent-fg-color);color:var(--md-accent-bg-color)}[id]>.md-typeset .md-tag{vertical-align:text-top}.md-typeset .md-tag-icon:before{background-color:var(--md-default-fg-color--lighter);content:"";display:inline-block;height:1.2em;-webkit-mask-image:var(--md-tag-icon);mask-image:var(--md-tag-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;transition:background-color 125ms;vertical-align:text-bottom;width:1.2em}.md-typeset .md-tag-icon[href]:focus:before,.md-typeset .md-tag-icon[href]:hover:before{background-color:var(--md-accent-bg-color)}@keyframes pulse{0%{transform:scale(.95)}75%{transform:scale(1)}to{transform:scale(.95)}}:root{--md-annotation-bg-icon:url('data:image/svg+xml;charset=utf-8,');--md-annotation-icon:url('data:image/svg+xml;charset=utf-8,')}.md-tooltip{-webkit-backface-visibility:hidden;backface-visibility:hidden;background-color:var(--md-default-bg-color);border-radius:.1rem;box-shadow:var(--md-shadow-z2);color:var(--md-default-fg-color);font-family:var(--md-text-font-family);left:clamp(var(--md-tooltip-0,0rem) + .8rem,var(--md-tooltip-x),100vw + var(--md-tooltip-0,0rem) + .8rem - var(--md-tooltip-width) - 2 * .8rem);max-width:calc(100vw - 1.6rem);opacity:0;position:absolute;top:var(--md-tooltip-y);transform:translateY(-.4rem);transition:transform 0ms .25s,opacity .25s,z-index .25s;width:var(--md-tooltip-width);z-index:0}.md-tooltip--active{opacity:1;transform:translateY(0);transition:transform .25s cubic-bezier(.1,.7,.1,1),opacity .25s,z-index 0ms;z-index:2}.md-tooltip--inline{font-weight:700;-webkit-user-select:none;user-select:none;width:auto}.md-tooltip--inline:not(.md-tooltip--active){transform:translateY(.2rem) scale(.9)}.md-tooltip--inline .md-tooltip__inner{font-size:.5rem;padding:.2rem .4rem}[hidden]+.md-tooltip--inline{display:none}.focus-visible>.md-tooltip,.md-tooltip:target{outline:var(--md-accent-fg-color) auto}.md-tooltip__inner{font-size:.64rem;padding:.8rem}.md-tooltip__inner.md-typeset>:first-child{margin-top:0}.md-tooltip__inner.md-typeset>:last-child{margin-bottom:0}.md-annotation{font-style:normal;font-weight:400;outline:none;text-align:initial;vertical-align:text-bottom;white-space:normal}[dir=rtl] .md-annotation{direction:rtl}code .md-annotation{font-family:var(--md-code-font-family);font-size:inherit}.md-annotation:not([hidden]){display:inline-block;line-height:1.25}.md-annotation__index{border-radius:.01px;cursor:pointer;display:inline-block;margin-left:.4ch;margin-right:.4ch;outline:none;overflow:hidden;position:relative;-webkit-user-select:none;user-select:none;vertical-align:text-top;z-index:0}.md-annotation .md-annotation__index{transition:z-index .25s}@media screen{.md-annotation__index{width:2.2ch}[data-md-visible]>.md-annotation__index{animation:pulse 2s infinite}.md-annotation__index:before{background:var(--md-default-bg-color);-webkit-mask-image:var(--md-annotation-bg-icon);mask-image:var(--md-annotation-bg-icon)}.md-annotation__index:after,.md-annotation__index:before{content:"";height:2.2ch;-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;position:absolute;top:-.1ch;width:2.2ch;z-index:-1}.md-annotation__index:after{background-color:var(--md-default-fg-color--lighter);-webkit-mask-image:var(--md-annotation-icon);mask-image:var(--md-annotation-icon);transform:scale(1.0001);transition:background-color .25s,transform .25s}.md-tooltip--active+.md-annotation__index:after{transform:rotate(45deg)}.md-tooltip--active+.md-annotation__index:after,:hover>.md-annotation__index:after{background-color:var(--md-accent-fg-color)}}.md-tooltip--active+.md-annotation__index{animation-play-state:paused;transition-duration:0ms;z-index:2}.md-annotation__index [data-md-annotation-id]{display:inline-block}@media print{.md-annotation__index [data-md-annotation-id]{background:var(--md-default-fg-color--lighter);border-radius:2ch;color:var(--md-default-bg-color);font-weight:700;padding:0 .6ch;white-space:nowrap}.md-annotation__index [data-md-annotation-id]:after{content:attr(data-md-annotation-id)}}.md-typeset .md-annotation-list{counter-reset:xxx;list-style:none}.md-typeset .md-annotation-list li{position:relative}[dir=ltr] .md-typeset .md-annotation-list li:before{left:-2.125em}[dir=rtl] .md-typeset .md-annotation-list li:before{right:-2.125em}.md-typeset .md-annotation-list li:before{background:var(--md-default-fg-color--lighter);border-radius:2ch;color:var(--md-default-bg-color);content:counter(xxx);counter-increment:xxx;font-size:.8875em;font-weight:700;height:2ch;line-height:1.25;min-width:2ch;padding:0 .6ch;position:absolute;text-align:center;top:.25em}:root{--md-tooltip-width:20rem;--md-tooltip-tail:0.3rem}.md-tooltip2{-webkit-backface-visibility:hidden;backface-visibility:hidden;color:var(--md-default-fg-color);font-family:var(--md-text-font-family);opacity:0;pointer-events:none;position:absolute;top:calc(var(--md-tooltip-host-y) + var(--md-tooltip-y));transform:translateY(-.4rem);transform-origin:calc(var(--md-tooltip-host-x) + var(--md-tooltip-x)) 0;transition:transform 0ms .25s,opacity .25s,z-index .25s;width:100%;z-index:0}.md-tooltip2:before{border-left:var(--md-tooltip-tail) solid #0000;border-right:var(--md-tooltip-tail) solid #0000;content:"";display:block;left:clamp(1.5 * .8rem,var(--md-tooltip-host-x) + var(--md-tooltip-x) - var(--md-tooltip-tail),100vw - 2 * var(--md-tooltip-tail) - 1.5 * .8rem);position:absolute;z-index:1}.md-tooltip2--top:before{border-top:var(--md-tooltip-tail) solid var(--md-default-bg-color);bottom:calc(var(--md-tooltip-tail)*-1 + .025rem);filter:drop-shadow(0 1px 0 hsla(0,0%,0%,.05))}.md-tooltip2--bottom:before{border-bottom:var(--md-tooltip-tail) solid var(--md-default-bg-color);filter:drop-shadow(0 -1px 0 hsla(0,0%,0%,.05));top:calc(var(--md-tooltip-tail)*-1 + .025rem)}.md-tooltip2--active{opacity:1;transform:translateY(0);transition:transform .4s cubic-bezier(0,1,.5,1),opacity .25s,z-index 0ms;z-index:2}.md-tooltip2__inner{scrollbar-gutter:stable;background-color:var(--md-default-bg-color);border-radius:.1rem;box-shadow:var(--md-shadow-z2);left:clamp(.8rem,var(--md-tooltip-host-x) - .8rem,100vw - var(--md-tooltip-width) - .8rem);max-height:40vh;max-width:calc(100vw - 1.6rem);position:relative;scrollbar-width:thin}.md-tooltip2__inner::-webkit-scrollbar{height:.2rem;width:.2rem}.md-tooltip2__inner::-webkit-scrollbar-thumb{background-color:var(--md-default-fg-color--lighter)}.md-tooltip2__inner::-webkit-scrollbar-thumb:hover{background-color:var(--md-accent-fg-color)}[role=tooltip]>.md-tooltip2__inner{font-size:.5rem;font-weight:700;left:clamp(.8rem,var(--md-tooltip-host-x) + var(--md-tooltip-x) - var(--md-tooltip-width)/2,100vw - var(--md-tooltip-width) - .8rem);max-width:min(100vw - 2 * .8rem,400px);padding:.2rem .4rem;-webkit-user-select:none;user-select:none;width:-moz-fit-content;width:fit-content}.md-tooltip2__inner.md-typeset>:first-child{margin-top:0}.md-tooltip2__inner.md-typeset>:last-child{margin-bottom:0}[dir=ltr] .md-top{margin-left:50%}[dir=rtl] .md-top{margin-right:50%}.md-top{background-color:var(--md-default-bg-color);border-radius:1.6rem;box-shadow:var(--md-shadow-z2);color:var(--md-default-fg-color--light);cursor:pointer;display:block;font-size:.7rem;outline:none;padding:.4rem .8rem;position:fixed;top:3.2rem;transform:translate(-50%);transition:color 125ms,background-color 125ms,transform 125ms cubic-bezier(.4,0,.2,1),opacity 125ms;z-index:2}@media print{.md-top{display:none}}[dir=rtl] .md-top{transform:translate(50%)}.md-top[hidden]{opacity:0;pointer-events:none;transform:translate(-50%,.2rem);transition-duration:0ms}[dir=rtl] .md-top[hidden]{transform:translate(50%,.2rem)}.md-top:focus,.md-top:hover{background-color:var(--md-accent-fg-color);color:var(--md-accent-bg-color)}.md-top svg{display:inline-block;vertical-align:-.5em}@keyframes hoverfix{0%{pointer-events:none}}:root{--md-version-icon:url('data:image/svg+xml;charset=utf-8,')}.md-version{flex-shrink:0;font-size:.8rem;height:2.4rem}[dir=ltr] .md-version__current{margin-left:1.4rem;margin-right:.4rem}[dir=rtl] .md-version__current{margin-left:.4rem;margin-right:1.4rem}.md-version__current{color:inherit;cursor:pointer;outline:none;position:relative;top:.05rem}[dir=ltr] .md-version__current:after{margin-left:.4rem}[dir=rtl] .md-version__current:after{margin-right:.4rem}.md-version__current:after{background-color:currentcolor;content:"";display:inline-block;height:.6rem;-webkit-mask-image:var(--md-version-icon);mask-image:var(--md-version-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;width:.4rem}.md-version__alias{margin-left:.3rem;opacity:.7}.md-version__list{background-color:var(--md-default-bg-color);border-radius:.1rem;box-shadow:var(--md-shadow-z2);color:var(--md-default-fg-color);list-style-type:none;margin:.2rem .8rem;max-height:0;opacity:0;overflow:auto;padding:0;position:absolute;scroll-snap-type:y mandatory;top:.15rem;transition:max-height 0ms .5s,opacity .25s .25s;z-index:3}.md-version:focus-within .md-version__list,.md-version:hover .md-version__list{max-height:10rem;opacity:1;transition:max-height 0ms,opacity .25s}@media (hover:none),(pointer:coarse){.md-version:hover .md-version__list{animation:hoverfix .25s forwards}.md-version:focus-within .md-version__list{animation:none}}.md-version__item{line-height:1.8rem}[dir=ltr] .md-version__link{padding-left:.6rem;padding-right:1.2rem}[dir=rtl] .md-version__link{padding-left:1.2rem;padding-right:.6rem}.md-version__link{cursor:pointer;display:block;outline:none;scroll-snap-align:start;transition:color .25s,background-color .25s;white-space:nowrap;width:100%}.md-version__link:focus,.md-version__link:hover{color:var(--md-accent-fg-color)}.md-version__link:focus{background-color:var(--md-default-fg-color--lightest)}:root{--md-admonition-icon--note:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--abstract:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--info:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--tip:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--success:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--question:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--warning:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--failure:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--danger:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--bug:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--example:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--quote:url('data:image/svg+xml;charset=utf-8,')}.md-typeset .admonition,.md-typeset details{background-color:var(--md-admonition-bg-color);border:.075rem solid #448aff;border-radius:.2rem;box-shadow:var(--md-shadow-z1);color:var(--md-admonition-fg-color);display:flow-root;font-size:.64rem;margin:1.5625em 0;padding:0 .6rem;page-break-inside:avoid;transition:box-shadow 125ms}@media print{.md-typeset .admonition,.md-typeset details{box-shadow:none}}.md-typeset .admonition:focus-within,.md-typeset details:focus-within{box-shadow:0 0 0 .2rem #448aff1a}.md-typeset .admonition>*,.md-typeset details>*{box-sizing:border-box}.md-typeset .admonition .admonition,.md-typeset .admonition details,.md-typeset details .admonition,.md-typeset details details{margin-bottom:1em;margin-top:1em}.md-typeset .admonition .md-typeset__scrollwrap,.md-typeset details .md-typeset__scrollwrap{margin:1em -.6rem}.md-typeset .admonition .md-typeset__table,.md-typeset details .md-typeset__table{padding:0 .6rem}.md-typeset .admonition>.tabbed-set:only-child,.md-typeset details>.tabbed-set:only-child{margin-top:0}html .md-typeset .admonition>:last-child,html .md-typeset details>:last-child{margin-bottom:.6rem}[dir=ltr] .md-typeset .admonition-title,[dir=ltr] .md-typeset summary{padding-left:2rem;padding-right:.6rem}[dir=rtl] .md-typeset .admonition-title,[dir=rtl] .md-typeset summary{padding-left:.6rem;padding-right:2rem}[dir=ltr] .md-typeset .admonition-title,[dir=ltr] .md-typeset summary{border-left-width:.2rem}[dir=rtl] .md-typeset .admonition-title,[dir=rtl] .md-typeset summary{border-right-width:.2rem}[dir=ltr] .md-typeset .admonition-title,[dir=ltr] .md-typeset summary{border-top-left-radius:.1rem}[dir=ltr] .md-typeset .admonition-title,[dir=ltr] .md-typeset summary,[dir=rtl] .md-typeset .admonition-title,[dir=rtl] .md-typeset summary{border-top-right-radius:.1rem}[dir=rtl] .md-typeset .admonition-title,[dir=rtl] .md-typeset summary{border-top-left-radius:.1rem}.md-typeset .admonition-title,.md-typeset summary{background-color:#448aff1a;border:none;font-weight:700;margin:0 -.6rem;padding-bottom:.4rem;padding-top:.4rem;position:relative}html .md-typeset .admonition-title:last-child,html .md-typeset summary:last-child{margin-bottom:0}[dir=ltr] .md-typeset .admonition-title:before,[dir=ltr] .md-typeset summary:before{left:.6rem}[dir=rtl] .md-typeset .admonition-title:before,[dir=rtl] .md-typeset summary:before{right:.6rem}.md-typeset .admonition-title:before,.md-typeset summary:before{background-color:#448aff;content:"";height:1rem;-webkit-mask-image:var(--md-admonition-icon--note);mask-image:var(--md-admonition-icon--note);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;position:absolute;top:.625em;width:1rem}.md-typeset .admonition-title code,.md-typeset summary code{box-shadow:0 0 0 .05rem var(--md-default-fg-color--lightest)}.md-typeset .admonition.note,.md-typeset details.note{border-color:#448aff}.md-typeset .admonition.note:focus-within,.md-typeset details.note:focus-within{box-shadow:0 0 0 .2rem #448aff1a}.md-typeset .note>.admonition-title,.md-typeset .note>summary{background-color:#448aff1a}.md-typeset .note>.admonition-title:before,.md-typeset .note>summary:before{background-color:#448aff;-webkit-mask-image:var(--md-admonition-icon--note);mask-image:var(--md-admonition-icon--note)}.md-typeset .note>.admonition-title:after,.md-typeset .note>summary:after{color:#448aff}.md-typeset .admonition.abstract,.md-typeset details.abstract{border-color:#00b0ff}.md-typeset .admonition.abstract:focus-within,.md-typeset details.abstract:focus-within{box-shadow:0 0 0 .2rem #00b0ff1a}.md-typeset .abstract>.admonition-title,.md-typeset .abstract>summary{background-color:#00b0ff1a}.md-typeset .abstract>.admonition-title:before,.md-typeset .abstract>summary:before{background-color:#00b0ff;-webkit-mask-image:var(--md-admonition-icon--abstract);mask-image:var(--md-admonition-icon--abstract)}.md-typeset .abstract>.admonition-title:after,.md-typeset .abstract>summary:after{color:#00b0ff}.md-typeset .admonition.info,.md-typeset details.info{border-color:#00b8d4}.md-typeset .admonition.info:focus-within,.md-typeset details.info:focus-within{box-shadow:0 0 0 .2rem #00b8d41a}.md-typeset .info>.admonition-title,.md-typeset .info>summary{background-color:#00b8d41a}.md-typeset .info>.admonition-title:before,.md-typeset .info>summary:before{background-color:#00b8d4;-webkit-mask-image:var(--md-admonition-icon--info);mask-image:var(--md-admonition-icon--info)}.md-typeset .info>.admonition-title:after,.md-typeset .info>summary:after{color:#00b8d4}.md-typeset .admonition.tip,.md-typeset details.tip{border-color:#00bfa5}.md-typeset .admonition.tip:focus-within,.md-typeset details.tip:focus-within{box-shadow:0 0 0 .2rem #00bfa51a}.md-typeset .tip>.admonition-title,.md-typeset .tip>summary{background-color:#00bfa51a}.md-typeset .tip>.admonition-title:before,.md-typeset .tip>summary:before{background-color:#00bfa5;-webkit-mask-image:var(--md-admonition-icon--tip);mask-image:var(--md-admonition-icon--tip)}.md-typeset .tip>.admonition-title:after,.md-typeset .tip>summary:after{color:#00bfa5}.md-typeset .admonition.success,.md-typeset details.success{border-color:#00c853}.md-typeset .admonition.success:focus-within,.md-typeset details.success:focus-within{box-shadow:0 0 0 .2rem #00c8531a}.md-typeset .success>.admonition-title,.md-typeset .success>summary{background-color:#00c8531a}.md-typeset .success>.admonition-title:before,.md-typeset .success>summary:before{background-color:#00c853;-webkit-mask-image:var(--md-admonition-icon--success);mask-image:var(--md-admonition-icon--success)}.md-typeset .success>.admonition-title:after,.md-typeset .success>summary:after{color:#00c853}.md-typeset .admonition.question,.md-typeset details.question{border-color:#64dd17}.md-typeset .admonition.question:focus-within,.md-typeset details.question:focus-within{box-shadow:0 0 0 .2rem #64dd171a}.md-typeset .question>.admonition-title,.md-typeset .question>summary{background-color:#64dd171a}.md-typeset .question>.admonition-title:before,.md-typeset .question>summary:before{background-color:#64dd17;-webkit-mask-image:var(--md-admonition-icon--question);mask-image:var(--md-admonition-icon--question)}.md-typeset .question>.admonition-title:after,.md-typeset .question>summary:after{color:#64dd17}.md-typeset .admonition.warning,.md-typeset details.warning{border-color:#ff9100}.md-typeset .admonition.warning:focus-within,.md-typeset details.warning:focus-within{box-shadow:0 0 0 .2rem #ff91001a}.md-typeset .warning>.admonition-title,.md-typeset .warning>summary{background-color:#ff91001a}.md-typeset .warning>.admonition-title:before,.md-typeset .warning>summary:before{background-color:#ff9100;-webkit-mask-image:var(--md-admonition-icon--warning);mask-image:var(--md-admonition-icon--warning)}.md-typeset .warning>.admonition-title:after,.md-typeset .warning>summary:after{color:#ff9100}.md-typeset .admonition.failure,.md-typeset details.failure{border-color:#ff5252}.md-typeset .admonition.failure:focus-within,.md-typeset details.failure:focus-within{box-shadow:0 0 0 .2rem #ff52521a}.md-typeset .failure>.admonition-title,.md-typeset .failure>summary{background-color:#ff52521a}.md-typeset .failure>.admonition-title:before,.md-typeset .failure>summary:before{background-color:#ff5252;-webkit-mask-image:var(--md-admonition-icon--failure);mask-image:var(--md-admonition-icon--failure)}.md-typeset .failure>.admonition-title:after,.md-typeset .failure>summary:after{color:#ff5252}.md-typeset .admonition.danger,.md-typeset details.danger{border-color:#ff1744}.md-typeset .admonition.danger:focus-within,.md-typeset details.danger:focus-within{box-shadow:0 0 0 .2rem #ff17441a}.md-typeset .danger>.admonition-title,.md-typeset .danger>summary{background-color:#ff17441a}.md-typeset .danger>.admonition-title:before,.md-typeset .danger>summary:before{background-color:#ff1744;-webkit-mask-image:var(--md-admonition-icon--danger);mask-image:var(--md-admonition-icon--danger)}.md-typeset .danger>.admonition-title:after,.md-typeset .danger>summary:after{color:#ff1744}.md-typeset .admonition.bug,.md-typeset details.bug{border-color:#f50057}.md-typeset .admonition.bug:focus-within,.md-typeset details.bug:focus-within{box-shadow:0 0 0 .2rem #f500571a}.md-typeset .bug>.admonition-title,.md-typeset .bug>summary{background-color:#f500571a}.md-typeset .bug>.admonition-title:before,.md-typeset .bug>summary:before{background-color:#f50057;-webkit-mask-image:var(--md-admonition-icon--bug);mask-image:var(--md-admonition-icon--bug)}.md-typeset .bug>.admonition-title:after,.md-typeset .bug>summary:after{color:#f50057}.md-typeset .admonition.example,.md-typeset details.example{border-color:#7c4dff}.md-typeset .admonition.example:focus-within,.md-typeset details.example:focus-within{box-shadow:0 0 0 .2rem #7c4dff1a}.md-typeset .example>.admonition-title,.md-typeset .example>summary{background-color:#7c4dff1a}.md-typeset .example>.admonition-title:before,.md-typeset .example>summary:before{background-color:#7c4dff;-webkit-mask-image:var(--md-admonition-icon--example);mask-image:var(--md-admonition-icon--example)}.md-typeset .example>.admonition-title:after,.md-typeset .example>summary:after{color:#7c4dff}.md-typeset .admonition.quote,.md-typeset details.quote{border-color:#9e9e9e}.md-typeset .admonition.quote:focus-within,.md-typeset details.quote:focus-within{box-shadow:0 0 0 .2rem #9e9e9e1a}.md-typeset .quote>.admonition-title,.md-typeset .quote>summary{background-color:#9e9e9e1a}.md-typeset .quote>.admonition-title:before,.md-typeset .quote>summary:before{background-color:#9e9e9e;-webkit-mask-image:var(--md-admonition-icon--quote);mask-image:var(--md-admonition-icon--quote)}.md-typeset .quote>.admonition-title:after,.md-typeset .quote>summary:after{color:#9e9e9e}:root{--md-footnotes-icon:url('data:image/svg+xml;charset=utf-8,')}.md-typeset .footnote{color:var(--md-default-fg-color--light);font-size:.64rem}[dir=ltr] .md-typeset .footnote>ol{margin-left:0}[dir=rtl] .md-typeset .footnote>ol{margin-right:0}.md-typeset .footnote>ol>li{transition:color 125ms}.md-typeset .footnote>ol>li:target{color:var(--md-default-fg-color)}.md-typeset .footnote>ol>li:focus-within .footnote-backref{opacity:1;transform:translateX(0);transition:none}.md-typeset .footnote>ol>li:hover .footnote-backref,.md-typeset .footnote>ol>li:target .footnote-backref{opacity:1;transform:translateX(0)}.md-typeset .footnote>ol>li>:first-child{margin-top:0}.md-typeset .footnote-ref{font-size:.75em;font-weight:700}html .md-typeset .footnote-ref{outline-offset:.1rem}.md-typeset [id^="fnref:"]:target>.footnote-ref{outline:auto}.md-typeset .footnote-backref{color:var(--md-typeset-a-color);display:inline-block;font-size:0;opacity:0;transform:translateX(.25rem);transition:color .25s,transform .25s .25s,opacity 125ms .25s;vertical-align:text-bottom}@media print{.md-typeset .footnote-backref{color:var(--md-typeset-a-color);opacity:1;transform:translateX(0)}}[dir=rtl] .md-typeset .footnote-backref{transform:translateX(-.25rem)}.md-typeset .footnote-backref:hover{color:var(--md-accent-fg-color)}.md-typeset .footnote-backref:before{background-color:currentcolor;content:"";display:inline-block;height:.8rem;-webkit-mask-image:var(--md-footnotes-icon);mask-image:var(--md-footnotes-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;width:.8rem}[dir=rtl] .md-typeset .footnote-backref:before svg{transform:scaleX(-1)}[dir=ltr] .md-typeset .headerlink{margin-left:.5rem}[dir=rtl] .md-typeset .headerlink{margin-right:.5rem}.md-typeset .headerlink{color:var(--md-default-fg-color--lighter);display:inline-block;opacity:0;transition:color .25s,opacity 125ms}@media print{.md-typeset .headerlink{display:none}}.md-typeset .headerlink:focus,.md-typeset :hover>.headerlink,.md-typeset :target>.headerlink{opacity:1;transition:color .25s,opacity 125ms}.md-typeset .headerlink:focus,.md-typeset .headerlink:hover,.md-typeset :target>.headerlink{color:var(--md-accent-fg-color)}.md-typeset :target{--md-scroll-margin:3.6rem;--md-scroll-offset:0rem;scroll-margin-top:calc(var(--md-scroll-margin) - var(--md-scroll-offset))}@media screen and (min-width:76.25em){.md-header--lifted~.md-container .md-typeset :target{--md-scroll-margin:6rem}}.md-typeset h1:target,.md-typeset h2:target,.md-typeset h3:target{--md-scroll-offset:0.2rem}.md-typeset h4:target{--md-scroll-offset:0.15rem}.md-typeset div.arithmatex{overflow:auto}@media screen and (max-width:44.984375em){.md-typeset div.arithmatex{margin:0 -.8rem}.md-typeset div.arithmatex>*{width:min-content}}.md-typeset div.arithmatex>*{margin-left:auto!important;margin-right:auto!important;padding:0 .8rem;touch-action:auto}.md-typeset div.arithmatex>* mjx-container{margin:0!important}.md-typeset div.arithmatex mjx-assistive-mml{height:0}.md-typeset del.critic{background-color:var(--md-typeset-del-color)}.md-typeset del.critic,.md-typeset ins.critic{-webkit-box-decoration-break:clone;box-decoration-break:clone}.md-typeset ins.critic{background-color:var(--md-typeset-ins-color)}.md-typeset .critic.comment{-webkit-box-decoration-break:clone;box-decoration-break:clone;color:var(--md-code-hl-comment-color)}.md-typeset .critic.comment:before{content:"/* "}.md-typeset .critic.comment:after{content:" */"}.md-typeset .critic.block{box-shadow:none;display:block;margin:1em 0;overflow:auto;padding-left:.8rem;padding-right:.8rem}.md-typeset .critic.block>:first-child{margin-top:.5em}.md-typeset .critic.block>:last-child{margin-bottom:.5em}:root{--md-details-icon:url('data:image/svg+xml;charset=utf-8,')}.md-typeset details{display:flow-root;overflow:visible;padding-top:0}.md-typeset details[open]>summary:after{transform:rotate(90deg)}.md-typeset details:not([open]){box-shadow:none;padding-bottom:0}.md-typeset details:not([open])>summary{border-radius:.1rem}[dir=ltr] .md-typeset summary{padding-right:1.8rem}[dir=rtl] .md-typeset summary{padding-left:1.8rem}[dir=ltr] .md-typeset summary{border-top-left-radius:.1rem}[dir=ltr] .md-typeset summary,[dir=rtl] .md-typeset summary{border-top-right-radius:.1rem}[dir=rtl] .md-typeset summary{border-top-left-radius:.1rem}.md-typeset summary{cursor:pointer;display:block;min-height:1rem;overflow:hidden}.md-typeset summary.focus-visible{outline-color:var(--md-accent-fg-color);outline-offset:.2rem}.md-typeset summary:not(.focus-visible){-webkit-tap-highlight-color:transparent;outline:none}[dir=ltr] .md-typeset summary:after{right:.4rem}[dir=rtl] .md-typeset summary:after{left:.4rem}.md-typeset summary:after{background-color:currentcolor;content:"";height:1rem;-webkit-mask-image:var(--md-details-icon);mask-image:var(--md-details-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;position:absolute;top:.625em;transform:rotate(0deg);transition:transform .25s;width:1rem}[dir=rtl] .md-typeset summary:after{transform:rotate(180deg)}.md-typeset summary::marker{display:none}.md-typeset summary::-webkit-details-marker{display:none}.md-typeset .emojione,.md-typeset .gemoji,.md-typeset .twemoji{--md-icon-size:1.125em;display:inline-flex;height:var(--md-icon-size);vertical-align:text-top}.md-typeset .emojione svg,.md-typeset .gemoji svg,.md-typeset .twemoji svg{fill:currentcolor;max-height:100%;width:var(--md-icon-size)}.md-typeset .lg,.md-typeset .xl,.md-typeset .xxl,.md-typeset .xxxl{vertical-align:text-bottom}.md-typeset .middle{vertical-align:middle}.md-typeset .lg{--md-icon-size:1.5em}.md-typeset .xl{--md-icon-size:2.25em}.md-typeset .xxl{--md-icon-size:3em}.md-typeset .xxxl{--md-icon-size:4em}.highlight .o,.highlight .ow{color:var(--md-code-hl-operator-color)}.highlight .p{color:var(--md-code-hl-punctuation-color)}.highlight .cpf,.highlight .l,.highlight .s,.highlight .s1,.highlight .s2,.highlight .sb,.highlight .sc,.highlight .si,.highlight .ss{color:var(--md-code-hl-string-color)}.highlight .cp,.highlight .se,.highlight .sh,.highlight .sr,.highlight .sx{color:var(--md-code-hl-special-color)}.highlight .il,.highlight .m,.highlight .mb,.highlight .mf,.highlight .mh,.highlight .mi,.highlight .mo{color:var(--md-code-hl-number-color)}.highlight .k,.highlight .kd,.highlight .kn,.highlight .kp,.highlight .kr,.highlight .kt{color:var(--md-code-hl-keyword-color)}.highlight .kc,.highlight .n{color:var(--md-code-hl-name-color)}.highlight .bp,.highlight .nb,.highlight .no{color:var(--md-code-hl-constant-color)}.highlight .nc,.highlight .ne,.highlight .nf,.highlight .nn{color:var(--md-code-hl-function-color)}.highlight .nd,.highlight .ni,.highlight .nl,.highlight .nt{color:var(--md-code-hl-keyword-color)}.highlight .c,.highlight .c1,.highlight .ch,.highlight .cm,.highlight .cs,.highlight .sd{color:var(--md-code-hl-comment-color)}.highlight .na,.highlight .nv,.highlight .vc,.highlight .vg,.highlight .vi{color:var(--md-code-hl-variable-color)}.highlight .ge,.highlight .gh,.highlight .go,.highlight .gp,.highlight .gr,.highlight .gs,.highlight .gt,.highlight .gu{color:var(--md-code-hl-generic-color)}.highlight .gd,.highlight .gi{border-radius:.1rem;margin:0 -.125em;padding:0 .125em}.highlight .gd{background-color:var(--md-typeset-del-color)}.highlight .gi{background-color:var(--md-typeset-ins-color)}.highlight .hll{background-color:var(--md-code-hl-color--light);box-shadow:2px 0 0 0 var(--md-code-hl-color) inset;display:block;margin:0 -1.1764705882em;padding:0 1.1764705882em}.highlight span.filename{background-color:var(--md-code-bg-color);border-bottom:.05rem solid var(--md-default-fg-color--lightest);border-top-left-radius:.1rem;border-top-right-radius:.1rem;display:flow-root;font-size:.85em;font-weight:700;margin-top:1em;padding:.6617647059em 1.1764705882em;position:relative}.highlight span.filename+pre{margin-top:0}.highlight span.filename+pre>code{border-top-left-radius:0;border-top-right-radius:0}.highlight [data-linenos]:before{background-color:var(--md-code-bg-color);box-shadow:-.05rem 0 var(--md-default-fg-color--lightest) inset;color:var(--md-default-fg-color--light);content:attr(data-linenos);float:left;left:-1.1764705882em;margin-left:-1.1764705882em;margin-right:1.1764705882em;padding-left:1.1764705882em;position:sticky;-webkit-user-select:none;user-select:none;z-index:3}.highlight code a[id]{position:absolute;visibility:hidden}.highlight code[data-md-copying]{display:initial}.highlight code[data-md-copying] .hll{display:contents}.highlight code[data-md-copying] .md-annotation{display:none}.highlighttable{display:flow-root}.highlighttable tbody,.highlighttable td{display:block;padding:0}.highlighttable tr{display:flex}.highlighttable pre{margin:0}.highlighttable th.filename{flex-grow:1;padding:0;text-align:left}.highlighttable th.filename span.filename{margin-top:0}.highlighttable .linenos{background-color:var(--md-code-bg-color);border-bottom-left-radius:.1rem;border-top-left-radius:.1rem;font-size:.85em;padding:.7720588235em 0 .7720588235em 1.1764705882em;-webkit-user-select:none;user-select:none}.highlighttable .linenodiv{box-shadow:-.05rem 0 var(--md-default-fg-color--lightest) inset;padding-right:.5882352941em}.highlighttable .linenodiv pre{color:var(--md-default-fg-color--light);text-align:right}.highlighttable .code{flex:1;min-width:0}.linenodiv a{color:inherit}.md-typeset .highlighttable{direction:ltr;margin:1em 0}.md-typeset .highlighttable>tbody>tr>.code>div>pre>code{border-bottom-left-radius:0;border-top-left-radius:0}.md-typeset .highlight+.result{border:.05rem solid var(--md-code-bg-color);border-bottom-left-radius:.1rem;border-bottom-right-radius:.1rem;border-top-width:.1rem;margin-top:-1.125em;overflow:visible;padding:0 1em}.md-typeset .highlight+.result:after{clear:both;content:"";display:block}@media screen and (max-width:44.984375em){.md-content__inner>.highlight{margin:1em -.8rem}.md-content__inner>.highlight>.filename,.md-content__inner>.highlight>.highlighttable>tbody>tr>.code>div>pre>code,.md-content__inner>.highlight>.highlighttable>tbody>tr>.filename span.filename,.md-content__inner>.highlight>.highlighttable>tbody>tr>.linenos,.md-content__inner>.highlight>pre>code{border-radius:0}.md-content__inner>.highlight+.result{border-left-width:0;border-radius:0;border-right-width:0;margin-left:-.8rem;margin-right:-.8rem}}.md-typeset .keys kbd:after,.md-typeset .keys kbd:before{-moz-osx-font-smoothing:initial;-webkit-font-smoothing:initial;color:inherit;margin:0;position:relative}.md-typeset .keys span{color:var(--md-default-fg-color--light);padding:0 .2em}.md-typeset .keys .key-alt:before,.md-typeset .keys .key-left-alt:before,.md-typeset .keys .key-right-alt:before{content:"⎇";padding-right:.4em}.md-typeset .keys .key-command:before,.md-typeset .keys .key-left-command:before,.md-typeset .keys .key-right-command:before{content:"⌘";padding-right:.4em}.md-typeset .keys .key-control:before,.md-typeset .keys .key-left-control:before,.md-typeset .keys .key-right-control:before{content:"⌃";padding-right:.4em}.md-typeset .keys .key-left-meta:before,.md-typeset .keys .key-meta:before,.md-typeset .keys .key-right-meta:before{content:"◆";padding-right:.4em}.md-typeset .keys .key-left-option:before,.md-typeset .keys .key-option:before,.md-typeset .keys .key-right-option:before{content:"⌥";padding-right:.4em}.md-typeset .keys .key-left-shift:before,.md-typeset .keys .key-right-shift:before,.md-typeset .keys .key-shift:before{content:"⇧";padding-right:.4em}.md-typeset .keys .key-left-super:before,.md-typeset .keys .key-right-super:before,.md-typeset .keys .key-super:before{content:"❖";padding-right:.4em}.md-typeset .keys .key-left-windows:before,.md-typeset .keys .key-right-windows:before,.md-typeset .keys .key-windows:before{content:"⊞";padding-right:.4em}.md-typeset .keys .key-arrow-down:before{content:"↓";padding-right:.4em}.md-typeset .keys .key-arrow-left:before{content:"←";padding-right:.4em}.md-typeset .keys .key-arrow-right:before{content:"→";padding-right:.4em}.md-typeset .keys .key-arrow-up:before{content:"↑";padding-right:.4em}.md-typeset .keys .key-backspace:before{content:"⌫";padding-right:.4em}.md-typeset .keys .key-backtab:before{content:"⇤";padding-right:.4em}.md-typeset .keys .key-caps-lock:before{content:"⇪";padding-right:.4em}.md-typeset .keys .key-clear:before{content:"⌧";padding-right:.4em}.md-typeset .keys .key-context-menu:before{content:"☰";padding-right:.4em}.md-typeset .keys .key-delete:before{content:"⌦";padding-right:.4em}.md-typeset .keys .key-eject:before{content:"⏏";padding-right:.4em}.md-typeset .keys .key-end:before{content:"⤓";padding-right:.4em}.md-typeset .keys .key-escape:before{content:"⎋";padding-right:.4em}.md-typeset .keys .key-home:before{content:"⤒";padding-right:.4em}.md-typeset .keys .key-insert:before{content:"⎀";padding-right:.4em}.md-typeset .keys .key-page-down:before{content:"⇟";padding-right:.4em}.md-typeset .keys .key-page-up:before{content:"⇞";padding-right:.4em}.md-typeset .keys .key-print-screen:before{content:"⎙";padding-right:.4em}.md-typeset .keys .key-tab:after{content:"⇥";padding-left:.4em}.md-typeset .keys .key-num-enter:after{content:"⌤";padding-left:.4em}.md-typeset .keys .key-enter:after{content:"⏎";padding-left:.4em}:root{--md-tabbed-icon--prev:url('data:image/svg+xml;charset=utf-8,');--md-tabbed-icon--next:url('data:image/svg+xml;charset=utf-8,')}.md-typeset .tabbed-set{border-radius:.1rem;display:flex;flex-flow:column wrap;margin:1em 0;position:relative}.md-typeset .tabbed-set>input{height:0;opacity:0;position:absolute;width:0}.md-typeset .tabbed-set>input:target{--md-scroll-offset:0.625em}.md-typeset .tabbed-set>input.focus-visible~.tabbed-labels:before{background-color:var(--md-accent-fg-color)}.md-typeset .tabbed-labels{-ms-overflow-style:none;box-shadow:0 -.05rem var(--md-default-fg-color--lightest) inset;display:flex;max-width:100%;overflow:auto;scrollbar-width:none}@media print{.md-typeset .tabbed-labels{display:contents}}@media screen{.js .md-typeset .tabbed-labels{position:relative}.js .md-typeset .tabbed-labels:before{background:var(--md-default-fg-color);bottom:0;content:"";display:block;height:2px;left:0;position:absolute;transform:translateX(var(--md-indicator-x));transition:width 225ms,background-color .25s,transform .25s;transition-timing-function:cubic-bezier(.4,0,.2,1);width:var(--md-indicator-width)}}.md-typeset .tabbed-labels::-webkit-scrollbar{display:none}.md-typeset .tabbed-labels>label{border-bottom:.1rem solid #0000;border-radius:.1rem .1rem 0 0;color:var(--md-default-fg-color--light);cursor:pointer;flex-shrink:0;font-size:.64rem;font-weight:700;padding:.78125em 1.25em .625em;scroll-margin-inline-start:1rem;transition:background-color .25s,color .25s;white-space:nowrap;width:auto}@media print{.md-typeset .tabbed-labels>label:first-child{order:1}.md-typeset .tabbed-labels>label:nth-child(2){order:2}.md-typeset .tabbed-labels>label:nth-child(3){order:3}.md-typeset .tabbed-labels>label:nth-child(4){order:4}.md-typeset .tabbed-labels>label:nth-child(5){order:5}.md-typeset .tabbed-labels>label:nth-child(6){order:6}.md-typeset .tabbed-labels>label:nth-child(7){order:7}.md-typeset .tabbed-labels>label:nth-child(8){order:8}.md-typeset .tabbed-labels>label:nth-child(9){order:9}.md-typeset .tabbed-labels>label:nth-child(10){order:10}.md-typeset .tabbed-labels>label:nth-child(11){order:11}.md-typeset .tabbed-labels>label:nth-child(12){order:12}.md-typeset .tabbed-labels>label:nth-child(13){order:13}.md-typeset .tabbed-labels>label:nth-child(14){order:14}.md-typeset .tabbed-labels>label:nth-child(15){order:15}.md-typeset .tabbed-labels>label:nth-child(16){order:16}.md-typeset .tabbed-labels>label:nth-child(17){order:17}.md-typeset .tabbed-labels>label:nth-child(18){order:18}.md-typeset .tabbed-labels>label:nth-child(19){order:19}.md-typeset .tabbed-labels>label:nth-child(20){order:20}}.md-typeset .tabbed-labels>label:hover{color:var(--md-default-fg-color)}.md-typeset .tabbed-labels>label>[href]:first-child{color:inherit}.md-typeset .tabbed-labels--linked>label{padding:0}.md-typeset .tabbed-labels--linked>label>a{display:block;padding:.78125em 1.25em .625em}.md-typeset .tabbed-content{width:100%}@media print{.md-typeset .tabbed-content{display:contents}}.md-typeset .tabbed-block{display:none}@media print{.md-typeset .tabbed-block{display:block}.md-typeset .tabbed-block:first-child{order:1}.md-typeset .tabbed-block:nth-child(2){order:2}.md-typeset .tabbed-block:nth-child(3){order:3}.md-typeset .tabbed-block:nth-child(4){order:4}.md-typeset .tabbed-block:nth-child(5){order:5}.md-typeset .tabbed-block:nth-child(6){order:6}.md-typeset .tabbed-block:nth-child(7){order:7}.md-typeset .tabbed-block:nth-child(8){order:8}.md-typeset .tabbed-block:nth-child(9){order:9}.md-typeset .tabbed-block:nth-child(10){order:10}.md-typeset .tabbed-block:nth-child(11){order:11}.md-typeset .tabbed-block:nth-child(12){order:12}.md-typeset .tabbed-block:nth-child(13){order:13}.md-typeset .tabbed-block:nth-child(14){order:14}.md-typeset .tabbed-block:nth-child(15){order:15}.md-typeset .tabbed-block:nth-child(16){order:16}.md-typeset .tabbed-block:nth-child(17){order:17}.md-typeset .tabbed-block:nth-child(18){order:18}.md-typeset .tabbed-block:nth-child(19){order:19}.md-typeset .tabbed-block:nth-child(20){order:20}}.md-typeset .tabbed-block>.highlight:first-child>pre,.md-typeset .tabbed-block>pre:first-child{margin:0}.md-typeset .tabbed-block>.highlight:first-child>pre>code,.md-typeset .tabbed-block>pre:first-child>code{border-top-left-radius:0;border-top-right-radius:0}.md-typeset .tabbed-block>.highlight:first-child>.filename{border-top-left-radius:0;border-top-right-radius:0;margin:0}.md-typeset .tabbed-block>.highlight:first-child>.highlighttable{margin:0}.md-typeset .tabbed-block>.highlight:first-child>.highlighttable>tbody>tr>.filename span.filename,.md-typeset .tabbed-block>.highlight:first-child>.highlighttable>tbody>tr>.linenos{border-top-left-radius:0;border-top-right-radius:0;margin:0}.md-typeset .tabbed-block>.highlight:first-child>.highlighttable>tbody>tr>.code>div>pre>code{border-top-left-radius:0;border-top-right-radius:0}.md-typeset .tabbed-block>.highlight:first-child+.result{margin-top:-.125em}.md-typeset .tabbed-block>.tabbed-set{margin:0}.md-typeset .tabbed-button{align-self:center;border-radius:100%;color:var(--md-default-fg-color--light);cursor:pointer;display:block;height:.9rem;margin-top:.1rem;pointer-events:auto;transition:background-color .25s;width:.9rem}.md-typeset .tabbed-button:hover{background-color:var(--md-accent-fg-color--transparent);color:var(--md-accent-fg-color)}.md-typeset .tabbed-button:after{background-color:currentcolor;content:"";display:block;height:100%;-webkit-mask-image:var(--md-tabbed-icon--prev);mask-image:var(--md-tabbed-icon--prev);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;transition:background-color .25s,transform .25s;width:100%}.md-typeset .tabbed-control{background:linear-gradient(to right,var(--md-default-bg-color) 60%,#0000);display:flex;height:1.9rem;justify-content:start;pointer-events:none;position:absolute;transition:opacity 125ms;width:1.2rem}[dir=rtl] .md-typeset .tabbed-control{transform:rotate(180deg)}.md-typeset .tabbed-control[hidden]{opacity:0}.md-typeset .tabbed-control--next{background:linear-gradient(to left,var(--md-default-bg-color) 60%,#0000);justify-content:end;right:0}.md-typeset .tabbed-control--next .tabbed-button:after{-webkit-mask-image:var(--md-tabbed-icon--next);mask-image:var(--md-tabbed-icon--next)}@media screen and (max-width:44.984375em){[dir=ltr] .md-content__inner>.tabbed-set .tabbed-labels{padding-left:.8rem}[dir=rtl] .md-content__inner>.tabbed-set .tabbed-labels{padding-right:.8rem}.md-content__inner>.tabbed-set .tabbed-labels{margin:0 -.8rem;max-width:100vw;scroll-padding-inline-start:.8rem}[dir=ltr] .md-content__inner>.tabbed-set .tabbed-labels:after{padding-right:.8rem}[dir=rtl] .md-content__inner>.tabbed-set .tabbed-labels:after{padding-left:.8rem}.md-content__inner>.tabbed-set .tabbed-labels:after{content:""}[dir=ltr] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--prev{padding-left:.8rem}[dir=rtl] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--prev{padding-right:.8rem}[dir=ltr] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--prev{margin-left:-.8rem}[dir=rtl] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--prev{margin-right:-.8rem}.md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--prev{width:2rem}[dir=ltr] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--next{padding-right:.8rem}[dir=rtl] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--next{padding-left:.8rem}[dir=ltr] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--next{margin-right:-.8rem}[dir=rtl] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--next{margin-left:-.8rem}.md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--next{width:2rem}}@media screen{.md-typeset .tabbed-set>input:first-child:checked~.tabbed-labels>:first-child,.md-typeset .tabbed-set>input:nth-child(10):checked~.tabbed-labels>:nth-child(10),.md-typeset .tabbed-set>input:nth-child(11):checked~.tabbed-labels>:nth-child(11),.md-typeset .tabbed-set>input:nth-child(12):checked~.tabbed-labels>:nth-child(12),.md-typeset .tabbed-set>input:nth-child(13):checked~.tabbed-labels>:nth-child(13),.md-typeset .tabbed-set>input:nth-child(14):checked~.tabbed-labels>:nth-child(14),.md-typeset .tabbed-set>input:nth-child(15):checked~.tabbed-labels>:nth-child(15),.md-typeset .tabbed-set>input:nth-child(16):checked~.tabbed-labels>:nth-child(16),.md-typeset .tabbed-set>input:nth-child(17):checked~.tabbed-labels>:nth-child(17),.md-typeset .tabbed-set>input:nth-child(18):checked~.tabbed-labels>:nth-child(18),.md-typeset .tabbed-set>input:nth-child(19):checked~.tabbed-labels>:nth-child(19),.md-typeset .tabbed-set>input:nth-child(2):checked~.tabbed-labels>:nth-child(2),.md-typeset .tabbed-set>input:nth-child(20):checked~.tabbed-labels>:nth-child(20),.md-typeset .tabbed-set>input:nth-child(3):checked~.tabbed-labels>:nth-child(3),.md-typeset .tabbed-set>input:nth-child(4):checked~.tabbed-labels>:nth-child(4),.md-typeset .tabbed-set>input:nth-child(5):checked~.tabbed-labels>:nth-child(5),.md-typeset .tabbed-set>input:nth-child(6):checked~.tabbed-labels>:nth-child(6),.md-typeset .tabbed-set>input:nth-child(7):checked~.tabbed-labels>:nth-child(7),.md-typeset .tabbed-set>input:nth-child(8):checked~.tabbed-labels>:nth-child(8),.md-typeset .tabbed-set>input:nth-child(9):checked~.tabbed-labels>:nth-child(9){color:var(--md-default-fg-color)}.md-typeset .no-js .tabbed-set>input:first-child:checked~.tabbed-labels>:first-child,.md-typeset .no-js .tabbed-set>input:nth-child(10):checked~.tabbed-labels>:nth-child(10),.md-typeset .no-js .tabbed-set>input:nth-child(11):checked~.tabbed-labels>:nth-child(11),.md-typeset .no-js .tabbed-set>input:nth-child(12):checked~.tabbed-labels>:nth-child(12),.md-typeset .no-js .tabbed-set>input:nth-child(13):checked~.tabbed-labels>:nth-child(13),.md-typeset .no-js .tabbed-set>input:nth-child(14):checked~.tabbed-labels>:nth-child(14),.md-typeset .no-js .tabbed-set>input:nth-child(15):checked~.tabbed-labels>:nth-child(15),.md-typeset .no-js .tabbed-set>input:nth-child(16):checked~.tabbed-labels>:nth-child(16),.md-typeset .no-js .tabbed-set>input:nth-child(17):checked~.tabbed-labels>:nth-child(17),.md-typeset .no-js .tabbed-set>input:nth-child(18):checked~.tabbed-labels>:nth-child(18),.md-typeset .no-js .tabbed-set>input:nth-child(19):checked~.tabbed-labels>:nth-child(19),.md-typeset .no-js .tabbed-set>input:nth-child(2):checked~.tabbed-labels>:nth-child(2),.md-typeset .no-js .tabbed-set>input:nth-child(20):checked~.tabbed-labels>:nth-child(20),.md-typeset .no-js .tabbed-set>input:nth-child(3):checked~.tabbed-labels>:nth-child(3),.md-typeset .no-js .tabbed-set>input:nth-child(4):checked~.tabbed-labels>:nth-child(4),.md-typeset .no-js .tabbed-set>input:nth-child(5):checked~.tabbed-labels>:nth-child(5),.md-typeset .no-js .tabbed-set>input:nth-child(6):checked~.tabbed-labels>:nth-child(6),.md-typeset .no-js .tabbed-set>input:nth-child(7):checked~.tabbed-labels>:nth-child(7),.md-typeset .no-js .tabbed-set>input:nth-child(8):checked~.tabbed-labels>:nth-child(8),.md-typeset .no-js .tabbed-set>input:nth-child(9):checked~.tabbed-labels>:nth-child(9),.no-js .md-typeset .tabbed-set>input:first-child:checked~.tabbed-labels>:first-child,.no-js .md-typeset .tabbed-set>input:nth-child(10):checked~.tabbed-labels>:nth-child(10),.no-js .md-typeset .tabbed-set>input:nth-child(11):checked~.tabbed-labels>:nth-child(11),.no-js .md-typeset .tabbed-set>input:nth-child(12):checked~.tabbed-labels>:nth-child(12),.no-js .md-typeset .tabbed-set>input:nth-child(13):checked~.tabbed-labels>:nth-child(13),.no-js .md-typeset .tabbed-set>input:nth-child(14):checked~.tabbed-labels>:nth-child(14),.no-js .md-typeset .tabbed-set>input:nth-child(15):checked~.tabbed-labels>:nth-child(15),.no-js .md-typeset .tabbed-set>input:nth-child(16):checked~.tabbed-labels>:nth-child(16),.no-js .md-typeset .tabbed-set>input:nth-child(17):checked~.tabbed-labels>:nth-child(17),.no-js .md-typeset .tabbed-set>input:nth-child(18):checked~.tabbed-labels>:nth-child(18),.no-js .md-typeset .tabbed-set>input:nth-child(19):checked~.tabbed-labels>:nth-child(19),.no-js .md-typeset .tabbed-set>input:nth-child(2):checked~.tabbed-labels>:nth-child(2),.no-js .md-typeset .tabbed-set>input:nth-child(20):checked~.tabbed-labels>:nth-child(20),.no-js .md-typeset .tabbed-set>input:nth-child(3):checked~.tabbed-labels>:nth-child(3),.no-js .md-typeset .tabbed-set>input:nth-child(4):checked~.tabbed-labels>:nth-child(4),.no-js .md-typeset .tabbed-set>input:nth-child(5):checked~.tabbed-labels>:nth-child(5),.no-js .md-typeset .tabbed-set>input:nth-child(6):checked~.tabbed-labels>:nth-child(6),.no-js .md-typeset .tabbed-set>input:nth-child(7):checked~.tabbed-labels>:nth-child(7),.no-js .md-typeset .tabbed-set>input:nth-child(8):checked~.tabbed-labels>:nth-child(8),.no-js .md-typeset .tabbed-set>input:nth-child(9):checked~.tabbed-labels>:nth-child(9){border-color:var(--md-default-fg-color)}}.md-typeset .tabbed-set>input:first-child.focus-visible~.tabbed-labels>:first-child,.md-typeset .tabbed-set>input:nth-child(10).focus-visible~.tabbed-labels>:nth-child(10),.md-typeset .tabbed-set>input:nth-child(11).focus-visible~.tabbed-labels>:nth-child(11),.md-typeset .tabbed-set>input:nth-child(12).focus-visible~.tabbed-labels>:nth-child(12),.md-typeset .tabbed-set>input:nth-child(13).focus-visible~.tabbed-labels>:nth-child(13),.md-typeset .tabbed-set>input:nth-child(14).focus-visible~.tabbed-labels>:nth-child(14),.md-typeset .tabbed-set>input:nth-child(15).focus-visible~.tabbed-labels>:nth-child(15),.md-typeset .tabbed-set>input:nth-child(16).focus-visible~.tabbed-labels>:nth-child(16),.md-typeset .tabbed-set>input:nth-child(17).focus-visible~.tabbed-labels>:nth-child(17),.md-typeset .tabbed-set>input:nth-child(18).focus-visible~.tabbed-labels>:nth-child(18),.md-typeset .tabbed-set>input:nth-child(19).focus-visible~.tabbed-labels>:nth-child(19),.md-typeset .tabbed-set>input:nth-child(2).focus-visible~.tabbed-labels>:nth-child(2),.md-typeset .tabbed-set>input:nth-child(20).focus-visible~.tabbed-labels>:nth-child(20),.md-typeset .tabbed-set>input:nth-child(3).focus-visible~.tabbed-labels>:nth-child(3),.md-typeset .tabbed-set>input:nth-child(4).focus-visible~.tabbed-labels>:nth-child(4),.md-typeset .tabbed-set>input:nth-child(5).focus-visible~.tabbed-labels>:nth-child(5),.md-typeset .tabbed-set>input:nth-child(6).focus-visible~.tabbed-labels>:nth-child(6),.md-typeset .tabbed-set>input:nth-child(7).focus-visible~.tabbed-labels>:nth-child(7),.md-typeset .tabbed-set>input:nth-child(8).focus-visible~.tabbed-labels>:nth-child(8),.md-typeset .tabbed-set>input:nth-child(9).focus-visible~.tabbed-labels>:nth-child(9){color:var(--md-accent-fg-color)}.md-typeset .tabbed-set>input:first-child:checked~.tabbed-content>:first-child,.md-typeset .tabbed-set>input:nth-child(10):checked~.tabbed-content>:nth-child(10),.md-typeset .tabbed-set>input:nth-child(11):checked~.tabbed-content>:nth-child(11),.md-typeset .tabbed-set>input:nth-child(12):checked~.tabbed-content>:nth-child(12),.md-typeset .tabbed-set>input:nth-child(13):checked~.tabbed-content>:nth-child(13),.md-typeset .tabbed-set>input:nth-child(14):checked~.tabbed-content>:nth-child(14),.md-typeset .tabbed-set>input:nth-child(15):checked~.tabbed-content>:nth-child(15),.md-typeset .tabbed-set>input:nth-child(16):checked~.tabbed-content>:nth-child(16),.md-typeset .tabbed-set>input:nth-child(17):checked~.tabbed-content>:nth-child(17),.md-typeset .tabbed-set>input:nth-child(18):checked~.tabbed-content>:nth-child(18),.md-typeset .tabbed-set>input:nth-child(19):checked~.tabbed-content>:nth-child(19),.md-typeset .tabbed-set>input:nth-child(2):checked~.tabbed-content>:nth-child(2),.md-typeset .tabbed-set>input:nth-child(20):checked~.tabbed-content>:nth-child(20),.md-typeset .tabbed-set>input:nth-child(3):checked~.tabbed-content>:nth-child(3),.md-typeset .tabbed-set>input:nth-child(4):checked~.tabbed-content>:nth-child(4),.md-typeset .tabbed-set>input:nth-child(5):checked~.tabbed-content>:nth-child(5),.md-typeset .tabbed-set>input:nth-child(6):checked~.tabbed-content>:nth-child(6),.md-typeset .tabbed-set>input:nth-child(7):checked~.tabbed-content>:nth-child(7),.md-typeset .tabbed-set>input:nth-child(8):checked~.tabbed-content>:nth-child(8),.md-typeset .tabbed-set>input:nth-child(9):checked~.tabbed-content>:nth-child(9){display:block}:root{--md-tasklist-icon:url('data:image/svg+xml;charset=utf-8,');--md-tasklist-icon--checked:url('data:image/svg+xml;charset=utf-8,')}.md-typeset .task-list-item{list-style-type:none;position:relative}[dir=ltr] .md-typeset .task-list-item [type=checkbox]{left:-2em}[dir=rtl] .md-typeset .task-list-item [type=checkbox]{right:-2em}.md-typeset .task-list-item [type=checkbox]{position:absolute;top:.45em}.md-typeset .task-list-control [type=checkbox]{opacity:0;z-index:-1}[dir=ltr] .md-typeset .task-list-indicator:before{left:-1.5em}[dir=rtl] .md-typeset .task-list-indicator:before{right:-1.5em}.md-typeset .task-list-indicator:before{background-color:var(--md-default-fg-color--lightest);content:"";height:1.25em;-webkit-mask-image:var(--md-tasklist-icon);mask-image:var(--md-tasklist-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;position:absolute;top:.15em;width:1.25em}.md-typeset [type=checkbox]:checked+.task-list-indicator:before{background-color:#00e676;-webkit-mask-image:var(--md-tasklist-icon--checked);mask-image:var(--md-tasklist-icon--checked)}:root>*{--md-mermaid-font-family:var(--md-text-font-family),sans-serif;--md-mermaid-edge-color:var(--md-code-fg-color);--md-mermaid-node-bg-color:var(--md-accent-fg-color--transparent);--md-mermaid-node-fg-color:var(--md-accent-fg-color);--md-mermaid-label-bg-color:var(--md-default-bg-color);--md-mermaid-label-fg-color:var(--md-code-fg-color);--md-mermaid-sequence-actor-bg-color:var(--md-mermaid-label-bg-color);--md-mermaid-sequence-actor-fg-color:var(--md-mermaid-label-fg-color);--md-mermaid-sequence-actor-border-color:var(--md-mermaid-node-fg-color);--md-mermaid-sequence-actor-line-color:var(--md-default-fg-color--lighter);--md-mermaid-sequence-actorman-bg-color:var(--md-mermaid-label-bg-color);--md-mermaid-sequence-actorman-line-color:var(--md-mermaid-node-fg-color);--md-mermaid-sequence-box-bg-color:var(--md-mermaid-node-bg-color);--md-mermaid-sequence-box-fg-color:var(--md-mermaid-edge-color);--md-mermaid-sequence-label-bg-color:var(--md-mermaid-node-bg-color);--md-mermaid-sequence-label-fg-color:var(--md-mermaid-node-fg-color);--md-mermaid-sequence-loop-bg-color:var(--md-mermaid-node-bg-color);--md-mermaid-sequence-loop-fg-color:var(--md-mermaid-edge-color);--md-mermaid-sequence-loop-border-color:var(--md-mermaid-node-fg-color);--md-mermaid-sequence-message-fg-color:var(--md-mermaid-edge-color);--md-mermaid-sequence-message-line-color:var(--md-mermaid-edge-color);--md-mermaid-sequence-note-bg-color:var(--md-mermaid-label-bg-color);--md-mermaid-sequence-note-fg-color:var(--md-mermaid-edge-color);--md-mermaid-sequence-note-border-color:var(--md-mermaid-label-fg-color);--md-mermaid-sequence-number-bg-color:var(--md-mermaid-node-fg-color);--md-mermaid-sequence-number-fg-color:var(--md-accent-bg-color)}.mermaid{line-height:normal;margin:1em 0}.md-typeset .grid{grid-gap:.4rem;display:grid;grid-template-columns:repeat(auto-fit,minmax(min(100%,16rem),1fr));margin:1em 0}.md-typeset .grid.cards>ol,.md-typeset .grid.cards>ul{display:contents}.md-typeset .grid.cards>ol>li,.md-typeset .grid.cards>ul>li,.md-typeset .grid>.card{border:.05rem solid var(--md-default-fg-color--lightest);border-radius:.1rem;display:block;margin:0;padding:.8rem;transition:border .25s,box-shadow .25s}.md-typeset .grid.cards>ol>li:focus-within,.md-typeset .grid.cards>ol>li:hover,.md-typeset .grid.cards>ul>li:focus-within,.md-typeset .grid.cards>ul>li:hover,.md-typeset .grid>.card:focus-within,.md-typeset .grid>.card:hover{border-color:#0000;box-shadow:var(--md-shadow-z2)}.md-typeset .grid.cards>ol>li>hr,.md-typeset .grid.cards>ul>li>hr,.md-typeset .grid>.card>hr{margin-bottom:1em;margin-top:1em}.md-typeset .grid.cards>ol>li>:first-child,.md-typeset .grid.cards>ul>li>:first-child,.md-typeset .grid>.card>:first-child{margin-top:0}.md-typeset .grid.cards>ol>li>:last-child,.md-typeset .grid.cards>ul>li>:last-child,.md-typeset .grid>.card>:last-child{margin-bottom:0}.md-typeset .grid>*,.md-typeset .grid>.admonition,.md-typeset .grid>.highlight>*,.md-typeset .grid>.highlighttable,.md-typeset .grid>.md-typeset details,.md-typeset .grid>details,.md-typeset .grid>pre{margin-bottom:0;margin-top:0}.md-typeset .grid>.highlight>pre:only-child,.md-typeset .grid>.highlight>pre>code,.md-typeset .grid>.highlighttable,.md-typeset .grid>.highlighttable>tbody,.md-typeset .grid>.highlighttable>tbody>tr,.md-typeset .grid>.highlighttable>tbody>tr>.code,.md-typeset .grid>.highlighttable>tbody>tr>.code>.highlight,.md-typeset .grid>.highlighttable>tbody>tr>.code>.highlight>pre,.md-typeset .grid>.highlighttable>tbody>tr>.code>.highlight>pre>code{height:100%}.md-typeset .grid>.tabbed-set{margin-bottom:0;margin-top:0}@media screen and (min-width:45em){[dir=ltr] .md-typeset .inline{float:left}[dir=rtl] .md-typeset .inline{float:right}[dir=ltr] .md-typeset .inline{margin-right:.8rem}[dir=rtl] .md-typeset .inline{margin-left:.8rem}.md-typeset .inline{margin-bottom:.8rem;margin-top:0;width:11.7rem}[dir=ltr] .md-typeset .inline.end{float:right}[dir=rtl] .md-typeset .inline.end{float:left}[dir=ltr] .md-typeset .inline.end{margin-left:.8rem;margin-right:0}[dir=rtl] .md-typeset .inline.end{margin-left:0;margin-right:.8rem}} \ No newline at end of file diff --git a/assets/stylesheets/main.3cba04c6.min.css.map b/assets/stylesheets/main.3cba04c6.min.css.map new file mode 100644 index 0000000000..0d8f7b6bd1 --- /dev/null +++ b/assets/stylesheets/main.3cba04c6.min.css.map @@ -0,0 +1 @@ +{"version":3,"sources":["src/templates/assets/stylesheets/main/components/_meta.scss","../../../../src/templates/assets/stylesheets/main.scss","src/templates/assets/stylesheets/main/_resets.scss","src/templates/assets/stylesheets/main/_colors.scss","src/templates/assets/stylesheets/main/_icons.scss","src/templates/assets/stylesheets/main/_typeset.scss","src/templates/assets/stylesheets/utilities/_break.scss","src/templates/assets/stylesheets/main/components/_author.scss","src/templates/assets/stylesheets/main/components/_banner.scss","src/templates/assets/stylesheets/main/components/_base.scss","src/templates/assets/stylesheets/main/components/_clipboard.scss","src/templates/assets/stylesheets/main/components/_code.scss","src/templates/assets/stylesheets/main/components/_consent.scss","src/templates/assets/stylesheets/main/components/_content.scss","src/templates/assets/stylesheets/main/components/_dialog.scss","src/templates/assets/stylesheets/main/components/_feedback.scss","src/templates/assets/stylesheets/main/components/_footer.scss","src/templates/assets/stylesheets/main/components/_form.scss","src/templates/assets/stylesheets/main/components/_header.scss","node_modules/material-design-color/material-color.scss","src/templates/assets/stylesheets/main/components/_nav.scss","src/templates/assets/stylesheets/main/components/_pagination.scss","src/templates/assets/stylesheets/main/components/_post.scss","src/templates/assets/stylesheets/main/components/_progress.scss","src/templates/assets/stylesheets/main/components/_search.scss","src/templates/assets/stylesheets/main/components/_select.scss","src/templates/assets/stylesheets/main/components/_sidebar.scss","src/templates/assets/stylesheets/main/components/_source.scss","src/templates/assets/stylesheets/main/components/_status.scss","src/templates/assets/stylesheets/main/components/_tabs.scss","src/templates/assets/stylesheets/main/components/_tag.scss","src/templates/assets/stylesheets/main/components/_tooltip.scss","src/templates/assets/stylesheets/main/components/_tooltip2.scss","src/templates/assets/stylesheets/main/components/_top.scss","src/templates/assets/stylesheets/main/components/_version.scss","src/templates/assets/stylesheets/main/extensions/markdown/_admonition.scss","src/templates/assets/stylesheets/main/extensions/markdown/_footnotes.scss","src/templates/assets/stylesheets/main/extensions/markdown/_toc.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_arithmatex.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_critic.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_details.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_emoji.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_highlight.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_keys.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_tabbed.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_tasklist.scss","src/templates/assets/stylesheets/main/integrations/_mermaid.scss","src/templates/assets/stylesheets/main/modifiers/_grid.scss","src/templates/assets/stylesheets/main/modifiers/_inline.scss"],"names":[],"mappings":"AA0CE,gBCqxCF,CCnyCA,KAEE,6BAAA,CAAA,0BAAA,CAAA,qBAAA,CADA,qBDzBF,CC8BA,iBAGE,kBD3BF,CC8BE,gCANF,iBAOI,yBDzBF,CACF,CC6BA,KACE,QD1BF,CC8BA,qBAIE,uCD3BF,CC+BA,EACE,aAAA,CACA,oBD5BF,CCgCA,GAME,QAAA,CALA,kBAAA,CACA,aAAA,CACA,aAAA,CAEA,gBAAA,CADA,SD3BF,CCiCA,MACE,aD9BF,CCkCA,QAEE,eD/BF,CCmCA,IACE,iBDhCF,CCoCA,MAEE,uBAAA,CADA,gBDhCF,CCqCA,MAEE,eAAA,CACA,kBDlCF,CCsCA,OAKE,gBAAA,CACA,QAAA,CAHA,mBAAA,CACA,iBAAA,CAFA,QAAA,CADA,SD9BF,CCuCA,MACE,QAAA,CACA,YDpCF,CErDA,MAIE,6BAAA,CACA,oCAAA,CACA,mCAAA,CACA,0BAAA,CACA,sCAAA,CAGA,4BAAA,CACA,2CAAA,CACA,yBAAA,CACA,qCFmDF,CE7CA,+BAIE,kBF6CF,CE1CE,oHAEE,YF4CJ,CEnCA,qCAIE,eAAA,CAGA,+BAAA,CACA,sCAAA,CACA,wCAAA,CACA,yCAAA,CACA,0BAAA,CACA,sCAAA,CACA,wCAAA,CACA,yCAAA,CAGA,0BAAA,CACA,0BAAA,CAGA,0BAAA,CACA,mCAAA,CAGA,iCAAA,CACA,kCAAA,CACA,mCAAA,CACA,mCAAA,CACA,kCAAA,CACA,iCAAA,CACA,+CAAA,CACA,6DAAA,CACA,gEAAA,CACA,4DAAA,CACA,4DAAA,CACA,6DAAA,CAGA,6CAAA,CAGA,+CAAA,CAGA,gCAAA,CACA,gCAAA,CAGA,8BAAA,CACA,kCAAA,CACA,qCAAA,CAGA,iCAAA,CAGA,kCAAA,CACA,gDAAA,CAGA,mDAAA,CACA,mDAAA,CAGA,+BAAA,CACA,0BAAA,CAGA,yBAAA,CACA,qCAAA,CACA,uCAAA,CACA,8BAAA,CACA,oCAAA,CAGA,8DAAA,CAKA,8DAAA,CAKA,0DFKF,CG9HE,aAIE,iBAAA,CAHA,aAAA,CAEA,aAAA,CADA,YHmIJ,CIxIA,KACE,kCAAA,CACA,iCAAA,CAGA,uGAAA,CAKA,mFJyIF,CInIA,iBAIE,mCAAA,CACA,6BAAA,CAFA,sCJwIF,CIlIA,aAIE,4BAAA,CADA,sCJsIF,CI7HA,MACE,0NAAA,CACA,mNAAA,CACA,oNJgIF,CIzHA,YAGE,gCAAA,CAAA,kBAAA,CAFA,eAAA,CACA,eJ6HF,CIxHE,aAPF,YAQI,gBJ2HF,CACF,CIxHE,uGAME,iBAAA,CAAA,cJ0HJ,CItHE,eAKE,uCAAA,CAHA,aAAA,CAEA,eAAA,CAHA,iBJ6HJ,CIpHE,8BAPE,eAAA,CAGA,qBJ+HJ,CI3HE,eAEE,kBAAA,CAEA,eAAA,CAHA,oBJ0HJ,CIlHE,eAEE,gBAAA,CACA,eAAA,CAEA,qBAAA,CADA,eAAA,CAHA,mBJwHJ,CIhHE,kBACE,eJkHJ,CI9GE,eAEE,eAAA,CACA,qBAAA,CAFA,YJkHJ,CI5GE,8BAKE,uCAAA,CAFA,cAAA,CACA,eAAA,CAEA,qBAAA,CAJA,eJkHJ,CI1GE,eACE,wBJ4GJ,CIxGE,eAGE,+DAAA,CAFA,iBAAA,CACA,cJ2GJ,CItGE,cACE,+BAAA,CACA,qBJwGJ,CIrGI,mCAEE,sBJsGN,CIlGI,wCACE,+BJoGN,CIjGM,kDACE,uDJmGR,CI9FI,mBACE,kBAAA,CACA,iCJgGN,CI5FI,4BACE,uCAAA,CACA,oBJ8FN,CIzFE,iDAIE,6BAAA,CACA,aAAA,CAFA,2BJ6FJ,CIxFI,aARF,iDASI,oBJ6FJ,CACF,CIzFE,iBAIE,wCAAA,CACA,mBAAA,CACA,kCAAA,CAAA,0BAAA,CAJA,eAAA,CADA,uBAAA,CAEA,qBJ8FJ,CIxFI,qCAEE,uCAAA,CADA,YJ2FN,CIrFE,gBAEE,iBAAA,CACA,eAAA,CAFA,iBJyFJ,CIpFI,qBASE,kCAAA,CAAA,0BAAA,CADA,eAAA,CAPA,aAAA,CAEA,QAAA,CAIA,uCAAA,CAHA,aAAA,CAFA,oCAAA,CASA,yDAAA,CADA,oBAAA,CAJA,iBAAA,CADA,iBJ4FN,CInFM,2BACE,+CJqFR,CIjFM,wCAEE,YAAA,CADA,WJoFR,CI/EM,8CACE,oDJiFR,CI9EQ,oDACE,0CJgFV,CIzEE,gBAOE,4CAAA,CACA,mBAAA,CACA,mKACE,CANF,gCAAA,CAHA,oBAAA,CAEA,eAAA,CADA,uBAAA,CAIA,uBAAA,CADA,qBJ+EJ,CIpEE,iBAGE,6CAAA,CACA,kCAAA,CAAA,0BAAA,CAHA,aAAA,CACA,qBJwEJ,CIlEE,iBAGE,6DAAA,CADA,WAAA,CADA,oBJsEJ,CIhEE,kBACE,WJkEJ,CI9DE,oDAEE,qBJgEJ,CIlEE,oDAEE,sBJgEJ,CI5DE,iCACE,kBJiEJ,CIlEE,iCACE,mBJiEJ,CIlEE,iCAIE,2DJ8DJ,CIlEE,iCAIE,4DJ8DJ,CIlEE,uBAGE,uCAAA,CADA,aAAA,CAAA,cJgEJ,CI1DE,eACE,oBJ4DJ,CIxDE,kDAGE,kBJ0DJ,CI7DE,kDAGE,mBJ0DJ,CI7DE,8BAEE,SJ2DJ,CIvDI,0DACE,iBJ0DN,CItDI,oCACE,2BJyDN,CItDM,0CACE,2BJyDR,CIpDI,wDACE,kBJwDN,CIzDI,wDACE,mBJwDN,CIzDI,oCAEE,kBJuDN,CIpDM,kGAEE,aJwDR,CIpDM,0DACE,eJuDR,CInDM,4HAEE,kBJsDR,CIxDM,4HAEE,mBJsDR,CIxDM,oFACE,kBAAA,CAAA,eJuDR,CIhDE,yBAEE,mBJkDJ,CIpDE,yBAEE,oBJkDJ,CIpDE,eACE,mBAAA,CAAA,cJmDJ,CI9CE,kDAIE,WAAA,CADA,cJiDJ,CIzCI,4BAEE,oBJ2CN,CIvCI,6BAEE,oBJyCN,CIrCI,kCACE,YJuCN,CIlCE,mBACE,iBAAA,CAGA,eAAA,CADA,cAAA,CAEA,iBAAA,CAHA,sBAAA,CAAA,iBJuCJ,CIjCI,uBACE,aAAA,CACA,aJmCN,CI9BE,uBAGE,iBAAA,CADA,eAAA,CADA,eJkCJ,CI5BE,mBACE,cJ8BJ,CI1BE,+BAME,2CAAA,CACA,iDAAA,CACA,mBAAA,CAPA,oBAAA,CAGA,gBAAA,CAFA,cAAA,CACA,aAAA,CAEA,iBJ+BJ,CIzBI,aAXF,+BAYI,aJ4BJ,CACF,CIvBI,iCACE,gBJyBN,CIlBM,8FACE,YJoBR,CIhBM,4FACE,eJkBR,CIbI,8FACE,eJeN,CIZM,kHACE,gBJcR,CITI,kCAGE,eAAA,CAFA,cAAA,CACA,sBAAA,CAEA,kBJWN,CIPI,kCAGE,qDAAA,CAFA,sBAAA,CACA,kBJUN,CILI,wCACE,iCJON,CIJM,8CACE,qDAAA,CACA,sDJMR,CIDI,iCACE,iBJGN,CIEE,wCACE,cJAJ,CIGI,wDAIE,gBJKN,CITI,wDAIE,iBJKN,CITI,8CAME,UAAA,CALA,oBAAA,CAEA,YAAA,CAKA,oDAAA,CAAA,4CAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAHA,iCAAA,CAFA,0BAAA,CAHA,WJON,CIKI,oDACE,oDJHN,CIOI,mEACE,kDAAA,CACA,yDAAA,CAAA,iDJLN,CISI,oEACE,kDAAA,CACA,0DAAA,CAAA,kDJPN,CIYE,wBACE,iBAAA,CACA,eAAA,CACA,iBJVJ,CIcE,mBACE,oBAAA,CAEA,kBAAA,CADA,eJXJ,CIeI,aANF,mBAOI,aJZJ,CACF,CIeI,8BACE,aAAA,CAEA,QAAA,CACA,eAAA,CAFA,UJXN,CKnVI,0CD6WF,uBACE,iBJtBF,CIyBE,4BACE,eJvBJ,CACF,CMlhBE,uBAOE,kBAAA,CALA,aAAA,CACA,aAAA,CAEA,aAAA,CACA,eAAA,CALA,iBAAA,CAOA,sCACE,CALF,YNwhBJ,CM/gBI,2BACE,aNihBN,CM7gBI,6BAME,+CAAA,CAFA,yCAAA,CAHA,eAAA,CACA,eAAA,CACA,kBAAA,CAEA,iBNghBN,CM3gBI,6BAEE,aAAA,CADA,YN8gBN,CMxgBE,wBACE,kBN0gBJ,CMvgBI,4BAIE,kBAAA,CAHA,mCAAA,CAIA,uBNugBN,CMngBI,4DAEE,oBAAA,CADA,SNsgBN,CMlgBM,oEACE,mBNogBR,CO7jBA,WAGE,0CAAA,CADA,+BAAA,CADA,aPkkBF,CO7jBE,aANF,WAOI,YPgkBF,CACF,CO7jBE,oBAEE,2CAAA,CADA,gCPgkBJ,CO3jBE,kBAGE,eAAA,CADA,iBAAA,CADA,eP+jBJ,COzjBE,6BACE,WP8jBJ,CO/jBE,6BACE,UP8jBJ,CO/jBE,mBAEE,aAAA,CACA,cAAA,CACA,uBP2jBJ,COxjBI,0BACE,YP0jBN,COtjBI,yBACE,UPwjBN,CQ7lBA,KASE,cAAA,CARA,WAAA,CACA,iBRimBF,CK7bI,oCGtKJ,KAaI,gBR0lBF,CACF,CKlcI,oCGtKJ,KAkBI,cR0lBF,CACF,CQrlBA,KASE,2CAAA,CAPA,YAAA,CACA,qBAAA,CAKA,eAAA,CAHA,eAAA,CAJA,iBAAA,CAGA,UR2lBF,CQnlBE,aAZF,KAaI,aRslBF,CACF,CKncI,0CGhJF,yBAII,cRmlBJ,CACF,CQ1kBA,SAEE,gBAAA,CAAA,iBAAA,CADA,eR8kBF,CQzkBA,cACE,YAAA,CACA,qBAAA,CACA,WR4kBF,CQzkBE,aANF,cAOI,aR4kBF,CACF,CQxkBA,SACE,WR2kBF,CQxkBE,gBACE,YAAA,CACA,WAAA,CACA,iBR0kBJ,CQrkBA,aACE,eAAA,CACA,sBRwkBF,CQ/jBA,WACE,YRkkBF,CQ7jBA,WAGE,QAAA,CACA,SAAA,CAHA,iBAAA,CACA,ORkkBF,CQ7jBE,uCACE,aR+jBJ,CQ3jBE,+BAEE,uCAAA,CADA,kBR8jBJ,CQxjBA,SASE,2CAAA,CACA,mBAAA,CAFA,gCAAA,CADA,gBAAA,CADA,YAAA,CAMA,SAAA,CADA,uCAAA,CANA,mBAAA,CAJA,cAAA,CAYA,2BAAA,CATA,URkkBF,CQtjBE,eAEE,SAAA,CAIA,uBAAA,CAHA,oEACE,CAHF,UR2jBJ,CQ7iBA,MACE,WRgjBF,CSzsBA,MACE,+PT2sBF,CSrsBA,cASE,mBAAA,CAFA,0CAAA,CACA,cAAA,CAFA,YAAA,CAIA,uCAAA,CACA,oBAAA,CAVA,iBAAA,CAEA,UAAA,CADA,QAAA,CAUA,qBAAA,CAPA,WAAA,CADA,STgtBF,CSrsBE,aAfF,cAgBI,YTwsBF,CACF,CSrsBE,kCAEE,uCAAA,CADA,YTwsBJ,CSnsBE,qBACE,uCTqsBJ,CSjsBE,wCACE,+BTmsBJ,CS9rBE,oBAME,6BAAA,CADA,UAAA,CAJA,aAAA,CAEA,cAAA,CACA,aAAA,CAGA,2CAAA,CAAA,mCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CARA,aTwsBJ,CS5rBE,sBACE,cT8rBJ,CS3rBI,2BACE,2CT6rBN,CSvrBI,kEAEE,uDAAA,CADA,+BT0rBN,CU5vBE,8BACE,YV+vBJ,CWpwBA,mBACE,GACE,SAAA,CACA,0BXuwBF,CWpwBA,GACE,SAAA,CACA,uBXswBF,CACF,CWlwBA,mBACE,GACE,SXowBF,CWjwBA,GACE,SXmwBF,CACF,CWxvBE,qBASE,2BAAA,CADA,mCAAA,CAAA,2BAAA,CAFA,0BAAA,CADA,WAAA,CAEA,SAAA,CANA,cAAA,CACA,KAAA,CAEA,UAAA,CADA,SXgwBJ,CWtvBE,mBAcE,mDAAA,CANA,2CAAA,CACA,QAAA,CACA,mBAAA,CARA,QAAA,CASA,kDACE,CAPF,eAAA,CAEA,aAAA,CADA,SAAA,CALA,cAAA,CAGA,UAAA,CADA,SXiwBJ,CWlvBE,kBACE,aXovBJ,CWhvBE,sBACE,YAAA,CACA,YXkvBJ,CW/uBI,oCACE,aXivBN,CW5uBE,sBACE,mBX8uBJ,CW3uBI,6CACE,cX6uBN,CKvoBI,0CMvGA,6CAKI,aAAA,CAEA,gBAAA,CACA,iBAAA,CAFA,UX+uBN,CACF,CWxuBE,kBACE,cX0uBJ,CY30BA,YACE,WAAA,CAIA,WZ20BF,CYx0BE,mBAEE,qBAAA,CADA,iBZ20BJ,CK9qBI,sCOtJE,4EACE,kBZu0BN,CYn0BI,0JACE,mBZq0BN,CYt0BI,8EACE,kBZq0BN,CACF,CYh0BI,0BAGE,UAAA,CAFA,aAAA,CACA,YZm0BN,CY9zBI,+BACE,eZg0BN,CY1zBE,8BACE,WZ+zBJ,CYh0BE,8BACE,UZ+zBJ,CYh0BE,8BAIE,iBZ4zBJ,CYh0BE,8BAIE,kBZ4zBJ,CYh0BE,oBAGE,cAAA,CADA,SZ8zBJ,CYzzBI,aAPF,oBAQI,YZ4zBJ,CACF,CYzzBI,gCACE,yCZ2zBN,CYvzBI,wBACE,cAAA,CACA,kBZyzBN,CYtzBM,kCACE,oBZwzBR,Caz3BA,qBAeE,Wb03BF,Caz4BA,qBAeE,Ub03BF,Caz4BA,WAOE,2CAAA,CACA,mBAAA,CANA,YAAA,CAOA,8BAAA,CALA,iBAAA,CAMA,SAAA,CALA,mBAAA,CACA,mBAAA,CALA,cAAA,CAaA,0BAAA,CAHA,wCACE,CATF,Sbs4BF,Cav3BE,aAlBF,WAmBI,Yb03BF,CACF,Cav3BE,mBAEE,SAAA,CADA,mBAAA,CAKA,uBAAA,CAHA,kEb03BJ,Can3BE,kBAEE,gCAAA,CADA,ebs3BJ,Ccx5BA,aACE,gBAAA,CACA,iBd25BF,Ccx5BE,sBAGE,WAAA,CADA,QAAA,CADA,Sd45BJ,Cct5BE,oBAEE,eAAA,CADA,edy5BJ,Ccp5BE,oBACE,iBds5BJ,Ccl5BE,mBAEE,YAAA,CACA,cAAA,CACA,6BAAA,CAHA,iBdu5BJ,Ccj5BI,iDACE,yCdm5BN,Cc/4BI,6BACE,iBdi5BN,Cc54BE,mBAGE,uCAAA,CACA,cAAA,CAHA,aAAA,CACA,cAAA,CAGA,sBd84BJ,Cc34BI,gDACE,+Bd64BN,Ccz4BI,4BACE,0CAAA,CACA,mBd24BN,Cct4BE,mBAEE,SAAA,CADA,iBAAA,CAKA,2BAAA,CAHA,8Ddy4BJ,Ccn4BI,qBAEE,aAAA,CADA,eds4BN,Ccj4BI,6BACE,SAAA,CACA,uBdm4BN,Cej9BA,WAEE,0CAAA,CADA,+Bfq9BF,Cej9BE,aALF,WAMI,Yfo9BF,CACF,Cej9BE,kBACE,6BAAA,CAEA,aAAA,CADA,afo9BJ,Ceh9BI,gCACE,Yfk9BN,Ce78BE,iBAOE,eAAA,CANA,YAAA,CAKA,cAAA,CAGA,mBAAA,CAAA,eAAA,CADA,cAAA,CAGA,uCAAA,CADA,eAAA,CAEA,uBf28BJ,Cex8BI,8CACE,Uf08BN,Cet8BI,+BACE,oBfw8BN,CK1zBI,0CUvIE,uBACE,afo8BN,Cej8BM,yCACE,Yfm8BR,CACF,Ce97BI,iCACE,gBfi8BN,Cel8BI,iCACE,iBfi8BN,Cel8BI,uBAEE,gBfg8BN,Ce77BM,iCACE,ef+7BR,Cez7BE,kBACE,WAAA,CAIA,eAAA,CADA,mBAAA,CAFA,6BAAA,CACA,cAAA,CAGA,kBf27BJ,Cev7BE,mBAEE,YAAA,CADA,af07BJ,Cer7BE,sBACE,gBAAA,CACA,Ufu7BJ,Cel7BA,gBACE,gDfq7BF,Cel7BE,uBACE,YAAA,CACA,cAAA,CACA,6BAAA,CACA,afo7BJ,Ceh7BE,kCACE,sCfk7BJ,Ce/6BI,gFACE,+Bfi7BN,Cez6BA,cAKE,wCAAA,CADA,gBAAA,CADA,iBAAA,CADA,eAAA,CADA,Ufg7BF,CKp4BI,mCU7CJ,cASI,Uf46BF,CACF,Cex6BE,yBACE,sCf06BJ,Cen6BA,WACE,mBAAA,CACA,SAAA,CAEA,cAAA,CADA,qBfu6BF,CKn5BI,mCUvBJ,WAQI,efs6BF,CACF,Cen6BE,iBACE,oBAAA,CAEA,aAAA,CACA,iBAAA,CAFA,Yfu6BJ,Cel6BI,wBACE,efo6BN,Ceh6BI,qBAGE,iBAAA,CAFA,gBAAA,CACA,mBfm6BN,CgBzkCE,uBAME,kBAAA,CACA,mBAAA,CAHA,gCAAA,CACA,cAAA,CAJA,oBAAA,CAEA,eAAA,CADA,kBAAA,CAMA,gEhB4kCJ,CgBtkCI,gCAEE,2CAAA,CACA,uCAAA,CAFA,gChB0kCN,CgBpkCI,0DAEE,0CAAA,CACA,sCAAA,CAFA,+BhBwkCN,CgBjkCE,gCAKE,4BhBskCJ,CgB3kCE,gEAME,6BhBqkCJ,CgB3kCE,gCAME,4BhBqkCJ,CgB3kCE,sBAIE,6DAAA,CAGA,8BAAA,CAJA,eAAA,CAFA,aAAA,CACA,eAAA,CAMA,sChBmkCJ,CgB9jCI,wDACE,6CAAA,CACA,8BhBgkCN,CgB5jCI,+BACE,UhB8jCN,CiBjnCA,WAOE,2CAAA,CAGA,8CACE,CALF,gCAAA,CADA,aAAA,CAHA,MAAA,CADA,eAAA,CACA,OAAA,CACA,KAAA,CACA,SjBwnCF,CiB7mCE,aAfF,WAgBI,YjBgnCF,CACF,CiB7mCE,mBAIE,2BAAA,CAHA,iEjBgnCJ,CiBzmCE,mBACE,kDACE,CAEF,kEjBymCJ,CiBnmCE,kBAEE,kBAAA,CADA,YAAA,CAEA,ejBqmCJ,CiBjmCE,mBAKE,kBAAA,CAEA,cAAA,CAHA,YAAA,CAIA,uCAAA,CALA,aAAA,CAFA,iBAAA,CAQA,uBAAA,CAHA,qBAAA,CAJA,SjB0mCJ,CiBhmCI,yBACE,UjBkmCN,CiB9lCI,iCACE,oBjBgmCN,CiB5lCI,uCAEE,uCAAA,CADA,YjB+lCN,CiB1lCI,2BAEE,YAAA,CADA,ajB6lCN,CK/+BI,0CY/GA,2BAMI,YjB4lCN,CACF,CiBzlCM,8DAIE,iBAAA,CAHA,aAAA,CAEA,aAAA,CADA,UjB6lCR,CK7gCI,mCYzEA,iCAII,YjBslCN,CACF,CiBnlCM,wCACE,YjBqlCR,CiBjlCM,+CACE,oBjBmlCR,CKxhCI,sCYtDA,iCAII,YjB8kCN,CACF,CiBzkCE,kBAEE,YAAA,CACA,cAAA,CAFA,iBAAA,CAIA,8DACE,CAFF,kBjB4kCJ,CiBtkCI,oCAGE,SAAA,CADA,mBAAA,CAKA,6BAAA,CAHA,8DACE,CAJF,UjB4kCN,CiBnkCM,8CACE,8BjBqkCR,CiBhkCI,8BACE,ejBkkCN,CiB7jCE,4BAGE,gBAAA,CAAA,kBjBikCJ,CiBpkCE,4BAGE,iBAAA,CAAA,iBjBikCJ,CiBpkCE,kBACE,WAAA,CAGA,eAAA,CAFA,aAAA,CAGA,kBjB+jCJ,CiB5jCI,4CAGE,SAAA,CADA,mBAAA,CAKA,8BAAA,CAHA,8DACE,CAJF,UjBkkCN,CiBzjCM,sDACE,6BjB2jCR,CiBvjCM,8DAGE,SAAA,CADA,mBAAA,CAKA,uBAAA,CAHA,8DACE,CAJF,SjB6jCR,CiBljCI,uCAGE,WAAA,CAFA,iBAAA,CACA,UjBqjCN,CiB/iCE,mBACE,YAAA,CACA,aAAA,CACA,cAAA,CAEA,+CACE,CAFF,kBjBkjCJ,CiB5iCI,8DACE,WAAA,CACA,SAAA,CACA,oCjB8iCN,CiBriCI,yBACE,QjBuiCN,CiBliCE,mBACE,YjBoiCJ,CKhmCI,mCY2DF,6BAQI,gBjBoiCJ,CiB5iCA,6BAQI,iBjBoiCJ,CiB5iCA,mBAKI,aAAA,CAEA,iBAAA,CADA,ajBsiCJ,CACF,CKxmCI,sCY2DF,6BAaI,kBjBoiCJ,CiBjjCA,6BAaI,mBjBoiCJ,CACF,CDnxCA,SAGE,uCAAA,CAFA,eAAA,CACA,eCuxCF,CDnxCE,eACE,mBAAA,CACA,cAAA,CAGA,eAAA,CADA,QAAA,CADA,SCuxCJ,CDjxCE,sCAEE,WAAA,CADA,iBAAA,CAAA,kBCoxCJ,CD/wCE,eACE,+BCixCJ,CD9wCI,0CACE,+BCgxCN,CD1wCA,UAKE,wBmBaa,CnBZb,oBAAA,CAFA,UAAA,CAHA,oBAAA,CAEA,eAAA,CADA,0BAAA,CAAA,2BCixCF,CmBnzCA,MACE,0MAAA,CACA,gMAAA,CACA,yNnBszCF,CmBhzCA,QACE,eAAA,CACA,enBmzCF,CmBhzCE,eAKE,uCAAA,CAJA,aAAA,CAGA,eAAA,CADA,eAAA,CADA,eAAA,CAIA,sBnBkzCJ,CmB/yCI,+BACE,YnBizCN,CmB9yCM,mCAEE,WAAA,CADA,UnBizCR,CmBzyCQ,sFAME,iBAAA,CALA,aAAA,CAGA,aAAA,CADA,cAAA,CAEA,kBAAA,CAHA,UnB+yCV,CmBpyCE,cAGE,eAAA,CADA,QAAA,CADA,SnBwyCJ,CmBlyCE,cAGE,sBAAA,CAFA,YAAA,CACA,SAAA,CAEA,iBAAA,CAEA,uBAAA,CADA,sBnBqyCJ,CmBjyCI,sBACE,uCnBmyCN,CmB5xCM,6EAEE,+BnB8xCR,CmBzxCI,2BAIE,iBnBwxCN,CmBpxCI,4CACE,gBnBsxCN,CmBvxCI,4CACE,iBnBsxCN,CmBlxCI,kBAME,iBAAA,CAFA,aAAA,CACA,YAAA,CAFA,iBnBqxCN,CmB9wCI,sGACE,+BAAA,CACA,cnBgxCN,CmB5wCI,4BACE,uCAAA,CACA,oBnB8wCN,CmB1wCI,0CACE,YnB4wCN,CmBzwCM,yDAKE,6BAAA,CAJA,aAAA,CAEA,WAAA,CACA,qCAAA,CAAA,6BAAA,CAFA,UnB8wCR,CmBvwCM,kDACE,YnBywCR,CmBnwCE,iCACE,YnBqwCJ,CmBlwCI,6CACE,WAAA,CAGA,WnBkwCN,CmB7vCE,cACE,anB+vCJ,CmB3vCE,gBACE,YnB6vCJ,CK9tCI,0CcxBA,0CASE,2CAAA,CAHA,YAAA,CACA,qBAAA,CACA,WAAA,CALA,MAAA,CADA,iBAAA,CACA,OAAA,CACA,KAAA,CACA,SnB4vCJ,CmBjvCI,+DACE,eAAA,CACA,enBmvCN,CmB/uCI,gCAQE,qDAAA,CAHA,uCAAA,CAEA,cAAA,CALA,aAAA,CAEA,kBAAA,CADA,wBAAA,CAFA,iBAAA,CAKA,kBnBmvCN,CmB9uCM,wDAGE,UnBovCR,CmBvvCM,wDAGE,WnBovCR,CmBvvCM,8CAIE,aAAA,CAEA,aAAA,CACA,YAAA,CANA,iBAAA,CACA,SAAA,CAGA,YnBkvCR,CmB7uCQ,oDAKE,6BAAA,CADA,UAAA,CAHA,aAAA,CAEA,WAAA,CAGA,2CAAA,CAAA,mCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAPA,UnBsvCV,CmB1uCM,8CAGE,2CAAA,CACA,gEACE,CAJF,eAAA,CAKA,4BAAA,CAJA,kBnB+uCR,CmBxuCQ,2DACE,YnB0uCV,CmBruCM,8CAGE,2CAAA,CADA,gCAAA,CADA,enByuCR,CmBnuCM,yCAIE,aAAA,CAFA,UAAA,CAIA,YAAA,CADA,aAAA,CAJA,iBAAA,CACA,WAAA,CACA,SnBwuCR,CmBhuCI,+BACE,MnBkuCN,CmB9tCI,+BACE,4DnBguCN,CmB7tCM,qDACE,+BnB+tCR,CmB5tCQ,sHACE,+BnB8tCV,CmBxtCI,+BAEE,YAAA,CADA,mBnB2tCN,CmBvtCM,mCACE,enBytCR,CmBrtCM,6CACE,SnButCR,CmBntCM,uDAGE,mBnBstCR,CmBztCM,uDAGE,kBnBstCR,CmBztCM,6CAIE,gBAAA,CAFA,aAAA,CADA,YnBwtCR,CmBltCQ,mDAKE,6BAAA,CADA,UAAA,CAHA,aAAA,CAEA,WAAA,CAGA,2CAAA,CAAA,mCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAPA,UnB2tCV,CmB3sCM,+CACE,mBnB6sCR,CmBrsCM,4CAEE,wBAAA,CADA,enBwsCR,CmBpsCQ,oEACE,mBnBssCV,CmBvsCQ,oEACE,oBnBssCV,CmBlsCQ,4EACE,iBnBosCV,CmBrsCQ,4EACE,kBnBosCV,CmBhsCQ,oFACE,mBnBksCV,CmBnsCQ,oFACE,oBnBksCV,CmB9rCQ,4FACE,mBnBgsCV,CmBjsCQ,4FACE,oBnBgsCV,CmBzrCE,mBACE,wBnB2rCJ,CmBvrCE,wBACE,YAAA,CACA,SAAA,CAIA,0BAAA,CAHA,oEnB0rCJ,CmBprCI,kCACE,2BnBsrCN,CmBjrCE,gCACE,SAAA,CAIA,uBAAA,CAHA,qEnBorCJ,CmB9qCI,8CAEE,kCAAA,CAAA,0BnB+qCN,CACF,CKj3CI,0Cc0MA,0CACE,YnB0qCJ,CmBvqCI,yDACE,UnByqCN,CmBrqCI,wDACE,YnBuqCN,CmBnqCI,kDACE,YnBqqCN,CmBhqCE,gBAIE,iDAAA,CADA,gCAAA,CAFA,aAAA,CACA,enBoqCJ,CACF,CK96CM,+DcmRF,6CACE,YnB8pCJ,CmB3pCI,4DACE,UnB6pCN,CmBzpCI,2DACE,YnB2pCN,CmBvpCI,qDACE,YnBypCN,CACF,CKt6CI,mCc7JJ,QAgbI,oBnBupCF,CmBjpCI,kCAME,qCAAA,CACA,qDAAA,CANA,eAAA,CACA,KAAA,CAGA,SnBmpCN,CmB9oCM,6CACE,uBnBgpCR,CmB5oCM,gDACE,YnB8oCR,CmBzoCI,2CACE,kBnB4oCN,CmB7oCI,2CACE,mBnB4oCN,CmB7oCI,iCAEE,oBnB2oCN,CmBpoCI,yDACE,kBnBsoCN,CmBvoCI,yDACE,iBnBsoCN,CACF,CK/7CI,sCc7JJ,QA4dI,oBAAA,CACA,oDnBooCF,CmB9nCI,gCAME,qCAAA,CACA,qDAAA,CANA,eAAA,CACA,KAAA,CAGA,SnBgoCN,CmB3nCM,8CACE,uBnB6nCR,CmBznCM,8CACE,YnB2nCR,CmBtnCI,yCACE,kBnBynCN,CmB1nCI,yCACE,mBnBynCN,CmB1nCI,+BAEE,oBnBwnCN,CmBjnCI,uDACE,kBnBmnCN,CmBpnCI,uDACE,iBnBmnCN,CmB9mCE,wBACE,YAAA,CACA,sBAAA,CAEA,SAAA,CACA,6FACE,CAHF,mBnBknCJ,CmB1mCI,sCACE,enB4mCN,CmBvmCE,iFACE,sBAAA,CAEA,SAAA,CACA,4FACE,CAHF,kBnB2mCJ,CmBlmCE,iDACE,enBomCJ,CmBhmCE,6CACE,YnBkmCJ,CmB9lCE,uBACE,aAAA,CACA,enBgmCJ,CmB7lCI,kCACE,enB+lCN,CmB3lCI,qCACE,enB6lCN,CmB1lCM,0CACE,uCnB4lCR,CmBxlCM,6DACE,mBnB0lCR,CmBtlCM,yFAEE,YnBwlCR,CmBnlCI,yCAEE,kBnBulCN,CmBzlCI,yCAEE,mBnBulCN,CmBzlCI,+BACE,aAAA,CAGA,SAAA,CADA,kBnBslCN,CmBllCM,2DACE,SnBolCR,CmB9kCE,cAGE,kBAAA,CADA,YAAA,CAEA,gCAAA,CAHA,WnBmlCJ,CmB7kCI,oBACE,uDnB+kCN,CmB3kCI,oBAME,6BAAA,CACA,kBAAA,CAFA,UAAA,CAJA,oBAAA,CAEA,WAAA,CAMA,2CAAA,CAAA,mCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAJA,yBAAA,CAJA,qBAAA,CAFA,UnBulCN,CmB1kCM,8BACE,wBnB4kCR,CmBxkCM,kKAEE,uBnBykCR,CmB3jCI,2EACE,YnBgkCN,CmB7jCM,oDACE,anB+jCR,CmB5jCQ,kEAKE,qCAAA,CACA,qDAAA,CAFA,YAAA,CAHA,eAAA,CACA,KAAA,CACA,SnBikCV,CmB3jCU,0FACE,mBnB6jCZ,CmBxjCQ,0EACE,QnB0jCV,CmBrjCM,sFACE,kBnBujCR,CmBxjCM,sFACE,mBnBujCR,CmBnjCM,kDACE,uCnBqjCR,CmB/iCI,2CACE,sBAAA,CAEA,SAAA,CADA,kBnBkjCN,CmBziCI,qFAIE,mDnB4iCN,CmBhjCI,qFAIE,oDnB4iCN,CmBhjCI,2EACE,aAAA,CACA,oBAAA,CAGA,SAAA,CAFA,kBnB6iCN,CmBxiCM,yFAEE,gBAAA,CADA,gBnB2iCR,CmBtiCM,0FACE,YnBwiCR,CACF,CoB/vDA,eAKE,eAAA,CACA,eAAA,CAJA,SpBswDF,CoB/vDE,gCANA,kBAAA,CAFA,YAAA,CAGA,sBpB6wDF,CoBxwDE,iBAOE,mBAAA,CAFA,aAAA,CADA,gBAAA,CAEA,iBpBkwDJ,CoB7vDE,wBAEE,qDAAA,CADA,uCpBgwDJ,CoB3vDE,qBACE,6CpB6vDJ,CoBxvDI,sDAEE,uDAAA,CADA,+BpB2vDN,CoBvvDM,8DACE,+BpByvDR,CoBpvDI,mCACE,uCAAA,CACA,oBpBsvDN,CoBlvDI,yBAKE,iBAAA,CADA,yCAAA,CAHA,aAAA,CAEA,eAAA,CADA,YpBuvDN,CqBvyDE,eAGE,+DAAA,CADA,oBAAA,CADA,qBrB4yDJ,CKvnDI,0CgBtLF,eAOI,YrB0yDJ,CACF,CqBpyDM,6BACE,oBrBsyDR,CqBhyDE,kBACE,YAAA,CACA,qBAAA,CACA,SAAA,CACA,qBrBkyDJ,CqB3xDI,0BACE,sBrB6xDN,CqB1xDM,gEACE,+BrB4xDR,CqBtxDE,gBAEE,uCAAA,CADA,erByxDJ,CqBpxDE,kBACE,oBrBsxDJ,CqBnxDI,mCAGE,kBAAA,CAFA,YAAA,CACA,SAAA,CAEA,iBrBqxDN,CqBjxDI,oCAIE,kBAAA,CAHA,mBAAA,CACA,kBAAA,CACA,SAAA,CAGA,QAAA,CADA,iBrBoxDN,CqB/wDI,0DACE,kBrBixDN,CqBlxDI,0DACE,iBrBixDN,CqB7wDI,iDACE,uBAAA,CAEA,YrB8wDN,CqBzwDE,4BACE,YrB2wDJ,CqBpwDA,YAGE,kBAAA,CAFA,YAAA,CAIA,eAAA,CAHA,SAAA,CAIA,eAAA,CAFA,UrBywDF,CqBpwDE,yBACE,WrBswDJ,CqB/vDA,kBACE,YrBkwDF,CK1rDI,0CgBzEJ,kBAKI,wBrBkwDF,CACF,CqB/vDE,qCACE,WrBiwDJ,CKrtDI,sCgB7CF,+CAKI,kBrBiwDJ,CqBtwDA,+CAKI,mBrBiwDJ,CACF,CKvsDI,0CgBrDJ,6BAMI,SAAA,CAFA,eAAA,CACA,UrB8vDF,CqB3vDE,qDACE,gBrB6vDJ,CqB1vDE,gDACE,SrB4vDJ,CqBzvDE,4CACE,iBAAA,CAAA,kBrB2vDJ,CqBxvDE,2CAEE,WAAA,CADA,crB2vDJ,CqBvvDE,2CACE,mBAAA,CACA,cAAA,CACA,SAAA,CACA,oBAAA,CAAA,iBrByvDJ,CqBtvDE,2CACE,SrBwvDJ,CqBrvDE,qCAEE,WAAA,CACA,eAAA,CAFA,erByvDJ,CACF,CsBn6DA,MACE,qBAAA,CACA,yBtBs6DF,CsBh6DA,aAME,qCAAA,CADA,cAAA,CAEA,0FACE,CAPF,cAAA,CACA,KAAA,CAaA,mDAAA,CACA,qBAAA,CAJA,wFACE,CATF,UAAA,CADA,StB06DF,CuBr7DA,MACE,igBvBw7DF,CuBl7DA,WACE,iBvBq7DF,CKvxDI,mCkB/JJ,WAKI,evBq7DF,CACF,CuBl7DE,kBACE,YvBo7DJ,CuBh7DE,oBAEE,SAAA,CADA,SvBm7DJ,CKhxDI,0CkBpKF,8BAkBI,YvBg7DJ,CuBl8DA,8BAkBI,avBg7DJ,CuBl8DA,oBAYI,2CAAA,CACA,kBAAA,CAJA,WAAA,CACA,eAAA,CACA,mBAAA,CALA,iBAAA,CACA,SAAA,CAUA,uBAAA,CAHA,4CACE,CAPF,UvB07DJ,CuB76DI,+DACE,SAAA,CACA,oCvB+6DN,CACF,CKtzDI,mCkBjJF,8BAyCI,MvBy6DJ,CuBl9DA,8BAyCI,OvBy6DJ,CuBl9DA,oBAoCI,0BAAA,CADA,cAAA,CADA,QAAA,CAHA,cAAA,CACA,KAAA,CAKA,sDACE,CALF,OvBi7DJ,CuBt6DI,+DAME,YAAA,CACA,SAAA,CACA,4CACE,CARF,UvB26DN,CACF,CKrzDI,0CkBxGA,+DAII,mBvB65DN,CACF,CKn2DM,+DkB/DF,+DASI,mBvB65DN,CACF,CKx2DM,+DkB/DF,+DAcI,mBvB65DN,CACF,CuBx5DE,kBAEE,kCAAA,CAAA,0BvBy5DJ,CKv0DI,0CkBpFF,4BAmBI,MvBq5DJ,CuBx6DA,4BAmBI,OvBq5DJ,CuBx6DA,kBAUI,QAAA,CAEA,SAAA,CADA,eAAA,CALA,cAAA,CACA,KAAA,CAWA,wBAAA,CALA,qGACE,CALF,OAAA,CADA,SvBg6DJ,CuBl5DI,4BACE,yBvBo5DN,CuBh5DI,6DAEE,WAAA,CACA,SAAA,CAMA,uBAAA,CALA,sGACE,CAJF,UvBs5DN,CACF,CKl3DI,mCkBjEF,4BA2CI,WvBg5DJ,CuB37DA,4BA2CI,UvBg5DJ,CuB37DA,kBA6CI,eAAA,CAHA,iBAAA,CAIA,8CAAA,CAFA,avB+4DJ,CACF,CKj5DM,+DkBOF,6DAII,avB04DN,CACF,CKh4DI,sCkBfA,6DASI,avB04DN,CACF,CuBr4DE,iBAIE,2CAAA,CACA,0BAAA,CAFA,aAAA,CAFA,iBAAA,CAKA,2CACE,CALF,SvB24DJ,CK74DI,mCkBAF,iBAaI,0BAAA,CACA,mBAAA,CAFA,avBu4DJ,CuBl4DI,uBACE,0BvBo4DN,CACF,CuBh4DI,4DAEE,2CAAA,CACA,6BAAA,CACA,8BAAA,CAHA,gCvBq4DN,CuB73DE,4BAKE,mBAAA,CAAA,oBvBk4DJ,CuBv4DE,4BAKE,mBAAA,CAAA,oBvBk4DJ,CuBv4DE,kBAQE,gBAAA,CAFA,eAAA,CAFA,WAAA,CAHA,iBAAA,CAMA,sBAAA,CAJA,UAAA,CADA,SvBq4DJ,CuB53DI,+BACE,qBvB83DN,CuB13DI,kEAEE,uCvB23DN,CuBv3DI,6BACE,YvBy3DN,CK75DI,0CkBaF,kBA8BI,eAAA,CADA,aAAA,CADA,UvB03DJ,CACF,CKv7DI,mCkBgCF,4BAmCI,mBvB03DJ,CuB75DA,4BAmCI,oBvB03DJ,CuB75DA,kBAqCI,aAAA,CADA,evBy3DJ,CuBr3DI,+BACE,uCvBu3DN,CuBn3DI,mCACE,gCvBq3DN,CuBj3DI,6DACE,kBvBm3DN,CuBh3DM,8EACE,uCvBk3DR,CuB92DM,0EACE,WvBg3DR,CACF,CuB12DE,iBAIE,cAAA,CAHA,oBAAA,CAEA,aAAA,CAEA,kCACE,CAJF,YvB+2DJ,CuBv2DI,uBACE,UvBy2DN,CuBr2DI,yCAGE,UvBw2DN,CuB32DI,yCAGE,WvBw2DN,CuB32DI,+BACE,iBAAA,CACA,SAAA,CAEA,SvBu2DN,CuBp2DM,6CACE,oBvBs2DR,CK78DI,0CkB+FA,yCAcI,UvBq2DN,CuBn3DE,yCAcI,WvBq2DN,CuBn3DE,+BAaI,SvBs2DN,CuBl2DM,+CACE,YvBo2DR,CACF,CKz+DI,mCkBkHA,+BAwBI,mBvBm2DN,CuBh2DM,8CACE,YvBk2DR,CACF,CuB51DE,8BAGE,WvBg2DJ,CuBn2DE,8BAGE,UvBg2DJ,CuBn2DE,oBAKE,mBAAA,CAJA,iBAAA,CACA,SAAA,CAEA,SvB+1DJ,CKr+DI,0CkBkIF,8BAUI,WvB81DJ,CuBx2DA,8BAUI,UvB81DJ,CuBx2DA,oBASI,SvB+1DJ,CACF,CuB31DI,uCACE,iBvBi2DN,CuBl2DI,uCACE,kBvBi2DN,CuBl2DI,6BAEE,uCAAA,CACA,SAAA,CAIA,oBAAA,CAHA,+DvB81DN,CuBx1DM,iDAEE,uCAAA,CADA,YvB21DR,CuBt1DM,gGAGE,SAAA,CADA,mBAAA,CAEA,kBvBu1DR,CuBp1DQ,sGACE,UvBs1DV,CuB/0DE,8BAOE,mBAAA,CAAA,oBvBs1DJ,CuB71DE,8BAOE,mBAAA,CAAA,oBvBs1DJ,CuB71DE,oBAIE,kBAAA,CAKA,yCAAA,CANA,YAAA,CAKA,eAAA,CAFA,WAAA,CAKA,SAAA,CAVA,iBAAA,CACA,KAAA,CAUA,uBAAA,CAFA,kBAAA,CALA,UvBw1DJ,CK/hEI,mCkBkMF,8BAgBI,mBvBk1DJ,CuBl2DA,8BAgBI,oBvBk1DJ,CuBl2DA,oBAiBI,evBi1DJ,CACF,CuB90DI,+DACE,SAAA,CACA,0BvBg1DN,CuB30DE,6BAKE,+BvB80DJ,CuBn1DE,0DAME,gCvB60DJ,CuBn1DE,6BAME,+BvB60DJ,CuBn1DE,mBAIE,eAAA,CAHA,iBAAA,CAEA,UAAA,CADA,SvBi1DJ,CK9hEI,0CkB2MF,mBAWI,QAAA,CADA,UvB80DJ,CACF,CKvjEI,mCkB8NF,mBAiBI,SAAA,CADA,UAAA,CAEA,sBvB60DJ,CuB10DI,8DACE,8BAAA,CACA,SvB40DN,CACF,CuBv0DE,uBASE,kCAAA,CAAA,0BAAA,CAFA,2CAAA,CANA,WAAA,CACA,eAAA,CAIA,kBvBw0DJ,CuBl0DI,iEAZF,uBAaI,uBvBq0DJ,CACF,CKpmEM,+DkBiRJ,uBAkBI,avBq0DJ,CACF,CKnlEI,sCkB2PF,uBAuBI,avBq0DJ,CACF,CKxlEI,mCkB2PF,uBA4BI,YAAA,CAEA,yDAAA,CADA,oBvBs0DJ,CuBl0DI,kEACE,evBo0DN,CuBh0DI,6BACE,+CvBk0DN,CuB9zDI,0CAEE,YAAA,CADA,WvBi0DN,CuB5zDI,gDACE,oDvB8zDN,CuB3zDM,sDACE,0CvB6zDR,CACF,CuBtzDA,kBACE,gCAAA,CACA,qBvByzDF,CuBtzDE,wBAKE,qDAAA,CADA,uCAAA,CAFA,gBAAA,CACA,kBAAA,CAFA,eAAA,CAKA,uBvBwzDJ,CK5nEI,mCkB8TF,kCAUI,mBvBwzDJ,CuBl0DA,kCAUI,oBvBwzDJ,CACF,CuBpzDE,wBAGE,eAAA,CADA,QAAA,CADA,SAAA,CAIA,wBAAA,CAAA,gBvBqzDJ,CuBjzDE,wBACE,yDvBmzDJ,CuBhzDI,oCACE,evBkzDN,CuB7yDE,wBACE,aAAA,CACA,YAAA,CAEA,uBAAA,CADA,gCvBgzDJ,CuB5yDI,4DACE,uDvB8yDN,CuB1yDI,gDACE,mBvB4yDN,CuBvyDE,gCAKE,cAAA,CADA,aAAA,CAEA,YAAA,CALA,eAAA,CAMA,uBAAA,CALA,KAAA,CACA,SvB6yDJ,CuBtyDI,wCACE,YvBwyDN,CuBnyDI,wDACE,YvBqyDN,CuBjyDI,oCAGE,+BAAA,CADA,gBAAA,CADA,mBAAA,CAGA,2CvBmyDN,CK9qEI,mCkBuYA,8CAUI,mBvBiyDN,CuB3yDE,8CAUI,oBvBiyDN,CACF,CuB7xDI,oFAEE,uDAAA,CADA,+BvBgyDN,CuB1xDE,sCACE,2CvB4xDJ,CuBvxDE,2BAGE,eAAA,CADA,eAAA,CADA,iBvB2xDJ,CK/rEI,mCkBmaF,qCAOI,mBvByxDJ,CuBhyDA,qCAOI,oBvByxDJ,CACF,CuBrxDE,kCAEE,MvB2xDJ,CuB7xDE,kCAEE,OvB2xDJ,CuB7xDE,wBAME,uCAAA,CAFA,aAAA,CACA,YAAA,CAJA,iBAAA,CAEA,YvB0xDJ,CKzrEI,0CkB4ZF,wBAUI,YvBuxDJ,CACF,CuBpxDI,8BAKE,6BAAA,CADA,UAAA,CAHA,oBAAA,CAEA,WAAA,CAGA,+CAAA,CAAA,uCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAPA,UvB6xDN,CuBnxDM,wCACE,oBvBqxDR,CuB/wDE,8BAGE,uCAAA,CAFA,gBAAA,CACA,evBkxDJ,CuB9wDI,iCAKE,gCAAA,CAHA,eAAA,CACA,eAAA,CACA,eAAA,CAHA,evBoxDN,CuB7wDM,sCACE,oBvB+wDR,CuB1wDI,iCAKE,gCAAA,CAHA,gBAAA,CACA,eAAA,CACA,eAAA,CAHA,avBgxDN,CuBzwDM,sCACE,oBvB2wDR,CuBrwDE,yBAKE,gCAAA,CAJA,aAAA,CAEA,gBAAA,CACA,iBAAA,CAFA,avB0wDJ,CuBnwDE,uBAGE,wBAAA,CAFA,+BAAA,CACA,yBvBswDJ,CwB16EA,WACE,iBAAA,CACA,SxB66EF,CwB16EE,kBAOE,2CAAA,CACA,mBAAA,CACA,8BAAA,CAHA,gCAAA,CAHA,QAAA,CAEA,gBAAA,CADA,YAAA,CAMA,SAAA,CATA,iBAAA,CACA,sBAAA,CAaA,mCAAA,CAJA,oExB66EJ,CwBt6EI,6EACE,gBAAA,CACA,SAAA,CAKA,+BAAA,CAJA,8ExBy6EN,CwBj6EI,wBAWE,+BAAA,CAAA,8CAAA,CAFA,6BAAA,CAAA,8BAAA,CACA,YAAA,CAFA,UAAA,CAHA,QAAA,CAFA,QAAA,CAIA,kBAAA,CADA,iBAAA,CALA,iBAAA,CACA,KAAA,CAEA,OxB06EN,CwB95EE,iBAOE,mBAAA,CAFA,eAAA,CACA,oBAAA,CAHA,QAAA,CAFA,kBAAA,CAGA,aAAA,CAFA,SxBq6EJ,CwB55EE,iBACE,kBxB85EJ,CwB15EE,2BAGE,kBAAA,CAAA,oBxBg6EJ,CwBn6EE,2BAGE,mBAAA,CAAA,mBxBg6EJ,CwBn6EE,iBAIE,cAAA,CAHA,aAAA,CAIA,YAAA,CAIA,uBAAA,CAHA,2CACE,CALF,UxBi6EJ,CwBv5EI,8CACE,+BxBy5EN,CwBr5EI,uBACE,qDxBu5EN,CyB3+EA,YAIE,qBAAA,CADA,aAAA,CAGA,gBAAA,CALA,eAAA,CACA,UAAA,CAGA,azB++EF,CyB3+EE,aATF,YAUI,YzB8+EF,CACF,CKh0EI,0CoB3KF,+BAeI,azBy+EJ,CyBx/EA,+BAeI,czBy+EJ,CyBx/EA,qBAUI,2CAAA,CAHA,aAAA,CAEA,WAAA,CALA,cAAA,CACA,KAAA,CASA,uBAAA,CAHA,iEACE,CAJF,aAAA,CAFA,SzBk/EJ,CyBt+EI,mEACE,8BAAA,CACA,6BzBw+EN,CyBr+EM,6EACE,8BzBu+ER,CyBl+EI,6CAEE,QAAA,CAAA,MAAA,CACA,QAAA,CAEA,eAAA,CAJA,iBAAA,CACA,OAAA,CAEA,qBAAA,CAFA,KzBu+EN,CACF,CK/2EI,sCoBtKJ,YAuDI,QzBk+EF,CyB/9EE,mBACE,WzBi+EJ,CyB79EE,6CACE,UzB+9EJ,CACF,CyB39EE,uBACE,YAAA,CACA,OzB69EJ,CK93EI,mCoBjGF,uBAMI,QzB69EJ,CyB19EI,8BACE,WzB49EN,CyBx9EI,qCACE,azB09EN,CyBt9EI,+CACE,kBzBw9EN,CACF,CyBn9EE,wBAUE,uBAAA,CANA,kCAAA,CAAA,0BAAA,CAHA,cAAA,CACA,eAAA,CASA,yDAAA,CAFA,oBzBk9EJ,CyB78EI,2CAEE,YAAA,CADA,WzBg9EN,CyB38EI,mEACE,+CzB68EN,CyB18EM,qHACE,oDzB48ER,CyBz8EQ,iIACE,0CzB28EV,CyB57EE,wCAGE,wBACE,qBzB47EJ,CyBx7EE,6BACE,kCzB07EJ,CyB37EE,6BACE,iCzB07EJ,CACF,CKt5EI,0CoB5BF,YAME,0BAAA,CADA,QAAA,CAEA,SAAA,CANA,cAAA,CACA,KAAA,CAMA,sDACE,CALF,OAAA,CADA,SzB27EF,CyBh7EE,4CAEE,WAAA,CACA,SAAA,CACA,4CACE,CAJF,UzBq7EJ,CACF,C0BlmFA,iBACE,GACE,Q1BomFF,C0BjmFA,GACE,a1BmmFF,CACF,C0B/lFA,gBACE,GACE,SAAA,CACA,0B1BimFF,C0B9lFA,IACE,S1BgmFF,C0B7lFA,GACE,SAAA,CACA,uB1B+lFF,CACF,C0BvlFA,MACE,+eAAA,CACA,ygBAAA,CACA,mmBAAA,CACA,sf1BylFF,C0BnlFA,WAOE,kCAAA,CAAA,0BAAA,CANA,aAAA,CACA,gBAAA,CACA,eAAA,CAEA,uCAAA,CAGA,uBAAA,CAJA,kB1BylFF,C0BllFE,iBACE,U1BolFJ,C0BhlFE,iBACE,oBAAA,CAEA,aAAA,CACA,qBAAA,CAFA,U1BolFJ,C0B/kFI,+BACE,iB1BklFN,C0BnlFI,+BACE,kB1BklFN,C0BnlFI,qBAEE,gB1BilFN,C0B7kFI,kDACE,iB1BglFN,C0BjlFI,kDACE,kB1BglFN,C0BjlFI,kDAEE,iB1B+kFN,C0BjlFI,kDAEE,kB1B+kFN,C0B1kFE,iCAGE,iB1B+kFJ,C0BllFE,iCAGE,kB1B+kFJ,C0BllFE,uBACE,oBAAA,CACA,6BAAA,CAEA,eAAA,CACA,sBAAA,CACA,qB1B4kFJ,C0BxkFE,kBACE,YAAA,CAMA,gBAAA,CALA,SAAA,CAMA,oBAAA,CAHA,gBAAA,CAIA,WAAA,CAHA,eAAA,CAFA,SAAA,CADA,U1BglFJ,C0BvkFI,iDACE,4B1BykFN,C0BpkFE,iBACE,eAAA,CACA,sB1BskFJ,C0BnkFI,gDACE,2B1BqkFN,C0BjkFI,kCAIE,kB1BykFN,C0B7kFI,kCAIE,iB1BykFN,C0B7kFI,wBAOE,6BAAA,CADA,UAAA,CALA,oBAAA,CAEA,YAAA,CAKA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CALA,uBAAA,CAHA,W1B2kFN,C0B/jFI,iCACE,a1BikFN,C0B7jFI,iCACE,gDAAA,CAAA,wC1B+jFN,C0B3jFI,+BACE,8CAAA,CAAA,sC1B6jFN,C0BzjFI,+BACE,8CAAA,CAAA,sC1B2jFN,C0BvjFI,sCACE,qDAAA,CAAA,6C1ByjFN,C0BnjFA,gBACE,Y1BsjFF,C0BnjFE,gCAIE,kB1BujFJ,C0B3jFE,gCAIE,iB1BujFJ,C0B3jFE,sBAGE,kBAAA,CAGA,uCAAA,CALA,mBAAA,CAIA,gBAAA,CAHA,S1ByjFJ,C0BljFI,+BACE,aAAA,CACA,oB1BojFN,C0BhjFI,2CACE,U1BmjFN,C0BpjFI,2CACE,W1BmjFN,C0BpjFI,iCAEE,kB1BkjFN,C0B9iFI,0BACE,W1BgjFN,C2BvuFA,MACE,mSAAA,CACA,oVAAA,CACA,mOAAA,CACA,qZ3B0uFF,C2BjuFE,iBAME,kDAAA,CADA,UAAA,CAJA,oBAAA,CAEA,cAAA,CAIA,mCAAA,CAAA,2BAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CANA,0BAAA,CAFA,a3B4uFJ,C2BhuFE,uBACE,6B3BkuFJ,C2B9tFE,sBACE,wCAAA,CAAA,gC3BguFJ,C2B5tFE,6BACE,+CAAA,CAAA,uC3B8tFJ,C2B1tFE,4BACE,8CAAA,CAAA,sC3B4tFJ,C4BvwFA,SASE,2CAAA,CADA,gCAAA,CAJA,aAAA,CAGA,eAAA,CADA,aAAA,CADA,UAAA,CAFA,S5B8wFF,C4BrwFE,aAZF,SAaI,Y5BwwFF,CACF,CK7lFI,0CuBzLJ,SAkBI,Y5BwwFF,CACF,C4BrwFE,iBACE,mB5BuwFJ,C4BnwFE,yBAIE,iB5B0wFJ,C4B9wFE,yBAIE,kB5B0wFJ,C4B9wFE,eAQE,eAAA,CAPA,YAAA,CAMA,eAAA,CAJA,QAAA,CAEA,aAAA,CAHA,SAAA,CAWA,oBAAA,CAPA,kB5BwwFJ,C4B9vFI,kCACE,Y5BgwFN,C4B3vFE,eACE,aAAA,CACA,kBAAA,CAAA,mB5B6vFJ,C4B1vFI,sCACE,aAAA,CACA,S5B4vFN,C4BtvFE,eAOE,kCAAA,CAAA,0BAAA,CANA,YAAA,CAEA,eAAA,CADA,gBAAA,CAMA,UAAA,CAJA,uCAAA,CACA,oBAAA,CAIA,8D5BuvFJ,C4BlvFI,0CACE,aAAA,CACA,S5BovFN,C4BhvFI,6BAEE,kB5BmvFN,C4BrvFI,6BAEE,iB5BmvFN,C4BrvFI,mBAGE,iBAAA,CAFA,Y5BovFN,C4B7uFM,2CACE,qB5B+uFR,C4BhvFM,2CACE,qB5BkvFR,C4BnvFM,2CACE,qB5BqvFR,C4BtvFM,2CACE,qB5BwvFR,C4BzvFM,2CACE,oB5B2vFR,C4B5vFM,2CACE,qB5B8vFR,C4B/vFM,2CACE,qB5BiwFR,C4BlwFM,2CACE,qB5BowFR,C4BrwFM,4CACE,qB5BuwFR,C4BxwFM,4CACE,oB5B0wFR,C4B3wFM,4CACE,qB5B6wFR,C4B9wFM,4CACE,qB5BgxFR,C4BjxFM,4CACE,qB5BmxFR,C4BpxFM,4CACE,qB5BsxFR,C4BvxFM,4CACE,oB5ByxFR,C4BnxFI,gCACE,SAAA,CAIA,yBAAA,CAHA,wC5BsxFN,C6Bz3FA,MACE,wS7B43FF,C6Bn3FE,mCACE,mBAAA,CACA,cAAA,CACA,QAAA,CAEA,mBAAA,CADA,kB7Bu3FJ,C6Bl3FE,oBAGE,kBAAA,CAOA,+CAAA,CACA,oBAAA,CAVA,mBAAA,CAIA,gBAAA,CACA,0BAAA,CACA,eAAA,CALA,QAAA,CAOA,qBAAA,CADA,eAAA,CAJA,wB7B23FJ,C6Bj3FI,0BAGE,uCAAA,CAFA,aAAA,CACA,YAAA,CAEA,6C7Bm3FN,C6B92FM,gEAEE,0CAAA,CADA,+B7Bi3FR,C6B32FI,yBACE,uB7B62FN,C6Br2FI,gCAME,oDAAA,CADA,UAAA,CAJA,oBAAA,CAEA,YAAA,CAKA,qCAAA,CAAA,6BAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAJA,iCAAA,CAHA,0BAAA,CAFA,W7Bg3FN,C6Bn2FI,wFACE,0C7Bq2FN,C8B/6FA,iBACE,GACE,oB9Bk7FF,C8B/6FA,IACE,kB9Bi7FF,C8B96FA,GACE,oB9Bg7FF,CACF,C8Bx6FA,MACE,0NAAA,CACA,uP9B26FF,C8Bp6FA,YA6BE,kCAAA,CAAA,0BAAA,CAVA,2CAAA,CACA,mBAAA,CACA,8BAAA,CAHA,gCAAA,CADA,sCAAA,CAdA,+IACE,CAYF,8BAAA,CAMA,SAAA,CArBA,iBAAA,CACA,uBAAA,CAyBA,4BAAA,CAJA,uDACE,CATF,6BAAA,CADA,S9Bw6FF,C8Bt5FE,oBAEE,SAAA,CAKA,uBAAA,CAJA,2EACE,CAHF,S9B25FJ,C8Bj5FE,oBAEE,eAAA,CACA,wBAAA,CAAA,gBAAA,CAFA,U9Bq5FJ,C8Bh5FI,6CACE,qC9Bk5FN,C8B94FI,uCAEE,eAAA,CADA,mB9Bi5FN,C8B34FI,6BACE,Y9B64FN,C8Bx4FE,8CACE,sC9B04FJ,C8Bt4FE,mBAEE,gBAAA,CADA,a9By4FJ,C8Br4FI,2CACE,Y9Bu4FN,C8Bn4FI,0CACE,e9Bq4FN,C8B73FA,eACE,iBAAA,CACA,eAAA,CAIA,YAAA,CAHA,kBAAA,CAEA,0BAAA,CADA,kB9Bk4FF,C8B73FE,yBACE,a9B+3FJ,C8B33FE,oBACE,sCAAA,CACA,iB9B63FJ,C8Bz3FE,6BACE,oBAAA,CAGA,gB9By3FJ,C8Br3FE,sBAYE,mBAAA,CANA,cAAA,CAHA,oBAAA,CACA,gBAAA,CAAA,iBAAA,CAIA,YAAA,CAGA,eAAA,CAVA,iBAAA,CAMA,wBAAA,CAAA,gBAAA,CAFA,uBAAA,CAHA,S9B+3FJ,C8Bj3FI,qCACE,uB9Bm3FN,C8B/2FI,cArBF,sBAsBI,W9Bk3FJ,C8B/2FI,wCACE,2B9Bi3FN,C8B72FI,6BAOE,qCAAA,CACA,+CAAA,CAAA,uC9Bk3FN,C8Bx2FI,yDAZE,UAAA,CADA,YAAA,CAIA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAVA,iBAAA,CACA,SAAA,CAEA,WAAA,CADA,U9Bs4FN,C8Bv3FI,4BAOE,oDAAA,CAMA,4CAAA,CAAA,oCAAA,CADA,uBAAA,CAJA,+C9B+2FN,C8Bp2FM,gDACE,uB9Bs2FR,C8Bl2FM,mFACE,0C9Bo2FR,CACF,C8B/1FI,0CAGE,2BAAA,CADA,uBAAA,CADA,S9Bm2FN,C8B71FI,8CACE,oB9B+1FN,C8B51FM,aAJF,8CASI,8CAAA,CACA,iBAAA,CAHA,gCAAA,CADA,eAAA,CADA,cAAA,CAGA,kB9Bi2FN,C8B51FM,oDACE,mC9B81FR,CACF,C8Bl1FE,gCAEE,iBAAA,CADA,e9Bs1FJ,C8Bl1FI,mCACE,iB9Bo1FN,C8Bj1FM,oDAGE,a9B+1FR,C8Bl2FM,oDAGE,c9B+1FR,C8Bl2FM,0CAcE,8CAAA,CACA,iBAAA,CALA,gCAAA,CAEA,oBAAA,CACA,qBAAA,CANA,iBAAA,CACA,eAAA,CAHA,UAAA,CAIA,gBAAA,CALA,aAAA,CAEA,cAAA,CALA,iBAAA,CAUA,iBAAA,CATA,S9Bg2FR,C+B/mGA,MACE,wBAAA,CACA,wB/BknGF,C+B5mGA,aA+BE,kCAAA,CAAA,0BAAA,CAjBA,gCAAA,CADA,sCAAA,CAGA,SAAA,CADA,mBAAA,CAdA,iBAAA,CAGA,wDACE,CAgBF,4BAAA,CAGA,uEACE,CARF,uDACE,CATF,UAAA,CAGA,S/B+mGF,C+BzlGE,oBAuBE,8CAAA,CAAA,+CAAA,CADA,UAAA,CADA,aAAA,CAfA,gJACE,CANF,iBAAA,CAmBA,S/B6kGJ,C+BtkGE,yBAGE,kEAAA,CAFA,gDAAA,CACA,6C/BykGJ,C+BpkGE,4BAGE,qEAAA,CADA,8CAAA,CADA,6C/BwkGJ,C+BlkGE,qBAEE,SAAA,CAKA,uBAAA,CAJA,wEACE,CAHF,S/BukGJ,C+B7jGE,oBAyBE,uBAAA,CAJA,2CAAA,CACA,mBAAA,CACA,8BAAA,CAjBA,0FACE,CAaF,eAAA,CADA,8BAAA,CAlBA,iBAAA,CAuBA,oB/BgjGJ,C+B5iGI,uCAEE,YAAA,CADA,W/B+iGN,C+B1iGI,6CACE,oD/B4iGN,C+BziGM,mDACE,0C/B2iGR,C+BniGI,mCAwBE,eAAA,CACA,eAAA,CAxBA,oIACE,CAgBF,sCACE,CAIF,mBAAA,CAKA,wBAAA,CAAA,gBAAA,CAbA,sBAAA,CAAA,iB/B6hGN,C+B5gGI,4CACE,Y/B8gGN,C+B1gGI,2CACE,e/B4gGN,CgC/rGA,kBAME,ehC2sGF,CgCjtGA,kBAME,gBhC2sGF,CgCjtGA,QAUE,2CAAA,CACA,oBAAA,CAEA,8BAAA,CALA,uCAAA,CACA,cAAA,CALA,aAAA,CAGA,eAAA,CAKA,YAAA,CAPA,mBAAA,CAJA,cAAA,CACA,UAAA,CAiBA,yBAAA,CALA,mGACE,CAZF,ShC8sGF,CgC3rGE,aAtBF,QAuBI,YhC8rGF,CACF,CgC3rGE,kBACE,wBhC6rGJ,CgCzrGE,gBAEE,SAAA,CADA,mBAAA,CAGA,+BAAA,CADA,uBhC4rGJ,CgCxrGI,0BACE,8BhC0rGN,CgCrrGE,4BAEE,0CAAA,CADA,+BhCwrGJ,CgCnrGE,YACE,oBAAA,CACA,oBhCqrGJ,CiC1uGA,oBACE,GACE,mBjC6uGF,CACF,CiCruGA,MACE,wfjCuuGF,CiCjuGA,YACE,aAAA,CAEA,eAAA,CADA,ajCquGF,CiCjuGE,+BAOE,kBAAA,CAAA,kBjCkuGJ,CiCzuGE,+BAOE,iBAAA,CAAA,mBjCkuGJ,CiCzuGE,qBAQE,aAAA,CACA,cAAA,CACA,YAAA,CATA,iBAAA,CAKA,UjCmuGJ,CiC5tGI,qCAIE,iBjCouGN,CiCxuGI,qCAIE,kBjCouGN,CiCxuGI,2BAME,6BAAA,CADA,UAAA,CAJA,oBAAA,CAEA,YAAA,CAIA,yCAAA,CAAA,iCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CARA,WjCsuGN,CiCztGE,mBACE,iBAAA,CACA,UjC2tGJ,CiCvtGE,kBAUE,2CAAA,CACA,mBAAA,CACA,8BAAA,CAJA,gCAAA,CACA,oBAAA,CAHA,kBAAA,CAFA,YAAA,CASA,SAAA,CANA,aAAA,CAFA,SAAA,CAJA,iBAAA,CAgBA,4BAAA,CAfA,UAAA,CAYA,+CACE,CAZF,SjCquGJ,CiCptGI,+EACE,gBAAA,CACA,SAAA,CACA,sCjCstGN,CiChtGI,qCAEE,oCACE,gCjCitGN,CiC7sGI,2CACE,cjC+sGN,CACF,CiC1sGE,kBACE,kBjC4sGJ,CiCxsGE,4BAGE,kBAAA,CAAA,oBjC+sGJ,CiCltGE,4BAGE,mBAAA,CAAA,mBjC+sGJ,CiCltGE,kBAKE,cAAA,CAJA,aAAA,CAKA,YAAA,CAIA,uBAAA,CAHA,2CACE,CAJF,kBAAA,CAFA,UjCgtGJ,CiCrsGI,gDACE,+BjCusGN,CiCnsGI,wBACE,qDjCqsGN,CkC3yGA,MAEI,uWAAA,CAAA,8WAAA,CAAA,sPAAA,CAAA,8xBAAA,CAAA,0MAAA,CAAA,gbAAA,CAAA,gMAAA,CAAA,iQAAA,CAAA,0VAAA,CAAA,6aAAA,CAAA,8SAAA,CAAA,gMlCo0GJ,CkCxzGE,4CAME,8CAAA,CACA,4BAAA,CACA,mBAAA,CACA,8BAAA,CAJA,mCAAA,CAJA,iBAAA,CAGA,gBAAA,CADA,iBAAA,CADA,eAAA,CASA,uBAAA,CADA,2BlC4zGJ,CkCxzGI,aAdF,4CAeI,elC2zGJ,CACF,CkCxzGI,sEACE,gClC0zGN,CkCrzGI,gDACE,qBlCuzGN,CkCnzGI,gIAEE,iBAAA,CADA,clCszGN,CkCjzGI,4FACE,iBlCmzGN,CkC/yGI,kFACE,elCizGN,CkC7yGI,0FACE,YlC+yGN,CkC3yGI,8EACE,mBlC6yGN,CkCxyGE,sEAGE,iBAAA,CAAA,mBlCkzGJ,CkCrzGE,sEAGE,kBAAA,CAAA,kBlCkzGJ,CkCrzGE,sEASE,uBlC4yGJ,CkCrzGE,sEASE,wBlC4yGJ,CkCrzGE,sEAUE,4BlC2yGJ,CkCrzGE,4IAWE,6BlC0yGJ,CkCrzGE,sEAWE,4BlC0yGJ,CkCrzGE,kDAOE,0BAAA,CACA,WAAA,CAFA,eAAA,CADA,eAAA,CAHA,oBAAA,CAAA,iBAAA,CADA,iBlCozGJ,CkCvyGI,kFACE,elCyyGN,CkCryGI,oFAOE,UlC2yGN,CkClzGI,oFAOE,WlC2yGN,CkClzGI,gEAME,wBhBkIU,CgBnIV,UAAA,CADA,WAAA,CAIA,kDAAA,CAAA,0CAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAVA,iBAAA,CACA,UAAA,CACA,UlC+yGN,CkCnyGI,4DACE,4DlCqyGN,CkCvxGE,sDACE,oBlC0xGJ,CkCvxGI,gFACE,gClCyxGN,CkCpxGE,8DACE,0BlCuxGJ,CkCpxGI,4EACE,wBAlBG,CAmBH,kDAAA,CAAA,0ClCsxGN,CkClxGI,0EACE,alCoxGN,CkCzyGE,8DACE,oBlC4yGJ,CkCzyGI,wFACE,gClC2yGN,CkCtyGE,sEACE,0BlCyyGJ,CkCtyGI,oFACE,wBAlBG,CAmBH,sDAAA,CAAA,8ClCwyGN,CkCpyGI,kFACE,alCsyGN,CkC3zGE,sDACE,oBlC8zGJ,CkC3zGI,gFACE,gClC6zGN,CkCxzGE,8DACE,0BlC2zGJ,CkCxzGI,4EACE,wBAlBG,CAmBH,kDAAA,CAAA,0ClC0zGN,CkCtzGI,0EACE,alCwzGN,CkC70GE,oDACE,oBlCg1GJ,CkC70GI,8EACE,gClC+0GN,CkC10GE,4DACE,0BlC60GJ,CkC10GI,0EACE,wBAlBG,CAmBH,iDAAA,CAAA,yClC40GN,CkCx0GI,wEACE,alC00GN,CkC/1GE,4DACE,oBlCk2GJ,CkC/1GI,sFACE,gClCi2GN,CkC51GE,oEACE,0BlC+1GJ,CkC51GI,kFACE,wBAlBG,CAmBH,qDAAA,CAAA,6ClC81GN,CkC11GI,gFACE,alC41GN,CkCj3GE,8DACE,oBlCo3GJ,CkCj3GI,wFACE,gClCm3GN,CkC92GE,sEACE,0BlCi3GJ,CkC92GI,oFACE,wBAlBG,CAmBH,sDAAA,CAAA,8ClCg3GN,CkC52GI,kFACE,alC82GN,CkCn4GE,4DACE,oBlCs4GJ,CkCn4GI,sFACE,gClCq4GN,CkCh4GE,oEACE,0BlCm4GJ,CkCh4GI,kFACE,wBAlBG,CAmBH,qDAAA,CAAA,6ClCk4GN,CkC93GI,gFACE,alCg4GN,CkCr5GE,4DACE,oBlCw5GJ,CkCr5GI,sFACE,gClCu5GN,CkCl5GE,oEACE,0BlCq5GJ,CkCl5GI,kFACE,wBAlBG,CAmBH,qDAAA,CAAA,6ClCo5GN,CkCh5GI,gFACE,alCk5GN,CkCv6GE,0DACE,oBlC06GJ,CkCv6GI,oFACE,gClCy6GN,CkCp6GE,kEACE,0BlCu6GJ,CkCp6GI,gFACE,wBAlBG,CAmBH,oDAAA,CAAA,4ClCs6GN,CkCl6GI,8EACE,alCo6GN,CkCz7GE,oDACE,oBlC47GJ,CkCz7GI,8EACE,gClC27GN,CkCt7GE,4DACE,0BlCy7GJ,CkCt7GI,0EACE,wBAlBG,CAmBH,iDAAA,CAAA,yClCw7GN,CkCp7GI,wEACE,alCs7GN,CkC38GE,4DACE,oBlC88GJ,CkC38GI,sFACE,gClC68GN,CkCx8GE,oEACE,0BlC28GJ,CkCx8GI,kFACE,wBAlBG,CAmBH,qDAAA,CAAA,6ClC08GN,CkCt8GI,gFACE,alCw8GN,CkC79GE,wDACE,oBlCg+GJ,CkC79GI,kFACE,gClC+9GN,CkC19GE,gEACE,0BlC69GJ,CkC19GI,8EACE,wBAlBG,CAmBH,mDAAA,CAAA,2ClC49GN,CkCx9GI,4EACE,alC09GN,CmC9nHA,MACE,wMnCioHF,CmCxnHE,sBAEE,uCAAA,CADA,gBnC4nHJ,CmCxnHI,mCACE,anC0nHN,CmC3nHI,mCACE,cnC0nHN,CmCtnHM,4BACE,sBnCwnHR,CmCrnHQ,mCACE,gCnCunHV,CmCnnHQ,2DACE,SAAA,CAEA,uBAAA,CADA,enCsnHV,CmCjnHQ,yGACE,SAAA,CACA,uBnCmnHV,CmC/mHQ,yCACE,YnCinHV,CmC1mHE,0BACE,eAAA,CACA,enC4mHJ,CmCzmHI,+BACE,oBnC2mHN,CmCtmHE,gDACE,YnCwmHJ,CmCpmHE,8BAIE,+BAAA,CAHA,oBAAA,CAEA,WAAA,CAGA,SAAA,CAKA,4BAAA,CAJA,4DACE,CAHF,0BnCwmHJ,CmC/lHI,aAdF,8BAeI,+BAAA,CACA,SAAA,CACA,uBnCkmHJ,CACF,CmC/lHI,wCACE,6BnCimHN,CmC7lHI,oCACE,+BnC+lHN,CmC3lHI,qCAKE,6BAAA,CADA,UAAA,CAHA,oBAAA,CAEA,YAAA,CAGA,2CAAA,CAAA,mCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAPA,WnComHN,CmCvlHQ,mDACE,oBnCylHV,CoCvsHE,kCAEE,iBpC6sHJ,CoC/sHE,kCAEE,kBpC6sHJ,CoC/sHE,wBAGE,yCAAA,CAFA,oBAAA,CAGA,SAAA,CACA,mCpC0sHJ,CoCrsHI,aAVF,wBAWI,YpCwsHJ,CACF,CoCpsHE,6FAEE,SAAA,CACA,mCpCssHJ,CoChsHE,4FAEE,+BpCksHJ,CoC9rHE,oBACE,yBAAA,CACA,uBAAA,CAGA,yEpC8rHJ,CK/jHI,sC+BrHE,qDACE,uBpCurHN,CACF,CoClrHE,kEACE,yBpCorHJ,CoChrHE,sBACE,0BpCkrHJ,CqC7uHE,2BACE,arCgvHJ,CK3jHI,0CgCtLF,2BAKI,erCgvHJ,CqC7uHI,6BACE,iBrC+uHN,CACF,CqC3uHI,6BAEE,0BAAA,CAAA,2BAAA,CADA,eAAA,CAEA,iBrC6uHN,CqC1uHM,2CACE,kBrC4uHR,CqCtuHI,6CACE,QrCwuHN,CsCpwHE,uBACE,4CtCwwHJ,CsCnwHE,8CAJE,kCAAA,CAAA,0BtC2wHJ,CsCvwHE,uBACE,4CtCswHJ,CsCjwHE,4BAEE,kCAAA,CAAA,0BAAA,CADA,qCtCowHJ,CsChwHI,mCACE,atCkwHN,CsC9vHI,kCACE,atCgwHN,CsC3vHE,0BAKE,eAAA,CAJA,aAAA,CAEA,YAAA,CACA,aAAA,CAFA,kBAAA,CAAA,mBtCgwHJ,CsC1vHI,uCACE,etC4vHN,CsCxvHI,sCACE,kBtC0vHN,CuCvyHA,MACE,8LvC0yHF,CuCjyHE,oBAGE,iBAAA,CAEA,gBAAA,CADA,avCmyHJ,CuC/xHI,wCACE,uBvCiyHN,CuC7xHI,gCAEE,eAAA,CADA,gBvCgyHN,CuCzxHM,wCACE,mBvC2xHR,CuCrxHE,8BAKE,oBvCyxHJ,CuC9xHE,8BAKE,mBvCyxHJ,CuC9xHE,8BAUE,4BvCoxHJ,CuC9xHE,4DAWE,6BvCmxHJ,CuC9xHE,8BAWE,4BvCmxHJ,CuC9xHE,oBASE,cAAA,CANA,aAAA,CACA,eAAA,CAIA,evCsxHJ,CuChxHI,kCACE,uCAAA,CACA,oBvCkxHN,CuC9wHI,wCAEE,uCAAA,CADA,YvCixHN,CuC5wHI,oCASE,WvCkxHN,CuC3xHI,oCASE,UvCkxHN,CuC3xHI,0BAME,6BAAA,CADA,UAAA,CADA,WAAA,CAMA,yCAAA,CAAA,iCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAZA,iBAAA,CACA,UAAA,CAMA,sBAAA,CADA,yBAAA,CAJA,UvCwxHN,CuC3wHM,oCACE,wBvC6wHR,CuCxwHI,4BACE,YvC0wHN,CuCrwHI,4CACE,YvCuwHN,CwCj2HE,+DACE,sBAAA,CAEA,mBAAA,CACA,0BAAA,CACA,uBxCm2HJ,CwCh2HI,2EAGE,iBAAA,CADA,eAAA,CADA,yBxCo2HN,CwC71HE,mEACE,0BxC+1HJ,CwC31HE,oBACE,qBxC61HJ,CwCz1HE,gBACE,oBxC21HJ,CwCv1HE,gBACE,qBxCy1HJ,CwCr1HE,iBACE,kBxCu1HJ,CwCn1HE,kBACE,kBxCq1HJ,CyC93HE,6BACE,sCzCi4HJ,CyC93HE,cACE,yCzCg4HJ,CyCp3HE,sIACE,oCzCs3HJ,CyC92HE,2EACE,qCzCg3HJ,CyCt2HE,wGACE,oCzCw2HJ,CyC/1HE,yFACE,qCzCi2HJ,CyC51HE,6BACE,kCzC81HJ,CyCx1HE,6CACE,sCzC01HJ,CyCn1HE,4DACE,sCzCq1HJ,CyC90HE,4DACE,qCzCg1HJ,CyCv0HE,yFACE,qCzCy0HJ,CyCj0HE,2EACE,sCzCm0HJ,CyCxzHE,wHACE,qCzC0zHJ,CyCrzHE,8BAGE,mBAAA,CADA,gBAAA,CADA,gBzCyzHJ,CyCpzHE,eACE,4CzCszHJ,CyCnzHE,eACE,4CzCqzHJ,CyCjzHE,gBAIE,+CAAA,CACA,kDAAA,CAJA,aAAA,CAEA,wBAAA,CADA,wBzCszHJ,CyC/yHE,yBAOE,wCAAA,CACA,+DAAA,CACA,4BAAA,CACA,6BAAA,CARA,iBAAA,CAGA,eAAA,CACA,eAAA,CAFA,cAAA,CADA,oCAAA,CAFA,iBzC0zHJ,CyC9yHI,6BACE,YzCgzHN,CyC7yHM,kCACE,wBAAA,CACA,yBzC+yHR,CyCzyHE,iCAaE,wCAAA,CACA,+DAAA,CAJA,uCAAA,CACA,0BAAA,CALA,UAAA,CAJA,oBAAA,CAOA,2BAAA,CADA,2BAAA,CADA,2BAAA,CANA,eAAA,CAWA,wBAAA,CAAA,gBAAA,CAPA,SzCkzHJ,CyChyHE,sBACE,iBAAA,CACA,iBzCkyHJ,CyC7xHE,iCAKE,ezC2xHJ,CyCxxHI,sCACE,gBzC0xHN,CyCtxHI,gDACE,YzCwxHN,CyC9wHA,gBACE,iBzCixHF,CyC7wHE,yCACE,aAAA,CACA,SzC+wHJ,CyC1wHE,mBACE,YzC4wHJ,CyCvwHE,oBACE,QzCywHJ,CyCrwHE,4BACE,WAAA,CACA,SAAA,CACA,ezCuwHJ,CyCpwHI,0CACE,YzCswHN,CyChwHE,yBAKE,wCAAA,CAEA,+BAAA,CADA,4BAAA,CAHA,eAAA,CADA,oDAAA,CAEA,wBAAA,CAAA,gBzCqwHJ,CyC9vHE,2BAEE,+DAAA,CADA,2BzCiwHJ,CyC7vHI,+BACE,uCAAA,CACA,gBzC+vHN,CyC1vHE,sBACE,MAAA,CACA,WzC4vHJ,CyCvvHA,aACE,azC0vHF,CyChvHE,4BAEE,aAAA,CADA,YzCovHJ,CyChvHI,wDAEE,2BAAA,CADA,wBzCmvHN,CyC7uHE,+BAKE,2CAAA,CAEA,+BAAA,CADA,gCAAA,CADA,sBAAA,CAHA,mBAAA,CACA,gBAAA,CAFA,azCqvHJ,CyC5uHI,qCAEE,UAAA,CACA,UAAA,CAFA,azCgvHN,CKv3HI,0CoCsJF,8BACE,iBzCquHF,CyC3tHE,wSAGE,ezCiuHJ,CyC7tHE,sCAEE,mBAAA,CACA,eAAA,CADA,oBAAA,CADA,kBAAA,CAAA,mBzCiuHJ,CACF,C0C9jII,yDAIE,+BAAA,CACA,8BAAA,CAFA,aAAA,CADA,QAAA,CADA,iB1CokIN,C0C5jII,uBAEE,uCAAA,CADA,c1C+jIN,C0C1gIM,iHAEE,WAlDkB,CAiDlB,kB1CqhIR,C0CthIM,6HAEE,WAlDkB,CAiDlB,kB1CiiIR,C0CliIM,6HAEE,WAlDkB,CAiDlB,kB1C6iIR,C0C9iIM,oHAEE,WAlDkB,CAiDlB,kB1CyjIR,C0C1jIM,0HAEE,WAlDkB,CAiDlB,kB1CqkIR,C0CtkIM,uHAEE,WAlDkB,CAiDlB,kB1CilIR,C0CllIM,uHAEE,WAlDkB,CAiDlB,kB1C6lIR,C0C9lIM,6HAEE,WAlDkB,CAiDlB,kB1CymIR,C0C1mIM,yCAEE,WAlDkB,CAiDlB,kB1C6mIR,C0C9mIM,yCAEE,WAlDkB,CAiDlB,kB1CinIR,C0ClnIM,0CAEE,WAlDkB,CAiDlB,kB1CqnIR,C0CtnIM,uCAEE,WAlDkB,CAiDlB,kB1CynIR,C0C1nIM,wCAEE,WAlDkB,CAiDlB,kB1C6nIR,C0C9nIM,sCAEE,WAlDkB,CAiDlB,kB1CioIR,C0CloIM,wCAEE,WAlDkB,CAiDlB,kB1CqoIR,C0CtoIM,oCAEE,WAlDkB,CAiDlB,kB1CyoIR,C0C1oIM,2CAEE,WAlDkB,CAiDlB,kB1C6oIR,C0C9oIM,qCAEE,WAlDkB,CAiDlB,kB1CipIR,C0ClpIM,oCAEE,WAlDkB,CAiDlB,kB1CqpIR,C0CtpIM,kCAEE,WAlDkB,CAiDlB,kB1CypIR,C0C1pIM,qCAEE,WAlDkB,CAiDlB,kB1C6pIR,C0C9pIM,mCAEE,WAlDkB,CAiDlB,kB1CiqIR,C0ClqIM,qCAEE,WAlDkB,CAiDlB,kB1CqqIR,C0CtqIM,wCAEE,WAlDkB,CAiDlB,kB1CyqIR,C0C1qIM,sCAEE,WAlDkB,CAiDlB,kB1C6qIR,C0C9qIM,2CAEE,WAlDkB,CAiDlB,kB1CirIR,C0CtqIM,iCAEE,WAPkB,CAMlB,iB1CyqIR,C0C1qIM,uCAEE,WAPkB,CAMlB,iB1C6qIR,C0C9qIM,mCAEE,WAPkB,CAMlB,iB1CirIR,C2CnwIA,MACE,qMAAA,CACA,mM3CswIF,C2C7vIE,wBAKE,mBAAA,CAHA,YAAA,CACA,qBAAA,CACA,YAAA,CAHA,iB3CowIJ,C2C1vII,8BAGE,QAAA,CACA,SAAA,CAHA,iBAAA,CACA,O3C8vIN,C2CzvIM,qCACE,0B3C2vIR,C2C9tIM,kEACE,0C3CguIR,C2C1tIE,2BAKE,uBAAA,CADA,+DAAA,CAHA,YAAA,CACA,cAAA,CACA,aAAA,CAGA,oB3C4tIJ,C2CztII,aATF,2BAUI,gB3C4tIJ,CACF,C2CztII,cAGE,+BACE,iB3CytIN,C2CttIM,sCAQE,qCAAA,CANA,QAAA,CAKA,UAAA,CAHA,aAAA,CAEA,UAAA,CAHA,MAAA,CAFA,iBAAA,CAaA,2CAAA,CALA,2DACE,CAGF,kDAAA,CARA,+B3C8tIR,CACF,C2ChtII,8CACE,Y3CktIN,C2C9sII,iCASE,+BAAA,CACA,6BAAA,CAJA,uCAAA,CAEA,cAAA,CAPA,aAAA,CAGA,gBAAA,CACA,eAAA,CAFA,8BAAA,CAWA,+BAAA,CAHA,2CACE,CALF,kBAAA,CALA,U3C0tIN,C2C3sIM,aAII,6CACE,O3C0sIV,C2C3sIQ,8CACE,O3C6sIV,C2C9sIQ,8CACE,O3CgtIV,C2CjtIQ,8CACE,O3CmtIV,C2CptIQ,8CACE,O3CstIV,C2CvtIQ,8CACE,O3CytIV,C2C1tIQ,8CACE,O3C4tIV,C2C7tIQ,8CACE,O3C+tIV,C2ChuIQ,8CACE,O3CkuIV,C2CnuIQ,+CACE,Q3CquIV,C2CtuIQ,+CACE,Q3CwuIV,C2CzuIQ,+CACE,Q3C2uIV,C2C5uIQ,+CACE,Q3C8uIV,C2C/uIQ,+CACE,Q3CivIV,C2ClvIQ,+CACE,Q3CovIV,C2CrvIQ,+CACE,Q3CuvIV,C2CxvIQ,+CACE,Q3C0vIV,C2C3vIQ,+CACE,Q3C6vIV,C2C9vIQ,+CACE,Q3CgwIV,C2CjwIQ,+CACE,Q3CmwIV,CACF,C2C9vIM,uCACE,gC3CgwIR,C2C5vIM,oDACE,a3C8vIR,C2CzvII,yCACE,S3C2vIN,C2CvvIM,2CACE,aAAA,CACA,8B3CyvIR,C2CnvIE,4BACE,U3CqvIJ,C2ClvII,aAJF,4BAKI,gB3CqvIJ,CACF,C2CjvIE,0BACE,Y3CmvIJ,C2ChvII,aAJF,0BAKI,a3CmvIJ,C2C/uIM,sCACE,O3CivIR,C2ClvIM,uCACE,O3CovIR,C2CrvIM,uCACE,O3CuvIR,C2CxvIM,uCACE,O3C0vIR,C2C3vIM,uCACE,O3C6vIR,C2C9vIM,uCACE,O3CgwIR,C2CjwIM,uCACE,O3CmwIR,C2CpwIM,uCACE,O3CswIR,C2CvwIM,uCACE,O3CywIR,C2C1wIM,wCACE,Q3C4wIR,C2C7wIM,wCACE,Q3C+wIR,C2ChxIM,wCACE,Q3CkxIR,C2CnxIM,wCACE,Q3CqxIR,C2CtxIM,wCACE,Q3CwxIR,C2CzxIM,wCACE,Q3C2xIR,C2C5xIM,wCACE,Q3C8xIR,C2C/xIM,wCACE,Q3CiyIR,C2ClyIM,wCACE,Q3CoyIR,C2CryIM,wCACE,Q3CuyIR,C2CxyIM,wCACE,Q3C0yIR,CACF,C2CpyII,+FAEE,Q3CsyIN,C2CnyIM,yGACE,wBAAA,CACA,yB3CsyIR,C2C7xIM,2DAEE,wBAAA,CACA,yBAAA,CAFA,Q3CiyIR,C2C1xIM,iEACE,Q3C4xIR,C2CzxIQ,qLAGE,wBAAA,CACA,yBAAA,CAFA,Q3C6xIV,C2CvxIQ,6FACE,wBAAA,CACA,yB3CyxIV,C2CpxIM,yDACE,kB3CsxIR,C2CjxII,sCACE,Q3CmxIN,C2C9wIE,2BAEE,iBAAA,CAOA,kBAAA,CAHA,uCAAA,CAEA,cAAA,CAPA,aAAA,CAGA,YAAA,CACA,gBAAA,CAEA,mBAAA,CAGA,gCAAA,CAPA,W3CuxIJ,C2C7wII,iCAEE,uDAAA,CADA,+B3CgxIN,C2C3wII,iCAKE,6BAAA,CADA,UAAA,CAHA,aAAA,CAEA,WAAA,CAMA,8CAAA,CAAA,sCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CANA,+CACE,CALF,U3CqxIN,C2CtwIE,4BAOE,yEACE,CANF,YAAA,CAGA,aAAA,CAFA,qBAAA,CAGA,mBAAA,CALA,iBAAA,CAYA,wBAAA,CATA,Y3C4wIJ,C2ChwII,sCACE,wB3CkwIN,C2C9vII,oCACE,S3CgwIN,C2C5vII,kCAGE,wEACE,CAFF,mBAAA,CADA,O3CgwIN,C2CtvIM,uDACE,8CAAA,CAAA,sC3CwvIR,CK/3II,0CsCqJF,wDAEE,kB3CgvIF,C2ClvIA,wDAEE,mB3CgvIF,C2ClvIA,8CAGE,eAAA,CAFA,eAAA,CAGA,iC3C8uIF,C2C1uIE,8DACE,mB3C6uIJ,C2C9uIE,8DACE,kB3C6uIJ,C2C9uIE,oDAEE,U3C4uIJ,C2CxuIE,8EAEE,kB3C2uIJ,C2C7uIE,8EAEE,mB3C2uIJ,C2C7uIE,8EAGE,kB3C0uIJ,C2C7uIE,8EAGE,mB3C0uIJ,C2C7uIE,oEACE,U3C4uIJ,C2CtuIE,8EAEE,mB3CyuIJ,C2C3uIE,8EAEE,kB3CyuIJ,C2C3uIE,8EAGE,mB3CwuIJ,C2C3uIE,8EAGE,kB3CwuIJ,C2C3uIE,oEACE,U3C0uIJ,CACF,C2C5tIE,cAHF,olDAII,gC3C+tIF,C2C5tIE,g8GACE,uC3C8tIJ,CACF,C2CztIA,4sDACE,+B3C4tIF,C2CxtIA,wmDACE,a3C2tIF,C4C/lJA,MACE,8WAAA,CACA,uX5CkmJF,C4CzlJE,4BAEE,oBAAA,CADA,iB5C6lJJ,C4CxlJI,sDAGE,S5C0lJN,C4C7lJI,sDAGE,U5C0lJN,C4C7lJI,4CACE,iBAAA,CACA,S5C2lJN,C4CrlJE,+CAEE,SAAA,CADA,U5CwlJJ,C4CnlJE,kDAOE,W5CylJJ,C4ChmJE,kDAOE,Y5CylJJ,C4ChmJE,wCAME,qDAAA,CADA,UAAA,CADA,aAAA,CAIA,0CAAA,CAAA,kCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAVA,iBAAA,CACA,SAAA,CACA,Y5C6lJJ,C4CjlJE,gEACE,wB1B2Wa,C0B1Wb,mDAAA,CAAA,2C5CmlJJ,C6CnoJA,QACE,8DAAA,CAGA,+CAAA,CACA,iEAAA,CACA,oDAAA,CACA,sDAAA,CACA,mDAAA,CAGA,qEAAA,CACA,qEAAA,CACA,wEAAA,CACA,0EAAA,CACA,wEAAA,CACA,yEAAA,CACA,kEAAA,CACA,+DAAA,CACA,oEAAA,CACA,oEAAA,CACA,mEAAA,CACA,gEAAA,CACA,uEAAA,CACA,mEAAA,CACA,qEAAA,CACA,oEAAA,CACA,gEAAA,CACA,wEAAA,CACA,qEAAA,CACA,+D7CkoJF,C6C5nJA,SAEE,kBAAA,CADA,Y7CgoJF,C8ClqJE,kBAUE,cAAA,CATA,YAAA,CACA,kEACE,CAQF,Y9C8pJJ,C8C1pJI,sDACE,gB9C4pJN,C8CtpJI,oFAKE,wDAAA,CACA,mBAAA,CAJA,aAAA,CAEA,QAAA,CADA,aAAA,CAIA,sC9CwpJN,C8CnpJM,iOACE,kBAAA,CACA,8B9CspJR,C8ClpJM,6FACE,iBAAA,CAAA,c9CqpJR,C8CjpJM,2HACE,Y9CopJR,C8ChpJM,wHACE,e9CmpJR,C8CpoJI,yMAGE,eAAA,CAAA,Y9C4oJN,C8C9nJI,ybAOE,W9CooJN,C8ChoJI,8BACE,eAAA,CAAA,Y9CkoJN,CK9jJI,mC0ChKA,8BACE,U/CsuJJ,C+CvuJE,8BACE,W/CsuJJ,C+CvuJE,8BAGE,kB/CouJJ,C+CvuJE,8BAGE,iB/CouJJ,C+CvuJE,oBAKE,mBAAA,CADA,YAAA,CAFA,a/CquJJ,C+C/tJI,kCACE,W/CkuJN,C+CnuJI,kCACE,U/CkuJN,C+CnuJI,kCAEE,iBAAA,CAAA,c/CiuJN,C+CnuJI,kCAEE,aAAA,CAAA,kB/CiuJN,CACF","file":"main.css"} \ No newline at end of file diff --git a/assets/stylesheets/main.76a95c52.min.css b/assets/stylesheets/main.76a95c52.min.css deleted file mode 100644 index 120bca6f33..0000000000 --- a/assets/stylesheets/main.76a95c52.min.css +++ /dev/null @@ -1 +0,0 @@ -@charset "UTF-8";html{-webkit-text-size-adjust:none;-moz-text-size-adjust:none;text-size-adjust:none;box-sizing:border-box}*,:after,:before{box-sizing:inherit}@media (prefers-reduced-motion){*,:after,:before{transition:none!important}}body{margin:0}a,button,input,label{-webkit-tap-highlight-color:transparent}a{color:inherit;text-decoration:none}hr{border:0;box-sizing:initial;display:block;height:.05rem;overflow:visible;padding:0}small{font-size:80%}sub,sup{line-height:1em}img{border-style:none}table{border-collapse:initial;border-spacing:0}td,th{font-weight:400;vertical-align:top}button{background:#0000;border:0;font-family:inherit;font-size:inherit;margin:0;padding:0}input{border:0;outline:none}:root{--md-primary-fg-color:#4051b5;--md-primary-fg-color--light:#5d6cc0;--md-primary-fg-color--dark:#303fa1;--md-primary-bg-color:#fff;--md-primary-bg-color--light:#ffffffb3;--md-accent-fg-color:#526cfe;--md-accent-fg-color--transparent:#526cfe1a;--md-accent-bg-color:#fff;--md-accent-bg-color--light:#ffffffb3}[data-md-color-scheme=default]{color-scheme:light}[data-md-color-scheme=default] img[src$="#gh-dark-mode-only"],[data-md-color-scheme=default] img[src$="#only-dark"]{display:none}:root,[data-md-color-scheme=default]{--md-hue:225deg;--md-default-fg-color:#000000de;--md-default-fg-color--light:#0000008a;--md-default-fg-color--lighter:#00000052;--md-default-fg-color--lightest:#00000012;--md-default-bg-color:#fff;--md-default-bg-color--light:#ffffffb3;--md-default-bg-color--lighter:#ffffff4d;--md-default-bg-color--lightest:#ffffff1f;--md-code-fg-color:#36464e;--md-code-bg-color:#f5f5f5;--md-code-hl-color:#4287ff;--md-code-hl-color--light:#4287ff1a;--md-code-hl-number-color:#d52a2a;--md-code-hl-special-color:#db1457;--md-code-hl-function-color:#a846b9;--md-code-hl-constant-color:#6e59d9;--md-code-hl-keyword-color:#3f6ec6;--md-code-hl-string-color:#1c7d4d;--md-code-hl-name-color:var(--md-code-fg-color);--md-code-hl-operator-color:var(--md-default-fg-color--light);--md-code-hl-punctuation-color:var(--md-default-fg-color--light);--md-code-hl-comment-color:var(--md-default-fg-color--light);--md-code-hl-generic-color:var(--md-default-fg-color--light);--md-code-hl-variable-color:var(--md-default-fg-color--light);--md-typeset-color:var(--md-default-fg-color);--md-typeset-a-color:var(--md-primary-fg-color);--md-typeset-del-color:#f5503d26;--md-typeset-ins-color:#0bd57026;--md-typeset-kbd-color:#fafafa;--md-typeset-kbd-accent-color:#fff;--md-typeset-kbd-border-color:#b8b8b8;--md-typeset-mark-color:#ffff0080;--md-typeset-table-color:#0000001f;--md-typeset-table-color--light:rgba(0,0,0,.035);--md-admonition-fg-color:var(--md-default-fg-color);--md-admonition-bg-color:var(--md-default-bg-color);--md-warning-fg-color:#000000de;--md-warning-bg-color:#ff9;--md-footer-fg-color:#fff;--md-footer-fg-color--light:#ffffffb3;--md-footer-fg-color--lighter:#ffffff73;--md-footer-bg-color:#000000de;--md-footer-bg-color--dark:#00000052;--md-shadow-z1:0 0.2rem 0.5rem #0000000d,0 0 0.05rem #0000001a;--md-shadow-z2:0 0.2rem 0.5rem #0000001a,0 0 0.05rem #00000040;--md-shadow-z3:0 0.2rem 0.5rem #0003,0 0 0.05rem #00000059}.md-icon svg{fill:currentcolor;display:block;height:1.2rem;width:1.2rem}body{-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;--md-text-font-family:var(--md-text-font,_),-apple-system,BlinkMacSystemFont,Helvetica,Arial,sans-serif;--md-code-font-family:var(--md-code-font,_),SFMono-Regular,Consolas,Menlo,monospace}aside,body,input{font-feature-settings:"kern","liga";color:var(--md-typeset-color);font-family:var(--md-text-font-family)}code,kbd,pre{font-feature-settings:"kern";font-family:var(--md-code-font-family)}:root{--md-typeset-table-sort-icon:url('data:image/svg+xml;charset=utf-8,');--md-typeset-table-sort-icon--asc:url('data:image/svg+xml;charset=utf-8,');--md-typeset-table-sort-icon--desc:url('data:image/svg+xml;charset=utf-8,')}.md-typeset{-webkit-print-color-adjust:exact;color-adjust:exact;font-size:.8rem;line-height:1.6}@media print{.md-typeset{font-size:.68rem}}.md-typeset blockquote,.md-typeset dl,.md-typeset figure,.md-typeset ol,.md-typeset pre,.md-typeset ul{margin-bottom:1em;margin-top:1em}.md-typeset h1{color:var(--md-default-fg-color--light);font-size:2em;line-height:1.3;margin:0 0 1.25em}.md-typeset h1,.md-typeset h2{font-weight:300;letter-spacing:-.01em}.md-typeset h2{font-size:1.5625em;line-height:1.4;margin:1.6em 0 .64em}.md-typeset h3{font-size:1.25em;font-weight:400;letter-spacing:-.01em;line-height:1.5;margin:1.6em 0 .8em}.md-typeset h2+h3{margin-top:.8em}.md-typeset h4{font-weight:700;letter-spacing:-.01em;margin:1em 0}.md-typeset h5,.md-typeset h6{color:var(--md-default-fg-color--light);font-size:.8em;font-weight:700;letter-spacing:-.01em;margin:1.25em 0}.md-typeset h5{text-transform:uppercase}.md-typeset hr{border-bottom:.05rem solid var(--md-default-fg-color--lightest);display:flow-root;margin:1.5em 0}.md-typeset a{color:var(--md-typeset-a-color);word-break:break-word}.md-typeset a,.md-typeset a:before{transition:color 125ms}.md-typeset a:focus,.md-typeset a:hover{color:var(--md-accent-fg-color)}.md-typeset a:focus code,.md-typeset a:hover code{background-color:var(--md-accent-fg-color--transparent)}.md-typeset a code{color:currentcolor;transition:background-color 125ms}.md-typeset a.focus-visible{outline-color:var(--md-accent-fg-color);outline-offset:.2rem}.md-typeset code,.md-typeset kbd,.md-typeset pre{color:var(--md-code-fg-color);direction:ltr;font-variant-ligatures:none}@media print{.md-typeset code,.md-typeset kbd,.md-typeset pre{white-space:pre-wrap}}.md-typeset code{background-color:var(--md-code-bg-color);border-radius:.1rem;-webkit-box-decoration-break:clone;box-decoration-break:clone;font-size:.85em;padding:0 .2941176471em;word-break:break-word}.md-typeset code:not(.focus-visible){-webkit-tap-highlight-color:transparent;outline:none}.md-typeset pre{display:flow-root;line-height:1.4;position:relative}.md-typeset pre>code{-webkit-box-decoration-break:slice;box-decoration-break:slice;box-shadow:none;display:block;margin:0;outline-color:var(--md-accent-fg-color);overflow:auto;padding:.7720588235em 1.1764705882em;scrollbar-color:var(--md-default-fg-color--lighter) #0000;scrollbar-width:thin;touch-action:auto;word-break:normal}.md-typeset pre>code:hover{scrollbar-color:var(--md-accent-fg-color) #0000}.md-typeset pre>code::-webkit-scrollbar{height:.2rem;width:.2rem}.md-typeset pre>code::-webkit-scrollbar-thumb{background-color:var(--md-default-fg-color--lighter)}.md-typeset pre>code::-webkit-scrollbar-thumb:hover{background-color:var(--md-accent-fg-color)}.md-typeset kbd{background-color:var(--md-typeset-kbd-color);border-radius:.1rem;box-shadow:0 .1rem 0 .05rem var(--md-typeset-kbd-border-color),0 .1rem 0 var(--md-typeset-kbd-border-color),0 -.1rem .2rem var(--md-typeset-kbd-accent-color) inset;color:var(--md-default-fg-color);display:inline-block;font-size:.75em;padding:0 .6666666667em;vertical-align:text-top;word-break:break-word}.md-typeset mark{background-color:var(--md-typeset-mark-color);-webkit-box-decoration-break:clone;box-decoration-break:clone;color:inherit;word-break:break-word}.md-typeset abbr{border-bottom:.05rem dotted var(--md-default-fg-color--light);cursor:help;text-decoration:none}.md-typeset small{opacity:.75}[dir=ltr] .md-typeset sub,[dir=ltr] .md-typeset sup{margin-left:.078125em}[dir=rtl] .md-typeset sub,[dir=rtl] .md-typeset sup{margin-right:.078125em}[dir=ltr] .md-typeset blockquote{padding-left:.6rem}[dir=rtl] .md-typeset blockquote{padding-right:.6rem}[dir=ltr] .md-typeset blockquote{border-left:.2rem solid var(--md-default-fg-color--lighter)}[dir=rtl] .md-typeset blockquote{border-right:.2rem solid var(--md-default-fg-color--lighter)}.md-typeset blockquote{color:var(--md-default-fg-color--light);margin-left:0;margin-right:0}.md-typeset ul{list-style-type:disc}[dir=ltr] .md-typeset ol,[dir=ltr] .md-typeset ul{margin-left:.625em}[dir=rtl] .md-typeset ol,[dir=rtl] .md-typeset ul{margin-right:.625em}.md-typeset ol,.md-typeset ul{padding:0}.md-typeset ol:not([hidden]),.md-typeset ul:not([hidden]){display:flow-root}.md-typeset ol ol,.md-typeset ul ol{list-style-type:lower-alpha}.md-typeset ol ol ol,.md-typeset ul ol ol{list-style-type:lower-roman}[dir=ltr] .md-typeset ol li,[dir=ltr] .md-typeset ul li{margin-left:1.25em}[dir=rtl] .md-typeset ol li,[dir=rtl] .md-typeset ul li{margin-right:1.25em}.md-typeset ol li,.md-typeset ul li{margin-bottom:.5em}.md-typeset ol li blockquote,.md-typeset ol li p,.md-typeset ul li blockquote,.md-typeset ul li p{margin:.5em 0}.md-typeset ol li:last-child,.md-typeset ul li:last-child{margin-bottom:0}[dir=ltr] .md-typeset ol li ol,[dir=ltr] .md-typeset ol li ul,[dir=ltr] .md-typeset ul li ol,[dir=ltr] .md-typeset ul li ul{margin-left:.625em}[dir=rtl] .md-typeset ol li ol,[dir=rtl] .md-typeset ol li ul,[dir=rtl] .md-typeset ul li ol,[dir=rtl] .md-typeset ul li ul{margin-right:.625em}.md-typeset ol li ol,.md-typeset ol li ul,.md-typeset ul li ol,.md-typeset ul li ul{margin-bottom:.5em;margin-top:.5em}[dir=ltr] .md-typeset dd{margin-left:1.875em}[dir=rtl] .md-typeset dd{margin-right:1.875em}.md-typeset dd{margin-bottom:1.5em;margin-top:1em}.md-typeset img,.md-typeset svg,.md-typeset video{height:auto;max-width:100%}.md-typeset img[align=left]{margin:1em 1em 1em 0}.md-typeset img[align=right]{margin:1em 0 1em 1em}.md-typeset img[align]:only-child{margin-top:0}.md-typeset figure{display:flow-root;margin:1em auto;max-width:100%;text-align:center;width:-moz-fit-content;width:fit-content}.md-typeset figure img{display:block;margin:0 auto}.md-typeset figcaption{font-style:italic;margin:1em auto;max-width:24rem}.md-typeset iframe{max-width:100%}.md-typeset table:not([class]){background-color:var(--md-default-bg-color);border:.05rem solid var(--md-typeset-table-color);border-radius:.1rem;display:inline-block;font-size:.64rem;max-width:100%;overflow:auto;touch-action:auto}@media print{.md-typeset table:not([class]){display:table}}.md-typeset table:not([class])+*{margin-top:1.5em}.md-typeset table:not([class]) td>:first-child,.md-typeset table:not([class]) th>:first-child{margin-top:0}.md-typeset table:not([class]) td>:last-child,.md-typeset table:not([class]) th>:last-child{margin-bottom:0}.md-typeset table:not([class]) td:not([align]),.md-typeset table:not([class]) th:not([align]){text-align:left}[dir=rtl] .md-typeset table:not([class]) td:not([align]),[dir=rtl] .md-typeset table:not([class]) th:not([align]){text-align:right}.md-typeset table:not([class]) th{font-weight:700;min-width:5rem;padding:.9375em 1.25em;vertical-align:top}.md-typeset table:not([class]) td{border-top:.05rem solid var(--md-typeset-table-color);padding:.9375em 1.25em;vertical-align:top}.md-typeset table:not([class]) tbody tr{transition:background-color 125ms}.md-typeset table:not([class]) tbody tr:hover{background-color:var(--md-typeset-table-color--light);box-shadow:0 .05rem 0 var(--md-default-bg-color) inset}.md-typeset table:not([class]) a{word-break:normal}.md-typeset table th[role=columnheader]{cursor:pointer}[dir=ltr] .md-typeset table th[role=columnheader]:after{margin-left:.5em}[dir=rtl] .md-typeset table th[role=columnheader]:after{margin-right:.5em}.md-typeset table th[role=columnheader]:after{content:"";display:inline-block;height:1.2em;-webkit-mask-image:var(--md-typeset-table-sort-icon);mask-image:var(--md-typeset-table-sort-icon);-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;transition:background-color 125ms;vertical-align:text-bottom;width:1.2em}.md-typeset table th[role=columnheader]:hover:after{background-color:var(--md-default-fg-color--lighter)}.md-typeset table th[role=columnheader][aria-sort=ascending]:after{background-color:var(--md-default-fg-color--light);-webkit-mask-image:var(--md-typeset-table-sort-icon--asc);mask-image:var(--md-typeset-table-sort-icon--asc)}.md-typeset table th[role=columnheader][aria-sort=descending]:after{background-color:var(--md-default-fg-color--light);-webkit-mask-image:var(--md-typeset-table-sort-icon--desc);mask-image:var(--md-typeset-table-sort-icon--desc)}.md-typeset__scrollwrap{margin:1em -.8rem;overflow-x:auto;touch-action:auto}.md-typeset__table{display:inline-block;margin-bottom:.5em;padding:0 .8rem}@media print{.md-typeset__table{display:block}}html .md-typeset__table table{display:table;margin:0;overflow:hidden;width:100%}@media screen and (max-width:44.984375em){.md-content__inner>pre{margin:1em -.8rem}.md-content__inner>pre code{border-radius:0}}.md-typeset .md-author{border-radius:100%;display:block;flex-shrink:0;height:1.6rem;overflow:hidden;position:relative;transition:color 125ms,transform 125ms;width:1.6rem}.md-typeset .md-author img{display:block}.md-typeset .md-author--more{background:var(--md-default-fg-color--lightest);color:var(--md-default-fg-color--lighter);font-size:.6rem;font-weight:700;line-height:1.6rem;text-align:center}.md-typeset .md-author--long{height:2.4rem;width:2.4rem}.md-typeset a.md-author{transform:scale(1)}.md-typeset a.md-author img{border-radius:100%;filter:grayscale(100%) opacity(75%);transition:filter 125ms}.md-typeset a.md-author:focus,.md-typeset a.md-author:hover{transform:scale(1.1);z-index:1}.md-typeset a.md-author:focus img,.md-typeset a.md-author:hover img{filter:grayscale(0)}.md-banner{background-color:var(--md-footer-bg-color);color:var(--md-footer-fg-color);overflow:auto}@media print{.md-banner{display:none}}.md-banner--warning{background-color:var(--md-warning-bg-color);color:var(--md-warning-fg-color)}.md-banner__inner{font-size:.7rem;margin:.6rem auto;padding:0 .8rem}[dir=ltr] .md-banner__button{float:right}[dir=rtl] .md-banner__button{float:left}.md-banner__button{color:inherit;cursor:pointer;transition:opacity .25s}.no-js .md-banner__button{display:none}.md-banner__button:hover{opacity:.7}html{font-size:125%;height:100%;overflow-x:hidden}@media screen and (min-width:100em){html{font-size:137.5%}}@media screen and (min-width:125em){html{font-size:150%}}body{background-color:var(--md-default-bg-color);display:flex;flex-direction:column;font-size:.5rem;min-height:100%;position:relative;width:100%}@media print{body{display:block}}@media screen and (max-width:59.984375em){body[data-md-scrolllock]{position:fixed}}.md-grid{margin-left:auto;margin-right:auto;max-width:61rem}.md-container{display:flex;flex-direction:column;flex-grow:1}@media print{.md-container{display:block}}.md-main{flex-grow:1}.md-main__inner{display:flex;height:100%;margin-top:1.5rem}.md-ellipsis{overflow:hidden;text-overflow:ellipsis}.md-toggle{display:none}.md-option{height:0;opacity:0;position:absolute;width:0}.md-option:checked+label:not([hidden]){display:block}.md-option.focus-visible+label{outline-color:var(--md-accent-fg-color);outline-style:auto}.md-skip{background-color:var(--md-default-fg-color);border-radius:.1rem;color:var(--md-default-bg-color);font-size:.64rem;margin:.5rem;opacity:0;outline-color:var(--md-accent-fg-color);padding:.3rem .5rem;position:fixed;transform:translateY(.4rem);z-index:-1}.md-skip:focus{opacity:1;transform:translateY(0);transition:transform .25s cubic-bezier(.4,0,.2,1),opacity 175ms 75ms;z-index:10}@page{margin:25mm}:root{--md-clipboard-icon:url('data:image/svg+xml;charset=utf-8,')}.md-clipboard{border-radius:.1rem;color:var(--md-default-fg-color--lightest);cursor:pointer;height:1.5em;outline-color:var(--md-accent-fg-color);outline-offset:.1rem;position:absolute;right:.5em;top:.5em;transition:color .25s;width:1.5em;z-index:1}@media print{.md-clipboard{display:none}}.md-clipboard:not(.focus-visible){-webkit-tap-highlight-color:transparent;outline:none}:hover>.md-clipboard{color:var(--md-default-fg-color--light)}.md-clipboard:focus,.md-clipboard:hover{color:var(--md-accent-fg-color)}.md-clipboard:after{background-color:currentcolor;content:"";display:block;height:1.125em;margin:0 auto;-webkit-mask-image:var(--md-clipboard-icon);mask-image:var(--md-clipboard-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;width:1.125em}.md-clipboard--inline{cursor:pointer}.md-clipboard--inline code{transition:color .25s,background-color .25s}.md-clipboard--inline:focus code,.md-clipboard--inline:hover code{background-color:var(--md-accent-fg-color--transparent);color:var(--md-accent-fg-color)}.md-typeset .md-code__content{display:grid}@keyframes consent{0%{opacity:0;transform:translateY(100%)}to{opacity:1;transform:translateY(0)}}@keyframes overlay{0%{opacity:0}to{opacity:1}}.md-consent__overlay{animation:overlay .25s both;-webkit-backdrop-filter:blur(.1rem);backdrop-filter:blur(.1rem);background-color:#0000008a;height:100%;opacity:1;position:fixed;top:0;width:100%;z-index:5}.md-consent__inner{animation:consent .5s cubic-bezier(.1,.7,.1,1) both;background-color:var(--md-default-bg-color);border:0;border-radius:.1rem;bottom:0;box-shadow:0 0 .2rem #0000001a,0 .2rem .4rem #0003;max-height:100%;overflow:auto;padding:0;position:fixed;width:100%;z-index:5}.md-consent__form{padding:.8rem}.md-consent__settings{display:none;margin:1em 0}input:checked+.md-consent__settings{display:block}.md-consent__controls{margin-bottom:.8rem}.md-typeset .md-consent__controls .md-button{display:inline}@media screen and (max-width:44.984375em){.md-typeset .md-consent__controls .md-button{display:block;margin-top:.4rem;text-align:center;width:100%}}.md-consent label{cursor:pointer}.md-content{flex-grow:1;min-width:0}.md-content__inner{margin:0 .8rem 1.2rem;padding-top:.6rem}@media screen and (min-width:76.25em){[dir=ltr] .md-sidebar--primary:not([hidden])~.md-content>.md-content__inner{margin-left:1.2rem}[dir=ltr] .md-sidebar--secondary:not([hidden])~.md-content>.md-content__inner,[dir=rtl] .md-sidebar--primary:not([hidden])~.md-content>.md-content__inner{margin-right:1.2rem}[dir=rtl] .md-sidebar--secondary:not([hidden])~.md-content>.md-content__inner{margin-left:1.2rem}}.md-content__inner:before{content:"";display:block;height:.4rem}.md-content__inner>:last-child{margin-bottom:0}[dir=ltr] .md-content__button{float:right}[dir=rtl] .md-content__button{float:left}[dir=ltr] .md-content__button{margin-left:.4rem}[dir=rtl] .md-content__button{margin-right:.4rem}.md-content__button{margin:.4rem 0;padding:0}@media print{.md-content__button{display:none}}.md-typeset .md-content__button{color:var(--md-default-fg-color--lighter)}.md-content__button svg{display:inline;vertical-align:top}[dir=rtl] .md-content__button svg{transform:scaleX(-1)}[dir=ltr] .md-dialog{right:.8rem}[dir=rtl] .md-dialog{left:.8rem}.md-dialog{background-color:var(--md-default-fg-color);border-radius:.1rem;bottom:.8rem;box-shadow:var(--md-shadow-z3);min-width:11.1rem;opacity:0;padding:.4rem .6rem;pointer-events:none;position:fixed;transform:translateY(100%);transition:transform 0ms .4s,opacity .4s;z-index:4}@media print{.md-dialog{display:none}}.md-dialog--active{opacity:1;pointer-events:auto;transform:translateY(0);transition:transform .4s cubic-bezier(.075,.85,.175,1),opacity .4s}.md-dialog__inner{color:var(--md-default-bg-color);font-size:.7rem}.md-feedback{margin:2em 0 1em;text-align:center}.md-feedback fieldset{border:none;margin:0;padding:0}.md-feedback__title{font-weight:700;margin:1em auto}.md-feedback__inner{position:relative}.md-feedback__list{display:flex;flex-wrap:wrap;place-content:baseline center;position:relative}.md-feedback__list:hover .md-icon:not(:disabled){color:var(--md-default-fg-color--lighter)}:disabled .md-feedback__list{min-height:1.8rem}.md-feedback__icon{color:var(--md-default-fg-color--light);cursor:pointer;flex-shrink:0;margin:0 .1rem;transition:color 125ms}.md-feedback__icon:not(:disabled).md-icon:hover{color:var(--md-accent-fg-color)}.md-feedback__icon:disabled{color:var(--md-default-fg-color--lightest);pointer-events:none}.md-feedback__note{opacity:0;position:relative;transform:translateY(.4rem);transition:transform .4s cubic-bezier(.1,.7,.1,1),opacity .15s}.md-feedback__note>*{margin:0 auto;max-width:16rem}:disabled .md-feedback__note{opacity:1;transform:translateY(0)}.md-footer{background-color:var(--md-footer-bg-color);color:var(--md-footer-fg-color)}@media print{.md-footer{display:none}}.md-footer__inner{justify-content:space-between;overflow:auto;padding:.2rem}.md-footer__inner:not([hidden]){display:flex}.md-footer__link{align-items:end;display:flex;flex-grow:0.01;margin-bottom:.4rem;margin-top:1rem;max-width:100%;outline-color:var(--md-accent-fg-color);overflow:hidden;transition:opacity .25s}.md-footer__link:focus,.md-footer__link:hover{opacity:.7}[dir=rtl] .md-footer__link svg{transform:scaleX(-1)}@media screen and (max-width:44.984375em){.md-footer__link--prev{flex-shrink:0}.md-footer__link--prev .md-footer__title{display:none}}[dir=ltr] .md-footer__link--next{margin-left:auto}[dir=rtl] .md-footer__link--next{margin-right:auto}.md-footer__link--next{text-align:right}[dir=rtl] .md-footer__link--next{text-align:left}.md-footer__title{flex-grow:1;font-size:.9rem;margin-bottom:.7rem;max-width:calc(100% - 2.4rem);padding:0 1rem;white-space:nowrap}.md-footer__button{margin:.2rem;padding:.4rem}.md-footer__direction{font-size:.64rem;opacity:.7}.md-footer-meta{background-color:var(--md-footer-bg-color--dark)}.md-footer-meta__inner{display:flex;flex-wrap:wrap;justify-content:space-between;padding:.2rem}html .md-footer-meta.md-typeset a{color:var(--md-footer-fg-color--light)}html .md-footer-meta.md-typeset a:focus,html .md-footer-meta.md-typeset a:hover{color:var(--md-footer-fg-color)}.md-copyright{color:var(--md-footer-fg-color--lighter);font-size:.64rem;margin:auto .6rem;padding:.4rem 0;width:100%}@media screen and (min-width:45em){.md-copyright{width:auto}}.md-copyright__highlight{color:var(--md-footer-fg-color--light)}.md-social{display:inline-flex;gap:.2rem;margin:0 .4rem;padding:.2rem 0 .6rem}@media screen and (min-width:45em){.md-social{padding:.6rem 0}}.md-social__link{display:inline-block;height:1.6rem;text-align:center;width:1.6rem}.md-social__link:before{line-height:1.9}.md-social__link svg{fill:currentcolor;max-height:.8rem;vertical-align:-25%}.md-typeset .md-button{border:.1rem solid;border-radius:.1rem;color:var(--md-primary-fg-color);cursor:pointer;display:inline-block;font-weight:700;padding:.625em 2em;transition:color 125ms,background-color 125ms,border-color 125ms}.md-typeset .md-button--primary{background-color:var(--md-primary-fg-color);border-color:var(--md-primary-fg-color);color:var(--md-primary-bg-color)}.md-typeset .md-button:focus,.md-typeset .md-button:hover{background-color:var(--md-accent-fg-color);border-color:var(--md-accent-fg-color);color:var(--md-accent-bg-color)}[dir=ltr] .md-typeset .md-input{border-top-left-radius:.1rem}[dir=ltr] .md-typeset .md-input,[dir=rtl] .md-typeset .md-input{border-top-right-radius:.1rem}[dir=rtl] .md-typeset .md-input{border-top-left-radius:.1rem}.md-typeset .md-input{border-bottom:.1rem solid var(--md-default-fg-color--lighter);box-shadow:var(--md-shadow-z1);font-size:.8rem;height:1.8rem;padding:0 .6rem;transition:border .25s,box-shadow .25s}.md-typeset .md-input:focus,.md-typeset .md-input:hover{border-bottom-color:var(--md-accent-fg-color);box-shadow:var(--md-shadow-z2)}.md-typeset .md-input--stretch{width:100%}.md-header{background-color:var(--md-primary-fg-color);box-shadow:0 0 .2rem #0000,0 .2rem .4rem #0000;color:var(--md-primary-bg-color);display:block;left:0;position:sticky;right:0;top:0;z-index:4}@media print{.md-header{display:none}}.md-header[hidden]{transform:translateY(-100%);transition:transform .25s cubic-bezier(.8,0,.6,1),box-shadow .25s}.md-header--shadow{box-shadow:0 0 .2rem #0000001a,0 .2rem .4rem #0003;transition:transform .25s cubic-bezier(.1,.7,.1,1),box-shadow .25s}.md-header__inner{align-items:center;display:flex;padding:0 .2rem}.md-header__button{color:currentcolor;cursor:pointer;margin:.2rem;outline-color:var(--md-accent-fg-color);padding:.4rem;position:relative;transition:opacity .25s;vertical-align:middle;z-index:1}.md-header__button:hover{opacity:.7}.md-header__button:not([hidden]){display:inline-block}.md-header__button:not(.focus-visible){-webkit-tap-highlight-color:transparent;outline:none}.md-header__button.md-logo{margin:.2rem;padding:.4rem}@media screen and (max-width:76.234375em){.md-header__button.md-logo{display:none}}.md-header__button.md-logo img,.md-header__button.md-logo svg{fill:currentcolor;display:block;height:1.2rem;width:auto}@media screen and (min-width:60em){.md-header__button[for=__search]{display:none}}.no-js .md-header__button[for=__search]{display:none}[dir=rtl] .md-header__button[for=__search] svg{transform:scaleX(-1)}@media screen and (min-width:76.25em){.md-header__button[for=__drawer]{display:none}}.md-header__topic{display:flex;max-width:100%;position:absolute;transition:transform .4s cubic-bezier(.1,.7,.1,1),opacity .15s;white-space:nowrap}.md-header__topic+.md-header__topic{opacity:0;pointer-events:none;transform:translateX(1.25rem);transition:transform .4s cubic-bezier(1,.7,.1,.1),opacity .15s;z-index:-1}[dir=rtl] .md-header__topic+.md-header__topic{transform:translateX(-1.25rem)}.md-header__topic:first-child{font-weight:700}[dir=ltr] .md-header__title{margin-left:1rem;margin-right:.4rem}[dir=rtl] .md-header__title{margin-left:.4rem;margin-right:1rem}.md-header__title{flex-grow:1;font-size:.9rem;height:2.4rem;line-height:2.4rem}.md-header__title--active .md-header__topic{opacity:0;pointer-events:none;transform:translateX(-1.25rem);transition:transform .4s cubic-bezier(1,.7,.1,.1),opacity .15s;z-index:-1}[dir=rtl] .md-header__title--active .md-header__topic{transform:translateX(1.25rem)}.md-header__title--active .md-header__topic+.md-header__topic{opacity:1;pointer-events:auto;transform:translateX(0);transition:transform .4s cubic-bezier(.1,.7,.1,1),opacity .15s;z-index:0}.md-header__title>.md-header__ellipsis{height:100%;position:relative;width:100%}.md-header__option{display:flex;flex-shrink:0;max-width:100%;transition:max-width 0ms .25s,opacity .25s .25s;white-space:nowrap}[data-md-toggle=search]:checked~.md-header .md-header__option{max-width:0;opacity:0;transition:max-width 0ms,opacity 0ms}.md-header__option>input{bottom:0}.md-header__source{display:none}@media screen and (min-width:60em){[dir=ltr] .md-header__source{margin-left:1rem}[dir=rtl] .md-header__source{margin-right:1rem}.md-header__source{display:block;max-width:11.7rem;width:11.7rem}}@media screen and (min-width:76.25em){[dir=ltr] .md-header__source{margin-left:1.4rem}[dir=rtl] .md-header__source{margin-right:1.4rem}}.md-meta{color:var(--md-default-fg-color--light);font-size:.7rem;line-height:1.3}.md-meta__list{display:inline-flex;flex-wrap:wrap;list-style:none;margin:0;padding:0}.md-meta__item:not(:last-child):after{content:"·";margin-left:.2rem;margin-right:.2rem}.md-meta__link{color:var(--md-typeset-a-color)}.md-meta__link:focus,.md-meta__link:hover{color:var(--md-accent-fg-color)}.md-draft{background-color:#ff1744;border-radius:.125em;color:#fff;display:inline-block;font-weight:700;padding-left:.5714285714em;padding-right:.5714285714em}:root{--md-nav-icon--prev:url('data:image/svg+xml;charset=utf-8,');--md-nav-icon--next:url('data:image/svg+xml;charset=utf-8,');--md-toc-icon:url('data:image/svg+xml;charset=utf-8,')}.md-nav{font-size:.7rem;line-height:1.3}.md-nav__title{color:var(--md-default-fg-color--light);display:block;font-weight:700;overflow:hidden;padding:0 .6rem;text-overflow:ellipsis}.md-nav__title .md-nav__button{display:none}.md-nav__title .md-nav__button img{height:100%;width:auto}.md-nav__title .md-nav__button.md-logo img,.md-nav__title .md-nav__button.md-logo svg{fill:currentcolor;display:block;height:2.4rem;max-width:100%;object-fit:contain;width:auto}.md-nav__list{list-style:none;margin:0;padding:0}.md-nav__link{align-items:flex-start;display:flex;gap:.4rem;margin-top:.625em;scroll-snap-align:start;transition:color 125ms}.md-nav__link--passed{color:var(--md-default-fg-color--light)}.md-nav__item .md-nav__link--active,.md-nav__item .md-nav__link--active code{color:var(--md-typeset-a-color)}.md-nav__link .md-ellipsis{position:relative}[dir=ltr] .md-nav__link .md-icon:last-child{margin-left:auto}[dir=rtl] .md-nav__link .md-icon:last-child{margin-right:auto}.md-nav__link svg{fill:currentcolor;flex-shrink:0;height:1.3em}.md-nav__link[for]:focus,.md-nav__link[for]:hover,.md-nav__link[href]:focus,.md-nav__link[href]:hover{color:var(--md-accent-fg-color);cursor:pointer}.md-nav__link.focus-visible{outline-color:var(--md-accent-fg-color);outline-offset:.2rem}.md-nav--primary .md-nav__link[for=__toc]{display:none}.md-nav--primary .md-nav__link[for=__toc] .md-icon:after{background-color:currentcolor;display:block;height:100%;-webkit-mask-image:var(--md-toc-icon);mask-image:var(--md-toc-icon);width:100%}.md-nav--primary .md-nav__link[for=__toc]~.md-nav{display:none}.md-nav__container>.md-nav__link{margin-top:0}.md-nav__container>.md-nav__link:first-child{flex-grow:1;min-width:0}.md-nav__icon{flex-shrink:0}.md-nav__source{display:none}@media screen and (max-width:76.234375em){.md-nav--primary,.md-nav--primary .md-nav{background-color:var(--md-default-bg-color);display:flex;flex-direction:column;height:100%;left:0;position:absolute;right:0;top:0;z-index:1}.md-nav--primary .md-nav__item,.md-nav--primary .md-nav__title{font-size:.8rem;line-height:1.5}.md-nav--primary .md-nav__title{background-color:var(--md-default-fg-color--lightest);color:var(--md-default-fg-color--light);cursor:pointer;height:5.6rem;line-height:2.4rem;padding:3rem .8rem .2rem;position:relative;white-space:nowrap}[dir=ltr] .md-nav--primary .md-nav__title .md-nav__icon{left:.4rem}[dir=rtl] .md-nav--primary .md-nav__title .md-nav__icon{right:.4rem}.md-nav--primary .md-nav__title .md-nav__icon{display:block;height:1.2rem;margin:.2rem;position:absolute;top:.4rem;width:1.2rem}.md-nav--primary .md-nav__title .md-nav__icon:after{background-color:currentcolor;content:"";display:block;height:100%;-webkit-mask-image:var(--md-nav-icon--prev);mask-image:var(--md-nav-icon--prev);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;width:100%}.md-nav--primary .md-nav__title~.md-nav__list{background-color:var(--md-default-bg-color);box-shadow:0 .05rem 0 var(--md-default-fg-color--lightest) inset;overflow-y:auto;scroll-snap-type:y mandatory;touch-action:pan-y}.md-nav--primary .md-nav__title~.md-nav__list>:first-child{border-top:0}.md-nav--primary .md-nav__title[for=__drawer]{background-color:var(--md-primary-fg-color);color:var(--md-primary-bg-color);font-weight:700}.md-nav--primary .md-nav__title .md-logo{display:block;left:.2rem;margin:.2rem;padding:.4rem;position:absolute;right:.2rem;top:.2rem}.md-nav--primary .md-nav__list{flex:1}.md-nav--primary .md-nav__item{border-top:.05rem solid var(--md-default-fg-color--lightest)}.md-nav--primary .md-nav__item--active>.md-nav__link{color:var(--md-typeset-a-color)}.md-nav--primary .md-nav__item--active>.md-nav__link:focus,.md-nav--primary .md-nav__item--active>.md-nav__link:hover{color:var(--md-accent-fg-color)}.md-nav--primary .md-nav__link{margin-top:0;padding:.6rem .8rem}.md-nav--primary .md-nav__link svg{margin-top:.1em}.md-nav--primary .md-nav__link>.md-nav__link{padding:0}[dir=ltr] .md-nav--primary .md-nav__link .md-nav__icon{margin-right:-.2rem}[dir=rtl] .md-nav--primary .md-nav__link .md-nav__icon{margin-left:-.2rem}.md-nav--primary .md-nav__link .md-nav__icon{font-size:1.2rem;height:1.2rem;width:1.2rem}.md-nav--primary .md-nav__link .md-nav__icon:after{background-color:currentcolor;content:"";display:block;height:100%;-webkit-mask-image:var(--md-nav-icon--next);mask-image:var(--md-nav-icon--next);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;width:100%}[dir=rtl] .md-nav--primary .md-nav__icon:after{transform:scale(-1)}.md-nav--primary .md-nav--secondary .md-nav{background-color:initial;position:static}[dir=ltr] .md-nav--primary .md-nav--secondary .md-nav .md-nav__link{padding-left:1.4rem}[dir=rtl] .md-nav--primary .md-nav--secondary .md-nav .md-nav__link{padding-right:1.4rem}[dir=ltr] .md-nav--primary .md-nav--secondary .md-nav .md-nav .md-nav__link{padding-left:2rem}[dir=rtl] .md-nav--primary .md-nav--secondary .md-nav .md-nav .md-nav__link{padding-right:2rem}[dir=ltr] .md-nav--primary .md-nav--secondary .md-nav .md-nav .md-nav .md-nav__link{padding-left:2.6rem}[dir=rtl] .md-nav--primary .md-nav--secondary .md-nav .md-nav .md-nav .md-nav__link{padding-right:2.6rem}[dir=ltr] .md-nav--primary .md-nav--secondary .md-nav .md-nav .md-nav .md-nav .md-nav__link{padding-left:3.2rem}[dir=rtl] .md-nav--primary .md-nav--secondary .md-nav .md-nav .md-nav .md-nav .md-nav__link{padding-right:3.2rem}.md-nav--secondary{background-color:initial}.md-nav__toggle~.md-nav{display:flex;opacity:0;transform:translateX(100%);transition:transform .25s cubic-bezier(.8,0,.6,1),opacity 125ms 50ms}[dir=rtl] .md-nav__toggle~.md-nav{transform:translateX(-100%)}.md-nav__toggle:checked~.md-nav{opacity:1;transform:translateX(0);transition:transform .25s cubic-bezier(.4,0,.2,1),opacity 125ms 125ms}.md-nav__toggle:checked~.md-nav>.md-nav__list{-webkit-backface-visibility:hidden;backface-visibility:hidden}}@media screen and (max-width:59.984375em){.md-nav--primary .md-nav__link[for=__toc]{display:flex}.md-nav--primary .md-nav__link[for=__toc] .md-icon:after{content:""}.md-nav--primary .md-nav__link[for=__toc]+.md-nav__link{display:none}.md-nav--primary .md-nav__link[for=__toc]~.md-nav{display:flex}.md-nav__source{background-color:var(--md-primary-fg-color--dark);color:var(--md-primary-bg-color);display:block;padding:0 .2rem}}@media screen and (min-width:60em) and (max-width:76.234375em){.md-nav--integrated .md-nav__link[for=__toc]{display:flex}.md-nav--integrated .md-nav__link[for=__toc] .md-icon:after{content:""}.md-nav--integrated .md-nav__link[for=__toc]+.md-nav__link{display:none}.md-nav--integrated .md-nav__link[for=__toc]~.md-nav{display:flex}}@media screen and (min-width:60em){.md-nav{margin-bottom:-.4rem}.md-nav--secondary .md-nav__title{background:var(--md-default-bg-color);box-shadow:0 0 .4rem .4rem var(--md-default-bg-color);position:sticky;top:0;z-index:1}.md-nav--secondary .md-nav__title[for=__toc]{scroll-snap-align:start}.md-nav--secondary .md-nav__title .md-nav__icon{display:none}[dir=ltr] .md-nav--secondary .md-nav__list{padding-left:.6rem}[dir=rtl] .md-nav--secondary .md-nav__list{padding-right:.6rem}.md-nav--secondary .md-nav__list{padding-bottom:.4rem}[dir=ltr] .md-nav--secondary .md-nav__item>.md-nav__link{margin-right:.4rem}[dir=rtl] .md-nav--secondary .md-nav__item>.md-nav__link{margin-left:.4rem}}@media screen and (min-width:76.25em){.md-nav{margin-bottom:-.4rem;transition:max-height .25s cubic-bezier(.86,0,.07,1)}.md-nav--primary .md-nav__title{background:var(--md-default-bg-color);box-shadow:0 0 .4rem .4rem var(--md-default-bg-color);position:sticky;top:0;z-index:1}.md-nav--primary .md-nav__title[for=__drawer]{scroll-snap-align:start}.md-nav--primary .md-nav__title .md-nav__icon{display:none}[dir=ltr] .md-nav--primary .md-nav__list{padding-left:.6rem}[dir=rtl] .md-nav--primary .md-nav__list{padding-right:.6rem}.md-nav--primary .md-nav__list{padding-bottom:.4rem}[dir=ltr] .md-nav--primary .md-nav__item>.md-nav__link{margin-right:.4rem}[dir=rtl] .md-nav--primary .md-nav__item>.md-nav__link{margin-left:.4rem}.md-nav__toggle~.md-nav{display:grid;grid-template-rows:0fr;opacity:0;transition:grid-template-rows .25s cubic-bezier(.86,0,.07,1),opacity .25s,visibility 0ms .25s;visibility:collapse}.md-nav__toggle~.md-nav>.md-nav__list{overflow:hidden}.md-nav__toggle.md-toggle--indeterminate~.md-nav,.md-nav__toggle:checked~.md-nav{grid-template-rows:1fr;opacity:1;transition:grid-template-rows .25s cubic-bezier(.86,0,.07,1),opacity .15s .1s,visibility 0ms;visibility:visible}.md-nav__toggle.md-toggle--indeterminate~.md-nav{transition:none}.md-nav__item--nested>.md-nav>.md-nav__title{display:none}.md-nav__item--section{display:block;margin:1.25em 0}.md-nav__item--section:last-child{margin-bottom:0}.md-nav__item--section>.md-nav__link{font-weight:700}.md-nav__item--section>.md-nav__link[for]{color:var(--md-default-fg-color--light)}.md-nav__item--section>.md-nav__link:not(.md-nav__container){pointer-events:none}.md-nav__item--section>.md-nav__link .md-icon,.md-nav__item--section>.md-nav__link>[for]{display:none}[dir=ltr] .md-nav__item--section>.md-nav{margin-left:-.6rem}[dir=rtl] .md-nav__item--section>.md-nav{margin-right:-.6rem}.md-nav__item--section>.md-nav{display:block;opacity:1;visibility:visible}.md-nav__item--section>.md-nav>.md-nav__list>.md-nav__item{padding:0}.md-nav__icon{border-radius:100%;height:.9rem;transition:background-color .25s;width:.9rem}.md-nav__icon:hover{background-color:var(--md-accent-fg-color--transparent)}.md-nav__icon:after{background-color:currentcolor;border-radius:100%;content:"";display:inline-block;height:100%;-webkit-mask-image:var(--md-nav-icon--next);mask-image:var(--md-nav-icon--next);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;transition:transform .25s;vertical-align:-.1rem;width:100%}[dir=rtl] .md-nav__icon:after{transform:rotate(180deg)}.md-nav__item--nested .md-nav__toggle:checked~.md-nav__link .md-nav__icon:after,.md-nav__item--nested .md-toggle--indeterminate~.md-nav__link .md-nav__icon:after{transform:rotate(90deg)}.md-nav--lifted>.md-nav__list>.md-nav__item,.md-nav--lifted>.md-nav__title{display:none}.md-nav--lifted>.md-nav__list>.md-nav__item--active{display:block}.md-nav--lifted>.md-nav__list>.md-nav__item--active>.md-nav__link{background:var(--md-default-bg-color);box-shadow:0 0 .4rem .4rem var(--md-default-bg-color);margin-top:0;position:sticky;top:0;z-index:1}.md-nav--lifted>.md-nav__list>.md-nav__item--active>.md-nav__link:not(.md-nav__container){pointer-events:none}.md-nav--lifted>.md-nav__list>.md-nav__item--active.md-nav__item--section{margin:0}[dir=ltr] .md-nav--lifted>.md-nav__list>.md-nav__item>.md-nav:not(.md-nav--secondary){margin-left:-.6rem}[dir=rtl] .md-nav--lifted>.md-nav__list>.md-nav__item>.md-nav:not(.md-nav--secondary){margin-right:-.6rem}.md-nav--lifted>.md-nav__list>.md-nav__item>[for]{color:var(--md-default-fg-color--light)}.md-nav--lifted .md-nav[data-md-level="1"]{grid-template-rows:1fr;opacity:1;visibility:visible}[dir=ltr] .md-nav--integrated>.md-nav__list>.md-nav__item--active .md-nav--secondary{border-left:.05rem solid var(--md-primary-fg-color)}[dir=rtl] .md-nav--integrated>.md-nav__list>.md-nav__item--active .md-nav--secondary{border-right:.05rem solid var(--md-primary-fg-color)}.md-nav--integrated>.md-nav__list>.md-nav__item--active .md-nav--secondary{display:block;margin-bottom:1.25em;opacity:1;visibility:visible}.md-nav--integrated>.md-nav__list>.md-nav__item--active .md-nav--secondary>.md-nav__list{overflow:visible;padding-bottom:0}.md-nav--integrated>.md-nav__list>.md-nav__item--active .md-nav--secondary>.md-nav__title{display:none}}.md-pagination{font-size:.8rem;font-weight:700;gap:.4rem}.md-pagination,.md-pagination>*{align-items:center;display:flex;justify-content:center}.md-pagination>*{border-radius:.2rem;height:1.8rem;min-width:1.8rem;text-align:center}.md-pagination__current{background-color:var(--md-default-fg-color--lightest);color:var(--md-default-fg-color--light)}.md-pagination__link{transition:color 125ms,background-color 125ms}.md-pagination__link:focus,.md-pagination__link:hover{background-color:var(--md-accent-fg-color--transparent);color:var(--md-accent-fg-color)}.md-pagination__link:focus svg,.md-pagination__link:hover svg{color:var(--md-accent-fg-color)}.md-pagination__link.focus-visible{outline-color:var(--md-accent-fg-color);outline-offset:.2rem}.md-pagination__link svg{fill:currentcolor;color:var(--md-default-fg-color--lighter);display:block;max-height:100%;width:1.2rem}.md-post__back{border-bottom:.05rem solid var(--md-default-fg-color--lightest);margin-bottom:1.2rem;padding-bottom:1.2rem}@media screen and (max-width:76.234375em){.md-post__back{display:none}}[dir=rtl] .md-post__back svg{transform:scaleX(-1)}.md-post__authors{display:flex;flex-direction:column;gap:.6rem;margin:0 .6rem 1.2rem}.md-post .md-post__meta a{transition:color 125ms}.md-post .md-post__meta a:focus,.md-post .md-post__meta a:hover{color:var(--md-accent-fg-color)}.md-post__title{color:var(--md-default-fg-color--light);font-weight:700}.md-post--excerpt{margin-bottom:3.2rem}.md-post--excerpt .md-post__header{align-items:center;display:flex;gap:.6rem;min-height:1.6rem}.md-post--excerpt .md-post__authors{align-items:center;display:inline-flex;flex-direction:row;gap:.2rem;margin:0;min-height:2.4rem}[dir=ltr] .md-post--excerpt .md-post__meta .md-meta__list{margin-right:.4rem}[dir=rtl] .md-post--excerpt .md-post__meta .md-meta__list{margin-left:.4rem}.md-post--excerpt .md-post__content>:first-child{--md-scroll-margin:6rem;margin-top:0}.md-post>.md-nav--secondary{margin:1em 0}.md-profile{align-items:center;display:flex;font-size:.7rem;gap:.6rem;line-height:1.4;width:100%}.md-profile__description{flex-grow:1}.md-content--post{display:flex}@media screen and (max-width:76.234375em){.md-content--post{flex-flow:column-reverse}}.md-content--post>.md-content__inner{min-width:0}@media screen and (min-width:76.25em){[dir=ltr] .md-content--post>.md-content__inner{margin-left:1.2rem}[dir=rtl] .md-content--post>.md-content__inner{margin-right:1.2rem}}@media screen and (max-width:76.234375em){.md-sidebar.md-sidebar--post{padding:0;position:static;width:100%}.md-sidebar.md-sidebar--post .md-sidebar__scrollwrap{overflow:visible}.md-sidebar.md-sidebar--post .md-sidebar__inner{padding:0}.md-sidebar.md-sidebar--post .md-post__meta{margin-left:.6rem;margin-right:.6rem}.md-sidebar.md-sidebar--post .md-nav__item{border:none;display:inline}.md-sidebar.md-sidebar--post .md-nav__list{display:inline-flex;flex-wrap:wrap;gap:.6rem;padding-bottom:.6rem;padding-top:.6rem}.md-sidebar.md-sidebar--post .md-nav__link{padding:0}.md-sidebar.md-sidebar--post .md-nav{height:auto;margin-bottom:0;position:static}}:root{--md-progress-value:0;--md-progress-delay:400ms}.md-progress{background:var(--md-primary-bg-color);height:.075rem;opacity:min(clamp(0,var(--md-progress-value),1),clamp(0,100 - var(--md-progress-value),1));position:fixed;top:0;transform:scaleX(calc(var(--md-progress-value)*1%));transform-origin:left;transition:transform .5s cubic-bezier(.19,1,.22,1),opacity .25s var(--md-progress-delay);width:100%;z-index:4}:root{--md-search-result-icon:url('data:image/svg+xml;charset=utf-8,')}.md-search{position:relative}@media screen and (min-width:60em){.md-search{padding:.2rem 0}}.no-js .md-search{display:none}.md-search__overlay{opacity:0;z-index:1}@media screen and (max-width:59.984375em){[dir=ltr] .md-search__overlay{left:-2.2rem}[dir=rtl] .md-search__overlay{right:-2.2rem}.md-search__overlay{background-color:var(--md-default-bg-color);border-radius:1rem;height:2rem;overflow:hidden;pointer-events:none;position:absolute;top:-1rem;transform-origin:center;transition:transform .3s .1s,opacity .2s .2s;width:2rem}[data-md-toggle=search]:checked~.md-header .md-search__overlay{opacity:1;transition:transform .4s,opacity .1s}}@media screen and (min-width:60em){[dir=ltr] .md-search__overlay{left:0}[dir=rtl] .md-search__overlay{right:0}.md-search__overlay{background-color:#0000008a;cursor:pointer;height:0;position:fixed;top:0;transition:width 0ms .25s,height 0ms .25s,opacity .25s;width:0}[data-md-toggle=search]:checked~.md-header .md-search__overlay{height:200vh;opacity:1;transition:width 0ms,height 0ms,opacity .25s;width:100%}}@media screen and (max-width:29.984375em){[data-md-toggle=search]:checked~.md-header .md-search__overlay{transform:scale(45)}}@media screen and (min-width:30em) and (max-width:44.984375em){[data-md-toggle=search]:checked~.md-header .md-search__overlay{transform:scale(60)}}@media screen and (min-width:45em) and (max-width:59.984375em){[data-md-toggle=search]:checked~.md-header .md-search__overlay{transform:scale(75)}}.md-search__inner{-webkit-backface-visibility:hidden;backface-visibility:hidden}@media screen and (max-width:59.984375em){[dir=ltr] .md-search__inner{left:0}[dir=rtl] .md-search__inner{right:0}.md-search__inner{height:0;opacity:0;overflow:hidden;position:fixed;top:0;transform:translateX(5%);transition:width 0ms .3s,height 0ms .3s,transform .15s cubic-bezier(.4,0,.2,1) .15s,opacity .15s .15s;width:0;z-index:2}[dir=rtl] .md-search__inner{transform:translateX(-5%)}[data-md-toggle=search]:checked~.md-header .md-search__inner{height:100%;opacity:1;transform:translateX(0);transition:width 0ms 0ms,height 0ms 0ms,transform .15s cubic-bezier(.1,.7,.1,1) .15s,opacity .15s .15s;width:100%}}@media screen and (min-width:60em){[dir=ltr] .md-search__inner{float:right}[dir=rtl] .md-search__inner{float:left}.md-search__inner{padding:.1rem 0;position:relative;transition:width .25s cubic-bezier(.1,.7,.1,1);width:11.7rem}}@media screen and (min-width:60em) and (max-width:76.234375em){[data-md-toggle=search]:checked~.md-header .md-search__inner{width:23.4rem}}@media screen and (min-width:76.25em){[data-md-toggle=search]:checked~.md-header .md-search__inner{width:34.4rem}}.md-search__form{background-color:var(--md-default-bg-color);box-shadow:0 0 .6rem #0000;height:2.4rem;position:relative;transition:color .25s,background-color .25s;z-index:2}@media screen and (min-width:60em){.md-search__form{background-color:#00000042;border-radius:.1rem;height:1.8rem}.md-search__form:hover{background-color:#ffffff1f}}[data-md-toggle=search]:checked~.md-header .md-search__form{background-color:var(--md-default-bg-color);border-radius:.1rem .1rem 0 0;box-shadow:0 0 .6rem #00000012;color:var(--md-default-fg-color)}[dir=ltr] .md-search__input{padding-left:3.6rem;padding-right:2.2rem}[dir=rtl] .md-search__input{padding-left:2.2rem;padding-right:3.6rem}.md-search__input{background:#0000;font-size:.9rem;height:100%;position:relative;text-overflow:ellipsis;width:100%;z-index:2}.md-search__input::placeholder{transition:color .25s}.md-search__input::placeholder,.md-search__input~.md-search__icon{color:var(--md-default-fg-color--light)}.md-search__input::-ms-clear{display:none}@media screen and (max-width:59.984375em){.md-search__input{font-size:.9rem;height:2.4rem;width:100%}}@media screen and (min-width:60em){[dir=ltr] .md-search__input{padding-left:2.2rem}[dir=rtl] .md-search__input{padding-right:2.2rem}.md-search__input{color:inherit;font-size:.8rem}.md-search__input::placeholder{color:var(--md-primary-bg-color--light)}.md-search__input+.md-search__icon{color:var(--md-primary-bg-color)}[data-md-toggle=search]:checked~.md-header .md-search__input{text-overflow:clip}[data-md-toggle=search]:checked~.md-header .md-search__input+.md-search__icon{color:var(--md-default-fg-color--light)}[data-md-toggle=search]:checked~.md-header .md-search__input::placeholder{color:#0000}}.md-search__icon{cursor:pointer;display:inline-block;height:1.2rem;transition:color .25s,opacity .25s;width:1.2rem}.md-search__icon:hover{opacity:.7}[dir=ltr] .md-search__icon[for=__search]{left:.5rem}[dir=rtl] .md-search__icon[for=__search]{right:.5rem}.md-search__icon[for=__search]{position:absolute;top:.3rem;z-index:2}[dir=rtl] .md-search__icon[for=__search] svg{transform:scaleX(-1)}@media screen and (max-width:59.984375em){[dir=ltr] .md-search__icon[for=__search]{left:.8rem}[dir=rtl] .md-search__icon[for=__search]{right:.8rem}.md-search__icon[for=__search]{top:.6rem}.md-search__icon[for=__search] svg:first-child{display:none}}@media screen and (min-width:60em){.md-search__icon[for=__search]{pointer-events:none}.md-search__icon[for=__search] svg:last-child{display:none}}[dir=ltr] .md-search__options{right:.5rem}[dir=rtl] .md-search__options{left:.5rem}.md-search__options{pointer-events:none;position:absolute;top:.3rem;z-index:2}@media screen and (max-width:59.984375em){[dir=ltr] .md-search__options{right:.8rem}[dir=rtl] .md-search__options{left:.8rem}.md-search__options{top:.6rem}}[dir=ltr] .md-search__options>.md-icon{margin-left:.2rem}[dir=rtl] .md-search__options>.md-icon{margin-right:.2rem}.md-search__options>.md-icon{color:var(--md-default-fg-color--light);opacity:0;transform:scale(.75);transition:transform .15s cubic-bezier(.1,.7,.1,1),opacity .15s}.md-search__options>.md-icon:not(.focus-visible){-webkit-tap-highlight-color:transparent;outline:none}[data-md-toggle=search]:checked~.md-header .md-search__input:valid~.md-search__options>.md-icon{opacity:1;pointer-events:auto;transform:scale(1)}[data-md-toggle=search]:checked~.md-header .md-search__input:valid~.md-search__options>.md-icon:hover{opacity:.7}[dir=ltr] .md-search__suggest{padding-left:3.6rem;padding-right:2.2rem}[dir=rtl] .md-search__suggest{padding-left:2.2rem;padding-right:3.6rem}.md-search__suggest{align-items:center;color:var(--md-default-fg-color--lighter);display:flex;font-size:.9rem;height:100%;opacity:0;position:absolute;top:0;transition:opacity 50ms;white-space:nowrap;width:100%}@media screen and (min-width:60em){[dir=ltr] .md-search__suggest{padding-left:2.2rem}[dir=rtl] .md-search__suggest{padding-right:2.2rem}.md-search__suggest{font-size:.8rem}}[data-md-toggle=search]:checked~.md-header .md-search__suggest{opacity:1;transition:opacity .3s .1s}[dir=ltr] .md-search__output{border-bottom-left-radius:.1rem}[dir=ltr] .md-search__output,[dir=rtl] .md-search__output{border-bottom-right-radius:.1rem}[dir=rtl] .md-search__output{border-bottom-left-radius:.1rem}.md-search__output{overflow:hidden;position:absolute;width:100%;z-index:1}@media screen and (max-width:59.984375em){.md-search__output{bottom:0;top:2.4rem}}@media screen and (min-width:60em){.md-search__output{opacity:0;top:1.9rem;transition:opacity .4s}[data-md-toggle=search]:checked~.md-header .md-search__output{box-shadow:var(--md-shadow-z3);opacity:1}}.md-search__scrollwrap{-webkit-backface-visibility:hidden;backface-visibility:hidden;background-color:var(--md-default-bg-color);height:100%;overflow-y:auto;touch-action:pan-y}@media (-webkit-max-device-pixel-ratio:1),(max-resolution:1dppx){.md-search__scrollwrap{transform:translateZ(0)}}@media screen and (min-width:60em) and (max-width:76.234375em){.md-search__scrollwrap{width:23.4rem}}@media screen and (min-width:76.25em){.md-search__scrollwrap{width:34.4rem}}@media screen and (min-width:60em){.md-search__scrollwrap{max-height:0;scrollbar-color:var(--md-default-fg-color--lighter) #0000;scrollbar-width:thin}[data-md-toggle=search]:checked~.md-header .md-search__scrollwrap{max-height:75vh}.md-search__scrollwrap:hover{scrollbar-color:var(--md-accent-fg-color) #0000}.md-search__scrollwrap::-webkit-scrollbar{height:.2rem;width:.2rem}.md-search__scrollwrap::-webkit-scrollbar-thumb{background-color:var(--md-default-fg-color--lighter)}.md-search__scrollwrap::-webkit-scrollbar-thumb:hover{background-color:var(--md-accent-fg-color)}}.md-search-result{color:var(--md-default-fg-color);word-break:break-word}.md-search-result__meta{background-color:var(--md-default-fg-color--lightest);color:var(--md-default-fg-color--light);font-size:.64rem;line-height:1.8rem;padding:0 .8rem;scroll-snap-align:start}@media screen and (min-width:60em){[dir=ltr] .md-search-result__meta{padding-left:2.2rem}[dir=rtl] .md-search-result__meta{padding-right:2.2rem}}.md-search-result__list{list-style:none;margin:0;padding:0;-webkit-user-select:none;user-select:none}.md-search-result__item{box-shadow:0 -.05rem var(--md-default-fg-color--lightest)}.md-search-result__item:first-child{box-shadow:none}.md-search-result__link{display:block;outline:none;scroll-snap-align:start;transition:background-color .25s}.md-search-result__link:focus,.md-search-result__link:hover{background-color:var(--md-accent-fg-color--transparent)}.md-search-result__link:last-child p:last-child{margin-bottom:.6rem}.md-search-result__more>summary{cursor:pointer;display:block;outline:none;position:sticky;scroll-snap-align:start;top:0;z-index:1}.md-search-result__more>summary::marker{display:none}.md-search-result__more>summary::-webkit-details-marker{display:none}.md-search-result__more>summary>div{color:var(--md-typeset-a-color);font-size:.64rem;padding:.75em .8rem;transition:color .25s,background-color .25s}@media screen and (min-width:60em){[dir=ltr] .md-search-result__more>summary>div{padding-left:2.2rem}[dir=rtl] .md-search-result__more>summary>div{padding-right:2.2rem}}.md-search-result__more>summary:focus>div,.md-search-result__more>summary:hover>div{background-color:var(--md-accent-fg-color--transparent);color:var(--md-accent-fg-color)}.md-search-result__more[open]>summary{background-color:var(--md-default-bg-color)}.md-search-result__article{overflow:hidden;padding:0 .8rem;position:relative}@media screen and (min-width:60em){[dir=ltr] .md-search-result__article{padding-left:2.2rem}[dir=rtl] .md-search-result__article{padding-right:2.2rem}}[dir=ltr] .md-search-result__icon{left:0}[dir=rtl] .md-search-result__icon{right:0}.md-search-result__icon{color:var(--md-default-fg-color--light);height:1.2rem;margin:.5rem;position:absolute;width:1.2rem}@media screen and (max-width:59.984375em){.md-search-result__icon{display:none}}.md-search-result__icon:after{background-color:currentcolor;content:"";display:inline-block;height:100%;-webkit-mask-image:var(--md-search-result-icon);mask-image:var(--md-search-result-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;width:100%}[dir=rtl] .md-search-result__icon:after{transform:scaleX(-1)}.md-search-result .md-typeset{color:var(--md-default-fg-color--light);font-size:.64rem;line-height:1.6}.md-search-result .md-typeset h1{color:var(--md-default-fg-color);font-size:.8rem;font-weight:400;line-height:1.4;margin:.55rem 0}.md-search-result .md-typeset h1 mark{text-decoration:none}.md-search-result .md-typeset h2{color:var(--md-default-fg-color);font-size:.64rem;font-weight:700;line-height:1.6;margin:.5em 0}.md-search-result .md-typeset h2 mark{text-decoration:none}.md-search-result__terms{color:var(--md-default-fg-color);display:block;font-size:.64rem;font-style:italic;margin:.5em 0}.md-search-result mark{background-color:initial;color:var(--md-accent-fg-color);text-decoration:underline}.md-select{position:relative;z-index:1}.md-select__inner{background-color:var(--md-default-bg-color);border-radius:.1rem;box-shadow:var(--md-shadow-z2);color:var(--md-default-fg-color);left:50%;margin-top:.2rem;max-height:0;opacity:0;position:absolute;top:calc(100% - .2rem);transform:translate3d(-50%,.3rem,0);transition:transform .25s 375ms,opacity .25s .25s,max-height 0ms .5s}.md-select:focus-within .md-select__inner,.md-select:hover .md-select__inner{max-height:10rem;opacity:1;transform:translate3d(-50%,0,0);transition:transform .25s cubic-bezier(.1,.7,.1,1),opacity .25s,max-height 0ms}.md-select__inner:after{border-bottom:.2rem solid #0000;border-bottom-color:var(--md-default-bg-color);border-left:.2rem solid #0000;border-right:.2rem solid #0000;border-top:0;content:"";height:0;left:50%;margin-left:-.2rem;margin-top:-.2rem;position:absolute;top:0;width:0}.md-select__list{border-radius:.1rem;font-size:.8rem;list-style-type:none;margin:0;max-height:inherit;overflow:auto;padding:0}.md-select__item{line-height:1.8rem}[dir=ltr] .md-select__link{padding-left:.6rem;padding-right:1.2rem}[dir=rtl] .md-select__link{padding-left:1.2rem;padding-right:.6rem}.md-select__link{cursor:pointer;display:block;outline:none;scroll-snap-align:start;transition:background-color .25s,color .25s;width:100%}.md-select__link:focus,.md-select__link:hover{color:var(--md-accent-fg-color)}.md-select__link:focus{background-color:var(--md-default-fg-color--lightest)}.md-sidebar{align-self:flex-start;flex-shrink:0;padding:1.2rem 0;position:sticky;top:2.4rem;width:12.1rem}@media print{.md-sidebar{display:none}}@media screen and (max-width:76.234375em){[dir=ltr] .md-sidebar--primary{left:-12.1rem}[dir=rtl] .md-sidebar--primary{right:-12.1rem}.md-sidebar--primary{background-color:var(--md-default-bg-color);display:block;height:100%;position:fixed;top:0;transform:translateX(0);transition:transform .25s cubic-bezier(.4,0,.2,1),box-shadow .25s;width:12.1rem;z-index:5}[data-md-toggle=drawer]:checked~.md-container .md-sidebar--primary{box-shadow:var(--md-shadow-z3);transform:translateX(12.1rem)}[dir=rtl] [data-md-toggle=drawer]:checked~.md-container .md-sidebar--primary{transform:translateX(-12.1rem)}.md-sidebar--primary .md-sidebar__scrollwrap{bottom:0;left:0;margin:0;overflow:hidden;position:absolute;right:0;scroll-snap-type:none;top:0}}@media screen and (min-width:76.25em){.md-sidebar{height:0}.no-js .md-sidebar{height:auto}.md-header--lifted~.md-container .md-sidebar{top:4.8rem}}.md-sidebar--secondary{display:none;order:2}@media screen and (min-width:60em){.md-sidebar--secondary{height:0}.no-js .md-sidebar--secondary{height:auto}.md-sidebar--secondary:not([hidden]){display:block}.md-sidebar--secondary .md-sidebar__scrollwrap{touch-action:pan-y}}.md-sidebar__scrollwrap{scrollbar-gutter:stable;-webkit-backface-visibility:hidden;backface-visibility:hidden;margin:0 .2rem;overflow-y:auto;scrollbar-color:var(--md-default-fg-color--lighter) #0000;scrollbar-width:thin}.md-sidebar__scrollwrap::-webkit-scrollbar{height:.2rem;width:.2rem}.md-sidebar__scrollwrap:focus-within,.md-sidebar__scrollwrap:hover{scrollbar-color:var(--md-accent-fg-color) #0000}.md-sidebar__scrollwrap:focus-within::-webkit-scrollbar-thumb,.md-sidebar__scrollwrap:hover::-webkit-scrollbar-thumb{background-color:var(--md-default-fg-color--lighter)}.md-sidebar__scrollwrap:focus-within::-webkit-scrollbar-thumb:hover,.md-sidebar__scrollwrap:hover::-webkit-scrollbar-thumb:hover{background-color:var(--md-accent-fg-color)}@supports selector(::-webkit-scrollbar){.md-sidebar__scrollwrap{scrollbar-gutter:auto}[dir=ltr] .md-sidebar__inner{padding-right:calc(100% - 11.5rem)}[dir=rtl] .md-sidebar__inner{padding-left:calc(100% - 11.5rem)}}@media screen and (max-width:76.234375em){.md-overlay{background-color:#0000008a;height:0;opacity:0;position:fixed;top:0;transition:width 0ms .25s,height 0ms .25s,opacity .25s;width:0;z-index:5}[data-md-toggle=drawer]:checked~.md-overlay{height:100%;opacity:1;transition:width 0ms,height 0ms,opacity .25s;width:100%}}@keyframes facts{0%{height:0}to{height:.65rem}}@keyframes fact{0%{opacity:0;transform:translateY(100%)}50%{opacity:0}to{opacity:1;transform:translateY(0)}}:root{--md-source-forks-icon:url('data:image/svg+xml;charset=utf-8,');--md-source-repositories-icon:url('data:image/svg+xml;charset=utf-8,');--md-source-stars-icon:url('data:image/svg+xml;charset=utf-8,');--md-source-version-icon:url('data:image/svg+xml;charset=utf-8,')}.md-source{-webkit-backface-visibility:hidden;backface-visibility:hidden;display:block;font-size:.65rem;line-height:1.2;outline-color:var(--md-accent-fg-color);transition:opacity .25s;white-space:nowrap}.md-source:hover{opacity:.7}.md-source__icon{display:inline-block;height:2.4rem;vertical-align:middle;width:2rem}[dir=ltr] .md-source__icon svg{margin-left:.6rem}[dir=rtl] .md-source__icon svg{margin-right:.6rem}.md-source__icon svg{margin-top:.6rem}[dir=ltr] .md-source__icon+.md-source__repository{padding-left:2rem}[dir=rtl] .md-source__icon+.md-source__repository{padding-right:2rem}[dir=ltr] .md-source__icon+.md-source__repository{margin-left:-2rem}[dir=rtl] .md-source__icon+.md-source__repository{margin-right:-2rem}[dir=ltr] .md-source__repository{margin-left:.6rem}[dir=rtl] .md-source__repository{margin-right:.6rem}.md-source__repository{display:inline-block;max-width:calc(100% - 1.2rem);overflow:hidden;text-overflow:ellipsis;vertical-align:middle}.md-source__facts{display:flex;font-size:.55rem;gap:.4rem;list-style-type:none;margin:.1rem 0 0;opacity:.75;overflow:hidden;padding:0;width:100%}.md-source__repository--active .md-source__facts{animation:facts .25s ease-in}.md-source__fact{overflow:hidden;text-overflow:ellipsis}.md-source__repository--active .md-source__fact{animation:fact .4s ease-out}[dir=ltr] .md-source__fact:before{margin-right:.1rem}[dir=rtl] .md-source__fact:before{margin-left:.1rem}.md-source__fact:before{background-color:currentcolor;content:"";display:inline-block;height:.6rem;-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;vertical-align:text-top;width:.6rem}.md-source__fact:nth-child(1n+2){flex-shrink:0}.md-source__fact--version:before{-webkit-mask-image:var(--md-source-version-icon);mask-image:var(--md-source-version-icon)}.md-source__fact--stars:before{-webkit-mask-image:var(--md-source-stars-icon);mask-image:var(--md-source-stars-icon)}.md-source__fact--forks:before{-webkit-mask-image:var(--md-source-forks-icon);mask-image:var(--md-source-forks-icon)}.md-source__fact--repositories:before{-webkit-mask-image:var(--md-source-repositories-icon);mask-image:var(--md-source-repositories-icon)}.md-source-file{margin:1em 0}[dir=ltr] .md-source-file__fact{margin-right:.6rem}[dir=rtl] .md-source-file__fact{margin-left:.6rem}.md-source-file__fact{align-items:center;color:var(--md-default-fg-color--light);display:inline-flex;font-size:.68rem;gap:.3rem}.md-source-file__fact .md-icon{flex-shrink:0;margin-bottom:.05rem}[dir=ltr] .md-source-file__fact .md-author{float:left}[dir=rtl] .md-source-file__fact .md-author{float:right}.md-source-file__fact .md-author{margin-right:.2rem}.md-source-file__fact svg{width:.9rem}:root{--md-status:url('data:image/svg+xml;charset=utf-8,');--md-status--new:url('data:image/svg+xml;charset=utf-8,');--md-status--deprecated:url('data:image/svg+xml;charset=utf-8,');--md-status--encrypted:url('data:image/svg+xml;charset=utf-8,')}.md-status:after{background-color:var(--md-default-fg-color--light);content:"";display:inline-block;height:1.125em;-webkit-mask-image:var(--md-status);mask-image:var(--md-status);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;vertical-align:text-bottom;width:1.125em}.md-status:hover:after{background-color:currentcolor}.md-status--new:after{-webkit-mask-image:var(--md-status--new);mask-image:var(--md-status--new)}.md-status--deprecated:after{-webkit-mask-image:var(--md-status--deprecated);mask-image:var(--md-status--deprecated)}.md-status--encrypted:after{-webkit-mask-image:var(--md-status--encrypted);mask-image:var(--md-status--encrypted)}.md-tabs{background-color:var(--md-primary-fg-color);color:var(--md-primary-bg-color);display:block;line-height:1.3;overflow:auto;width:100%;z-index:3}@media print{.md-tabs{display:none}}@media screen and (max-width:76.234375em){.md-tabs{display:none}}.md-tabs[hidden]{pointer-events:none}[dir=ltr] .md-tabs__list{margin-left:.2rem}[dir=rtl] .md-tabs__list{margin-right:.2rem}.md-tabs__list{contain:content;display:flex;list-style:none;margin:0;overflow:auto;padding:0;scrollbar-width:none;white-space:nowrap}.md-tabs__list::-webkit-scrollbar{display:none}.md-tabs__item{height:2.4rem;padding-left:.6rem;padding-right:.6rem}.md-tabs__item--active .md-tabs__link{color:inherit;opacity:1}.md-tabs__link{-webkit-backface-visibility:hidden;backface-visibility:hidden;display:flex;font-size:.7rem;margin-top:.8rem;opacity:.7;outline-color:var(--md-accent-fg-color);outline-offset:.2rem;transition:transform .4s cubic-bezier(.1,.7,.1,1),opacity .25s}.md-tabs__link:focus,.md-tabs__link:hover{color:inherit;opacity:1}[dir=ltr] .md-tabs__link svg{margin-right:.4rem}[dir=rtl] .md-tabs__link svg{margin-left:.4rem}.md-tabs__link svg{fill:currentcolor;height:1.3em}.md-tabs__item:nth-child(2) .md-tabs__link{transition-delay:20ms}.md-tabs__item:nth-child(3) .md-tabs__link{transition-delay:40ms}.md-tabs__item:nth-child(4) .md-tabs__link{transition-delay:60ms}.md-tabs__item:nth-child(5) .md-tabs__link{transition-delay:80ms}.md-tabs__item:nth-child(6) .md-tabs__link{transition-delay:.1s}.md-tabs__item:nth-child(7) .md-tabs__link{transition-delay:.12s}.md-tabs__item:nth-child(8) .md-tabs__link{transition-delay:.14s}.md-tabs__item:nth-child(9) .md-tabs__link{transition-delay:.16s}.md-tabs__item:nth-child(10) .md-tabs__link{transition-delay:.18s}.md-tabs__item:nth-child(11) .md-tabs__link{transition-delay:.2s}.md-tabs__item:nth-child(12) .md-tabs__link{transition-delay:.22s}.md-tabs__item:nth-child(13) .md-tabs__link{transition-delay:.24s}.md-tabs__item:nth-child(14) .md-tabs__link{transition-delay:.26s}.md-tabs__item:nth-child(15) .md-tabs__link{transition-delay:.28s}.md-tabs__item:nth-child(16) .md-tabs__link{transition-delay:.3s}.md-tabs[hidden] .md-tabs__link{opacity:0;transform:translateY(50%);transition:transform 0ms .1s,opacity .1s}:root{--md-tag-icon:url('data:image/svg+xml;charset=utf-8,')}.md-typeset .md-tags:not([hidden]){display:inline-flex;flex-wrap:wrap;gap:.5em;margin-bottom:.75em;margin-top:-.125em}.md-typeset .md-tag{align-items:center;background:var(--md-default-fg-color--lightest);border-radius:2.4rem;display:inline-flex;font-size:.64rem;font-size:min(.8em,.64rem);font-weight:700;gap:.5em;letter-spacing:normal;line-height:1.6;padding:.3125em .78125em}.md-typeset .md-tag[href]{-webkit-tap-highlight-color:transparent;color:inherit;outline:none;transition:color 125ms,background-color 125ms}.md-typeset .md-tag[href]:focus,.md-typeset .md-tag[href]:hover{background-color:var(--md-accent-fg-color);color:var(--md-accent-bg-color)}[id]>.md-typeset .md-tag{vertical-align:text-top}.md-typeset .md-tag-icon:before{background-color:var(--md-default-fg-color--lighter);content:"";display:inline-block;height:1.2em;-webkit-mask-image:var(--md-tag-icon);mask-image:var(--md-tag-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;transition:background-color 125ms;vertical-align:text-bottom;width:1.2em}.md-typeset .md-tag-icon[href]:focus:before,.md-typeset .md-tag-icon[href]:hover:before{background-color:var(--md-accent-bg-color)}@keyframes pulse{0%{transform:scale(.95)}75%{transform:scale(1)}to{transform:scale(.95)}}:root{--md-annotation-bg-icon:url('data:image/svg+xml;charset=utf-8,');--md-annotation-icon:url('data:image/svg+xml;charset=utf-8,')}.md-tooltip{-webkit-backface-visibility:hidden;backface-visibility:hidden;background-color:var(--md-default-bg-color);border-radius:.1rem;box-shadow:var(--md-shadow-z2);color:var(--md-default-fg-color);font-family:var(--md-text-font-family);left:clamp(var(--md-tooltip-0,0rem) + .8rem,var(--md-tooltip-x),100vw + var(--md-tooltip-0,0rem) + .8rem - var(--md-tooltip-width) - 2 * .8rem);max-width:calc(100vw - 1.6rem);opacity:0;position:absolute;top:var(--md-tooltip-y);transform:translateY(-.4rem);transition:transform 0ms .25s,opacity .25s,z-index .25s;width:var(--md-tooltip-width);z-index:0}.md-tooltip--active{opacity:1;transform:translateY(0);transition:transform .25s cubic-bezier(.1,.7,.1,1),opacity .25s,z-index 0ms;z-index:2}.md-tooltip--inline{font-weight:700;-webkit-user-select:none;user-select:none;width:auto}.md-tooltip--inline:not(.md-tooltip--active){transform:translateY(.2rem) scale(.9)}.md-tooltip--inline .md-tooltip__inner{font-size:.5rem;padding:.2rem .4rem}[hidden]+.md-tooltip--inline{display:none}.focus-visible>.md-tooltip,.md-tooltip:target{outline:var(--md-accent-fg-color) auto}.md-tooltip__inner{font-size:.64rem;padding:.8rem}.md-tooltip__inner.md-typeset>:first-child{margin-top:0}.md-tooltip__inner.md-typeset>:last-child{margin-bottom:0}.md-annotation{font-style:normal;font-weight:400;outline:none;text-align:initial;vertical-align:text-bottom;white-space:normal}[dir=rtl] .md-annotation{direction:rtl}code .md-annotation{font-family:var(--md-code-font-family);font-size:inherit}.md-annotation:not([hidden]){display:inline-block;line-height:1.25}.md-annotation__index{border-radius:.01px;cursor:pointer;display:inline-block;margin-left:.4ch;margin-right:.4ch;outline:none;overflow:hidden;position:relative;-webkit-user-select:none;user-select:none;vertical-align:text-top;z-index:0}.md-annotation .md-annotation__index{transition:z-index .25s}@media screen{.md-annotation__index{width:2.2ch}[data-md-visible]>.md-annotation__index{animation:pulse 2s infinite}.md-annotation__index:before{background:var(--md-default-bg-color);-webkit-mask-image:var(--md-annotation-bg-icon);mask-image:var(--md-annotation-bg-icon)}.md-annotation__index:after,.md-annotation__index:before{content:"";height:2.2ch;-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;position:absolute;top:-.1ch;width:2.2ch;z-index:-1}.md-annotation__index:after{background-color:var(--md-default-fg-color--lighter);-webkit-mask-image:var(--md-annotation-icon);mask-image:var(--md-annotation-icon);transform:scale(1.0001);transition:background-color .25s,transform .25s}.md-tooltip--active+.md-annotation__index:after{transform:rotate(45deg)}.md-tooltip--active+.md-annotation__index:after,:hover>.md-annotation__index:after{background-color:var(--md-accent-fg-color)}}.md-tooltip--active+.md-annotation__index{animation-play-state:paused;transition-duration:0ms;z-index:2}.md-annotation__index [data-md-annotation-id]{display:inline-block}@media print{.md-annotation__index [data-md-annotation-id]{background:var(--md-default-fg-color--lighter);border-radius:2ch;color:var(--md-default-bg-color);font-weight:700;padding:0 .6ch;white-space:nowrap}.md-annotation__index [data-md-annotation-id]:after{content:attr(data-md-annotation-id)}}.md-typeset .md-annotation-list{counter-reset:xxx;list-style:none}.md-typeset .md-annotation-list li{position:relative}[dir=ltr] .md-typeset .md-annotation-list li:before{left:-2.125em}[dir=rtl] .md-typeset .md-annotation-list li:before{right:-2.125em}.md-typeset .md-annotation-list li:before{background:var(--md-default-fg-color--lighter);border-radius:2ch;color:var(--md-default-bg-color);content:counter(xxx);counter-increment:xxx;font-size:.8875em;font-weight:700;height:2ch;line-height:1.25;min-width:2ch;padding:0 .6ch;position:absolute;text-align:center;top:.25em}:root{--md-tooltip-width:20rem;--md-tooltip-tail:0.3rem}.md-tooltip2{-webkit-backface-visibility:hidden;backface-visibility:hidden;color:var(--md-default-fg-color);font-family:var(--md-text-font-family);opacity:0;pointer-events:none;position:absolute;top:calc(var(--md-tooltip-host-y) + var(--md-tooltip-y));transform:translateY(-.4rem);transform-origin:calc(var(--md-tooltip-host-x) + var(--md-tooltip-x)) 0;transition:transform 0ms .25s,opacity .25s,z-index .25s;width:100%;z-index:0}.md-tooltip2:before{border-left:var(--md-tooltip-tail) solid #0000;border-right:var(--md-tooltip-tail) solid #0000;content:"";display:block;left:clamp(1.5 * .8rem,var(--md-tooltip-host-x) + var(--md-tooltip-x) - var(--md-tooltip-tail),100vw - 2 * var(--md-tooltip-tail) - 1.5 * .8rem);position:absolute;z-index:1}.md-tooltip2--top:before{border-top:var(--md-tooltip-tail) solid var(--md-default-bg-color);bottom:calc(var(--md-tooltip-tail)*-1 + .025rem);filter:drop-shadow(0 1px 0 hsla(0,0%,0%,.05))}.md-tooltip2--bottom:before{border-bottom:var(--md-tooltip-tail) solid var(--md-default-bg-color);filter:drop-shadow(0 -1px 0 hsla(0,0%,0%,.05));top:calc(var(--md-tooltip-tail)*-1 + .025rem)}.md-tooltip2--active{opacity:1;transform:translateY(0);transition:transform .4s cubic-bezier(0,1,.5,1),opacity .25s,z-index 0ms;z-index:2}.md-tooltip2__inner{scrollbar-gutter:stable;background-color:var(--md-default-bg-color);border-radius:.1rem;box-shadow:var(--md-shadow-z2);left:clamp(.8rem,var(--md-tooltip-host-x) - .8rem,100vw - var(--md-tooltip-width) - .8rem);max-height:40vh;max-width:calc(100vw - 1.6rem);position:relative;scrollbar-width:thin}.md-tooltip2__inner::-webkit-scrollbar{height:.2rem;width:.2rem}.md-tooltip2__inner::-webkit-scrollbar-thumb{background-color:var(--md-default-fg-color--lighter)}.md-tooltip2__inner::-webkit-scrollbar-thumb:hover{background-color:var(--md-accent-fg-color)}[role=tooltip]>.md-tooltip2__inner{font-size:.5rem;font-weight:700;left:clamp(.8rem,var(--md-tooltip-host-x) + var(--md-tooltip-x) - var(--md-tooltip-width)/2,100vw - var(--md-tooltip-width) - .8rem);max-width:min(100vw - 2 * .8rem,400px);padding:.2rem .4rem;-webkit-user-select:none;user-select:none;width:-moz-fit-content;width:fit-content}.md-tooltip2__inner.md-typeset>:first-child{margin-top:0}.md-tooltip2__inner.md-typeset>:last-child{margin-bottom:0}[dir=ltr] .md-top{margin-left:50%}[dir=rtl] .md-top{margin-right:50%}.md-top{background-color:var(--md-default-bg-color);border-radius:1.6rem;box-shadow:var(--md-shadow-z2);color:var(--md-default-fg-color--light);cursor:pointer;display:block;font-size:.7rem;outline:none;padding:.4rem .8rem;position:fixed;top:3.2rem;transform:translate(-50%);transition:color 125ms,background-color 125ms,transform 125ms cubic-bezier(.4,0,.2,1),opacity 125ms;z-index:2}@media print{.md-top{display:none}}[dir=rtl] .md-top{transform:translate(50%)}.md-top[hidden]{opacity:0;pointer-events:none;transform:translate(-50%,.2rem);transition-duration:0ms}[dir=rtl] .md-top[hidden]{transform:translate(50%,.2rem)}.md-top:focus,.md-top:hover{background-color:var(--md-accent-fg-color);color:var(--md-accent-bg-color)}.md-top svg{display:inline-block;vertical-align:-.5em}@keyframes hoverfix{0%{pointer-events:none}}:root{--md-version-icon:url('data:image/svg+xml;charset=utf-8,')}.md-version{flex-shrink:0;font-size:.8rem;height:2.4rem}[dir=ltr] .md-version__current{margin-left:1.4rem;margin-right:.4rem}[dir=rtl] .md-version__current{margin-left:.4rem;margin-right:1.4rem}.md-version__current{color:inherit;cursor:pointer;outline:none;position:relative;top:.05rem}[dir=ltr] .md-version__current:after{margin-left:.4rem}[dir=rtl] .md-version__current:after{margin-right:.4rem}.md-version__current:after{background-color:currentcolor;content:"";display:inline-block;height:.6rem;-webkit-mask-image:var(--md-version-icon);mask-image:var(--md-version-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;width:.4rem}.md-version__alias{margin-left:.3rem;opacity:.7}.md-version__list{background-color:var(--md-default-bg-color);border-radius:.1rem;box-shadow:var(--md-shadow-z2);color:var(--md-default-fg-color);list-style-type:none;margin:.2rem .8rem;max-height:0;opacity:0;overflow:auto;padding:0;position:absolute;scroll-snap-type:y mandatory;top:.15rem;transition:max-height 0ms .5s,opacity .25s .25s;z-index:3}.md-version:focus-within .md-version__list,.md-version:hover .md-version__list{max-height:10rem;opacity:1;transition:max-height 0ms,opacity .25s}@media (hover:none),(pointer:coarse){.md-version:hover .md-version__list{animation:hoverfix .25s forwards}.md-version:focus-within .md-version__list{animation:none}}.md-version__item{line-height:1.8rem}[dir=ltr] .md-version__link{padding-left:.6rem;padding-right:1.2rem}[dir=rtl] .md-version__link{padding-left:1.2rem;padding-right:.6rem}.md-version__link{cursor:pointer;display:block;outline:none;scroll-snap-align:start;transition:color .25s,background-color .25s;white-space:nowrap;width:100%}.md-version__link:focus,.md-version__link:hover{color:var(--md-accent-fg-color)}.md-version__link:focus{background-color:var(--md-default-fg-color--lightest)}:root{--md-admonition-icon--note:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--abstract:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--info:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--tip:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--success:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--question:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--warning:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--failure:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--danger:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--bug:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--example:url('data:image/svg+xml;charset=utf-8,');--md-admonition-icon--quote:url('data:image/svg+xml;charset=utf-8,')}.md-typeset .admonition,.md-typeset details{background-color:var(--md-admonition-bg-color);border:.075rem solid #448aff;border-radius:.2rem;box-shadow:var(--md-shadow-z1);color:var(--md-admonition-fg-color);display:flow-root;font-size:.64rem;margin:1.5625em 0;padding:0 .6rem;page-break-inside:avoid;transition:box-shadow 125ms}@media print{.md-typeset .admonition,.md-typeset details{box-shadow:none}}.md-typeset .admonition:focus-within,.md-typeset details:focus-within{box-shadow:0 0 0 .2rem #448aff1a}.md-typeset .admonition>*,.md-typeset details>*{box-sizing:border-box}.md-typeset .admonition .admonition,.md-typeset .admonition details,.md-typeset details .admonition,.md-typeset details details{margin-bottom:1em;margin-top:1em}.md-typeset .admonition .md-typeset__scrollwrap,.md-typeset details .md-typeset__scrollwrap{margin:1em -.6rem}.md-typeset .admonition .md-typeset__table,.md-typeset details .md-typeset__table{padding:0 .6rem}.md-typeset .admonition>.tabbed-set:only-child,.md-typeset details>.tabbed-set:only-child{margin-top:0}html .md-typeset .admonition>:last-child,html .md-typeset details>:last-child{margin-bottom:.6rem}[dir=ltr] .md-typeset .admonition-title,[dir=ltr] .md-typeset summary{padding-left:2rem;padding-right:.6rem}[dir=rtl] .md-typeset .admonition-title,[dir=rtl] .md-typeset summary{padding-left:.6rem;padding-right:2rem}[dir=ltr] .md-typeset .admonition-title,[dir=ltr] .md-typeset summary{border-left-width:.2rem}[dir=rtl] .md-typeset .admonition-title,[dir=rtl] .md-typeset summary{border-right-width:.2rem}[dir=ltr] .md-typeset .admonition-title,[dir=ltr] .md-typeset summary{border-top-left-radius:.1rem}[dir=ltr] .md-typeset .admonition-title,[dir=ltr] .md-typeset summary,[dir=rtl] .md-typeset .admonition-title,[dir=rtl] .md-typeset summary{border-top-right-radius:.1rem}[dir=rtl] .md-typeset .admonition-title,[dir=rtl] .md-typeset summary{border-top-left-radius:.1rem}.md-typeset .admonition-title,.md-typeset summary{background-color:#448aff1a;border:none;font-weight:700;margin:0 -.6rem;padding-bottom:.4rem;padding-top:.4rem;position:relative}html .md-typeset .admonition-title:last-child,html .md-typeset summary:last-child{margin-bottom:0}[dir=ltr] .md-typeset .admonition-title:before,[dir=ltr] .md-typeset summary:before{left:.6rem}[dir=rtl] .md-typeset .admonition-title:before,[dir=rtl] .md-typeset summary:before{right:.6rem}.md-typeset .admonition-title:before,.md-typeset summary:before{background-color:#448aff;content:"";height:1rem;-webkit-mask-image:var(--md-admonition-icon--note);mask-image:var(--md-admonition-icon--note);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;position:absolute;top:.625em;width:1rem}.md-typeset .admonition-title code,.md-typeset summary code{box-shadow:0 0 0 .05rem var(--md-default-fg-color--lightest)}.md-typeset .admonition.note,.md-typeset details.note{border-color:#448aff}.md-typeset .admonition.note:focus-within,.md-typeset details.note:focus-within{box-shadow:0 0 0 .2rem #448aff1a}.md-typeset .note>.admonition-title,.md-typeset .note>summary{background-color:#448aff1a}.md-typeset .note>.admonition-title:before,.md-typeset .note>summary:before{background-color:#448aff;-webkit-mask-image:var(--md-admonition-icon--note);mask-image:var(--md-admonition-icon--note)}.md-typeset .note>.admonition-title:after,.md-typeset .note>summary:after{color:#448aff}.md-typeset .admonition.abstract,.md-typeset details.abstract{border-color:#00b0ff}.md-typeset .admonition.abstract:focus-within,.md-typeset details.abstract:focus-within{box-shadow:0 0 0 .2rem #00b0ff1a}.md-typeset .abstract>.admonition-title,.md-typeset .abstract>summary{background-color:#00b0ff1a}.md-typeset .abstract>.admonition-title:before,.md-typeset .abstract>summary:before{background-color:#00b0ff;-webkit-mask-image:var(--md-admonition-icon--abstract);mask-image:var(--md-admonition-icon--abstract)}.md-typeset .abstract>.admonition-title:after,.md-typeset .abstract>summary:after{color:#00b0ff}.md-typeset .admonition.info,.md-typeset details.info{border-color:#00b8d4}.md-typeset .admonition.info:focus-within,.md-typeset details.info:focus-within{box-shadow:0 0 0 .2rem #00b8d41a}.md-typeset .info>.admonition-title,.md-typeset .info>summary{background-color:#00b8d41a}.md-typeset .info>.admonition-title:before,.md-typeset .info>summary:before{background-color:#00b8d4;-webkit-mask-image:var(--md-admonition-icon--info);mask-image:var(--md-admonition-icon--info)}.md-typeset .info>.admonition-title:after,.md-typeset .info>summary:after{color:#00b8d4}.md-typeset .admonition.tip,.md-typeset details.tip{border-color:#00bfa5}.md-typeset .admonition.tip:focus-within,.md-typeset details.tip:focus-within{box-shadow:0 0 0 .2rem #00bfa51a}.md-typeset .tip>.admonition-title,.md-typeset .tip>summary{background-color:#00bfa51a}.md-typeset .tip>.admonition-title:before,.md-typeset .tip>summary:before{background-color:#00bfa5;-webkit-mask-image:var(--md-admonition-icon--tip);mask-image:var(--md-admonition-icon--tip)}.md-typeset .tip>.admonition-title:after,.md-typeset .tip>summary:after{color:#00bfa5}.md-typeset .admonition.success,.md-typeset details.success{border-color:#00c853}.md-typeset .admonition.success:focus-within,.md-typeset details.success:focus-within{box-shadow:0 0 0 .2rem #00c8531a}.md-typeset .success>.admonition-title,.md-typeset .success>summary{background-color:#00c8531a}.md-typeset .success>.admonition-title:before,.md-typeset .success>summary:before{background-color:#00c853;-webkit-mask-image:var(--md-admonition-icon--success);mask-image:var(--md-admonition-icon--success)}.md-typeset .success>.admonition-title:after,.md-typeset .success>summary:after{color:#00c853}.md-typeset .admonition.question,.md-typeset details.question{border-color:#64dd17}.md-typeset .admonition.question:focus-within,.md-typeset details.question:focus-within{box-shadow:0 0 0 .2rem #64dd171a}.md-typeset .question>.admonition-title,.md-typeset .question>summary{background-color:#64dd171a}.md-typeset .question>.admonition-title:before,.md-typeset .question>summary:before{background-color:#64dd17;-webkit-mask-image:var(--md-admonition-icon--question);mask-image:var(--md-admonition-icon--question)}.md-typeset .question>.admonition-title:after,.md-typeset .question>summary:after{color:#64dd17}.md-typeset .admonition.warning,.md-typeset details.warning{border-color:#ff9100}.md-typeset .admonition.warning:focus-within,.md-typeset details.warning:focus-within{box-shadow:0 0 0 .2rem #ff91001a}.md-typeset .warning>.admonition-title,.md-typeset .warning>summary{background-color:#ff91001a}.md-typeset .warning>.admonition-title:before,.md-typeset .warning>summary:before{background-color:#ff9100;-webkit-mask-image:var(--md-admonition-icon--warning);mask-image:var(--md-admonition-icon--warning)}.md-typeset .warning>.admonition-title:after,.md-typeset .warning>summary:after{color:#ff9100}.md-typeset .admonition.failure,.md-typeset details.failure{border-color:#ff5252}.md-typeset .admonition.failure:focus-within,.md-typeset details.failure:focus-within{box-shadow:0 0 0 .2rem #ff52521a}.md-typeset .failure>.admonition-title,.md-typeset .failure>summary{background-color:#ff52521a}.md-typeset .failure>.admonition-title:before,.md-typeset .failure>summary:before{background-color:#ff5252;-webkit-mask-image:var(--md-admonition-icon--failure);mask-image:var(--md-admonition-icon--failure)}.md-typeset .failure>.admonition-title:after,.md-typeset .failure>summary:after{color:#ff5252}.md-typeset .admonition.danger,.md-typeset details.danger{border-color:#ff1744}.md-typeset .admonition.danger:focus-within,.md-typeset details.danger:focus-within{box-shadow:0 0 0 .2rem #ff17441a}.md-typeset .danger>.admonition-title,.md-typeset .danger>summary{background-color:#ff17441a}.md-typeset .danger>.admonition-title:before,.md-typeset .danger>summary:before{background-color:#ff1744;-webkit-mask-image:var(--md-admonition-icon--danger);mask-image:var(--md-admonition-icon--danger)}.md-typeset .danger>.admonition-title:after,.md-typeset .danger>summary:after{color:#ff1744}.md-typeset .admonition.bug,.md-typeset details.bug{border-color:#f50057}.md-typeset .admonition.bug:focus-within,.md-typeset details.bug:focus-within{box-shadow:0 0 0 .2rem #f500571a}.md-typeset .bug>.admonition-title,.md-typeset .bug>summary{background-color:#f500571a}.md-typeset .bug>.admonition-title:before,.md-typeset .bug>summary:before{background-color:#f50057;-webkit-mask-image:var(--md-admonition-icon--bug);mask-image:var(--md-admonition-icon--bug)}.md-typeset .bug>.admonition-title:after,.md-typeset .bug>summary:after{color:#f50057}.md-typeset .admonition.example,.md-typeset details.example{border-color:#7c4dff}.md-typeset .admonition.example:focus-within,.md-typeset details.example:focus-within{box-shadow:0 0 0 .2rem #7c4dff1a}.md-typeset .example>.admonition-title,.md-typeset .example>summary{background-color:#7c4dff1a}.md-typeset .example>.admonition-title:before,.md-typeset .example>summary:before{background-color:#7c4dff;-webkit-mask-image:var(--md-admonition-icon--example);mask-image:var(--md-admonition-icon--example)}.md-typeset .example>.admonition-title:after,.md-typeset .example>summary:after{color:#7c4dff}.md-typeset .admonition.quote,.md-typeset details.quote{border-color:#9e9e9e}.md-typeset .admonition.quote:focus-within,.md-typeset details.quote:focus-within{box-shadow:0 0 0 .2rem #9e9e9e1a}.md-typeset .quote>.admonition-title,.md-typeset .quote>summary{background-color:#9e9e9e1a}.md-typeset .quote>.admonition-title:before,.md-typeset .quote>summary:before{background-color:#9e9e9e;-webkit-mask-image:var(--md-admonition-icon--quote);mask-image:var(--md-admonition-icon--quote)}.md-typeset .quote>.admonition-title:after,.md-typeset .quote>summary:after{color:#9e9e9e}:root{--md-footnotes-icon:url('data:image/svg+xml;charset=utf-8,')}.md-typeset .footnote{color:var(--md-default-fg-color--light);font-size:.64rem}[dir=ltr] .md-typeset .footnote>ol{margin-left:0}[dir=rtl] .md-typeset .footnote>ol{margin-right:0}.md-typeset .footnote>ol>li{transition:color 125ms}.md-typeset .footnote>ol>li:target{color:var(--md-default-fg-color)}.md-typeset .footnote>ol>li:focus-within .footnote-backref{opacity:1;transform:translateX(0);transition:none}.md-typeset .footnote>ol>li:hover .footnote-backref,.md-typeset .footnote>ol>li:target .footnote-backref{opacity:1;transform:translateX(0)}.md-typeset .footnote>ol>li>:first-child{margin-top:0}.md-typeset .footnote-ref{font-size:.75em;font-weight:700}html .md-typeset .footnote-ref{outline-offset:.1rem}.md-typeset [id^="fnref:"]:target>.footnote-ref{outline:auto}.md-typeset .footnote-backref{color:var(--md-typeset-a-color);display:inline-block;font-size:0;opacity:0;transform:translateX(.25rem);transition:color .25s,transform .25s .25s,opacity 125ms .25s;vertical-align:text-bottom}@media print{.md-typeset .footnote-backref{color:var(--md-typeset-a-color);opacity:1;transform:translateX(0)}}[dir=rtl] .md-typeset .footnote-backref{transform:translateX(-.25rem)}.md-typeset .footnote-backref:hover{color:var(--md-accent-fg-color)}.md-typeset .footnote-backref:before{background-color:currentcolor;content:"";display:inline-block;height:.8rem;-webkit-mask-image:var(--md-footnotes-icon);mask-image:var(--md-footnotes-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;width:.8rem}[dir=rtl] .md-typeset .footnote-backref:before svg{transform:scaleX(-1)}[dir=ltr] .md-typeset .headerlink{margin-left:.5rem}[dir=rtl] .md-typeset .headerlink{margin-right:.5rem}.md-typeset .headerlink{color:var(--md-default-fg-color--lighter);display:inline-block;opacity:0;transition:color .25s,opacity 125ms}@media print{.md-typeset .headerlink{display:none}}.md-typeset .headerlink:focus,.md-typeset :hover>.headerlink,.md-typeset :target>.headerlink{opacity:1;transition:color .25s,opacity 125ms}.md-typeset .headerlink:focus,.md-typeset .headerlink:hover,.md-typeset :target>.headerlink{color:var(--md-accent-fg-color)}.md-typeset :target{--md-scroll-margin:3.6rem;--md-scroll-offset:0rem;scroll-margin-top:calc(var(--md-scroll-margin) - var(--md-scroll-offset))}@media screen and (min-width:76.25em){.md-header--lifted~.md-container .md-typeset :target{--md-scroll-margin:6rem}}.md-typeset h1:target,.md-typeset h2:target,.md-typeset h3:target{--md-scroll-offset:0.2rem}.md-typeset h4:target{--md-scroll-offset:0.15rem}.md-typeset div.arithmatex{overflow:auto}@media screen and (max-width:44.984375em){.md-typeset div.arithmatex{margin:0 -.8rem}.md-typeset div.arithmatex>*{width:min-content}}.md-typeset div.arithmatex>*{margin-left:auto!important;margin-right:auto!important;padding:0 .8rem;touch-action:auto}.md-typeset div.arithmatex>* mjx-container{margin:0!important}.md-typeset div.arithmatex mjx-assistive-mml{height:0}.md-typeset del.critic{background-color:var(--md-typeset-del-color)}.md-typeset del.critic,.md-typeset ins.critic{-webkit-box-decoration-break:clone;box-decoration-break:clone}.md-typeset ins.critic{background-color:var(--md-typeset-ins-color)}.md-typeset .critic.comment{-webkit-box-decoration-break:clone;box-decoration-break:clone;color:var(--md-code-hl-comment-color)}.md-typeset .critic.comment:before{content:"/* "}.md-typeset .critic.comment:after{content:" */"}.md-typeset .critic.block{box-shadow:none;display:block;margin:1em 0;overflow:auto;padding-left:.8rem;padding-right:.8rem}.md-typeset .critic.block>:first-child{margin-top:.5em}.md-typeset .critic.block>:last-child{margin-bottom:.5em}:root{--md-details-icon:url('data:image/svg+xml;charset=utf-8,')}.md-typeset details{display:flow-root;overflow:visible;padding-top:0}.md-typeset details[open]>summary:after{transform:rotate(90deg)}.md-typeset details:not([open]){box-shadow:none;padding-bottom:0}.md-typeset details:not([open])>summary{border-radius:.1rem}[dir=ltr] .md-typeset summary{padding-right:1.8rem}[dir=rtl] .md-typeset summary{padding-left:1.8rem}[dir=ltr] .md-typeset summary{border-top-left-radius:.1rem}[dir=ltr] .md-typeset summary,[dir=rtl] .md-typeset summary{border-top-right-radius:.1rem}[dir=rtl] .md-typeset summary{border-top-left-radius:.1rem}.md-typeset summary{cursor:pointer;display:block;min-height:1rem;overflow:hidden}.md-typeset summary.focus-visible{outline-color:var(--md-accent-fg-color);outline-offset:.2rem}.md-typeset summary:not(.focus-visible){-webkit-tap-highlight-color:transparent;outline:none}[dir=ltr] .md-typeset summary:after{right:.4rem}[dir=rtl] .md-typeset summary:after{left:.4rem}.md-typeset summary:after{background-color:currentcolor;content:"";height:1rem;-webkit-mask-image:var(--md-details-icon);mask-image:var(--md-details-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;position:absolute;top:.625em;transform:rotate(0deg);transition:transform .25s;width:1rem}[dir=rtl] .md-typeset summary:after{transform:rotate(180deg)}.md-typeset summary::marker{display:none}.md-typeset summary::-webkit-details-marker{display:none}.md-typeset .emojione,.md-typeset .gemoji,.md-typeset .twemoji{--md-icon-size:1.125em;display:inline-flex;height:var(--md-icon-size);vertical-align:text-top}.md-typeset .emojione svg,.md-typeset .gemoji svg,.md-typeset .twemoji svg{fill:currentcolor;max-height:100%;width:var(--md-icon-size)}.md-typeset .lg,.md-typeset .xl,.md-typeset .xxl,.md-typeset .xxxl{vertical-align:text-bottom}.md-typeset .middle{vertical-align:middle}.md-typeset .lg{--md-icon-size:1.5em}.md-typeset .xl{--md-icon-size:2.25em}.md-typeset .xxl{--md-icon-size:3em}.md-typeset .xxxl{--md-icon-size:4em}.highlight .o,.highlight .ow{color:var(--md-code-hl-operator-color)}.highlight .p{color:var(--md-code-hl-punctuation-color)}.highlight .cpf,.highlight .l,.highlight .s,.highlight .s1,.highlight .s2,.highlight .sb,.highlight .sc,.highlight .si,.highlight .ss{color:var(--md-code-hl-string-color)}.highlight .cp,.highlight .se,.highlight .sh,.highlight .sr,.highlight .sx{color:var(--md-code-hl-special-color)}.highlight .il,.highlight .m,.highlight .mb,.highlight .mf,.highlight .mh,.highlight .mi,.highlight .mo{color:var(--md-code-hl-number-color)}.highlight .k,.highlight .kd,.highlight .kn,.highlight .kp,.highlight .kr,.highlight .kt{color:var(--md-code-hl-keyword-color)}.highlight .kc,.highlight .n{color:var(--md-code-hl-name-color)}.highlight .bp,.highlight .nb,.highlight .no{color:var(--md-code-hl-constant-color)}.highlight .nc,.highlight .ne,.highlight .nf,.highlight .nn{color:var(--md-code-hl-function-color)}.highlight .nd,.highlight .ni,.highlight .nl,.highlight .nt{color:var(--md-code-hl-keyword-color)}.highlight .c,.highlight .c1,.highlight .ch,.highlight .cm,.highlight .cs,.highlight .sd{color:var(--md-code-hl-comment-color)}.highlight .na,.highlight .nv,.highlight .vc,.highlight .vg,.highlight .vi{color:var(--md-code-hl-variable-color)}.highlight .ge,.highlight .gh,.highlight .go,.highlight .gp,.highlight .gr,.highlight .gs,.highlight .gt,.highlight .gu{color:var(--md-code-hl-generic-color)}.highlight .gd,.highlight .gi{border-radius:.1rem;margin:0 -.125em;padding:0 .125em}.highlight .gd{background-color:var(--md-typeset-del-color)}.highlight .gi{background-color:var(--md-typeset-ins-color)}.highlight .hll{background-color:var(--md-code-hl-color--light);box-shadow:2px 0 0 0 var(--md-code-hl-color) inset;display:block;margin:0 -1.1764705882em;padding:0 1.1764705882em}.highlight span.filename{background-color:var(--md-code-bg-color);border-bottom:.05rem solid var(--md-default-fg-color--lightest);border-top-left-radius:.1rem;border-top-right-radius:.1rem;display:flow-root;font-size:.85em;font-weight:700;margin-top:1em;padding:.6617647059em 1.1764705882em;position:relative}.highlight span.filename+pre{margin-top:0}.highlight span.filename+pre>code{border-top-left-radius:0;border-top-right-radius:0}.highlight [data-linenos]:before{background-color:var(--md-code-bg-color);box-shadow:-.05rem 0 var(--md-default-fg-color--lightest) inset;color:var(--md-default-fg-color--light);content:attr(data-linenos);float:left;left:-1.1764705882em;margin-left:-1.1764705882em;margin-right:1.1764705882em;padding-left:1.1764705882em;position:sticky;-webkit-user-select:none;user-select:none;z-index:3}.highlight code a[id]{position:absolute;visibility:hidden}.highlight code[data-md-copying]{display:initial}.highlight code[data-md-copying] .hll{display:contents}.highlight code[data-md-copying] .md-annotation{display:none}.highlighttable{display:flow-root}.highlighttable tbody,.highlighttable td{display:block;padding:0}.highlighttable tr{display:flex}.highlighttable pre{margin:0}.highlighttable th.filename{flex-grow:1;padding:0;text-align:left}.highlighttable th.filename span.filename{margin-top:0}.highlighttable .linenos{background-color:var(--md-code-bg-color);border-bottom-left-radius:.1rem;border-top-left-radius:.1rem;font-size:.85em;padding:.7720588235em 0 .7720588235em 1.1764705882em;-webkit-user-select:none;user-select:none}.highlighttable .linenodiv{box-shadow:-.05rem 0 var(--md-default-fg-color--lightest) inset;padding-right:.5882352941em}.highlighttable .linenodiv pre{color:var(--md-default-fg-color--light);text-align:right}.highlighttable .code{flex:1;min-width:0}.linenodiv a{color:inherit}.md-typeset .highlighttable{direction:ltr;margin:1em 0}.md-typeset .highlighttable>tbody>tr>.code>div>pre>code{border-bottom-left-radius:0;border-top-left-radius:0}.md-typeset .highlight+.result{border:.05rem solid var(--md-code-bg-color);border-bottom-left-radius:.1rem;border-bottom-right-radius:.1rem;border-top-width:.1rem;margin-top:-1.125em;overflow:visible;padding:0 1em}.md-typeset .highlight+.result:after{clear:both;content:"";display:block}@media screen and (max-width:44.984375em){.md-content__inner>.highlight{margin:1em -.8rem}.md-content__inner>.highlight>.filename,.md-content__inner>.highlight>.highlighttable>tbody>tr>.code>div>pre>code,.md-content__inner>.highlight>.highlighttable>tbody>tr>.filename span.filename,.md-content__inner>.highlight>.highlighttable>tbody>tr>.linenos,.md-content__inner>.highlight>pre>code{border-radius:0}.md-content__inner>.highlight+.result{border-left-width:0;border-radius:0;border-right-width:0;margin-left:-.8rem;margin-right:-.8rem}}.md-typeset .keys kbd:after,.md-typeset .keys kbd:before{-moz-osx-font-smoothing:initial;-webkit-font-smoothing:initial;color:inherit;margin:0;position:relative}.md-typeset .keys span{color:var(--md-default-fg-color--light);padding:0 .2em}.md-typeset .keys .key-alt:before,.md-typeset .keys .key-left-alt:before,.md-typeset .keys .key-right-alt:before{content:"⎇";padding-right:.4em}.md-typeset .keys .key-command:before,.md-typeset .keys .key-left-command:before,.md-typeset .keys .key-right-command:before{content:"⌘";padding-right:.4em}.md-typeset .keys .key-control:before,.md-typeset .keys .key-left-control:before,.md-typeset .keys .key-right-control:before{content:"⌃";padding-right:.4em}.md-typeset .keys .key-left-meta:before,.md-typeset .keys .key-meta:before,.md-typeset .keys .key-right-meta:before{content:"◆";padding-right:.4em}.md-typeset .keys .key-left-option:before,.md-typeset .keys .key-option:before,.md-typeset .keys .key-right-option:before{content:"⌥";padding-right:.4em}.md-typeset .keys .key-left-shift:before,.md-typeset .keys .key-right-shift:before,.md-typeset .keys .key-shift:before{content:"⇧";padding-right:.4em}.md-typeset .keys .key-left-super:before,.md-typeset .keys .key-right-super:before,.md-typeset .keys .key-super:before{content:"❖";padding-right:.4em}.md-typeset .keys .key-left-windows:before,.md-typeset .keys .key-right-windows:before,.md-typeset .keys .key-windows:before{content:"⊞";padding-right:.4em}.md-typeset .keys .key-arrow-down:before{content:"↓";padding-right:.4em}.md-typeset .keys .key-arrow-left:before{content:"←";padding-right:.4em}.md-typeset .keys .key-arrow-right:before{content:"→";padding-right:.4em}.md-typeset .keys .key-arrow-up:before{content:"↑";padding-right:.4em}.md-typeset .keys .key-backspace:before{content:"⌫";padding-right:.4em}.md-typeset .keys .key-backtab:before{content:"⇤";padding-right:.4em}.md-typeset .keys .key-caps-lock:before{content:"⇪";padding-right:.4em}.md-typeset .keys .key-clear:before{content:"⌧";padding-right:.4em}.md-typeset .keys .key-context-menu:before{content:"☰";padding-right:.4em}.md-typeset .keys .key-delete:before{content:"⌦";padding-right:.4em}.md-typeset .keys .key-eject:before{content:"⏏";padding-right:.4em}.md-typeset .keys .key-end:before{content:"⤓";padding-right:.4em}.md-typeset .keys .key-escape:before{content:"⎋";padding-right:.4em}.md-typeset .keys .key-home:before{content:"⤒";padding-right:.4em}.md-typeset .keys .key-insert:before{content:"⎀";padding-right:.4em}.md-typeset .keys .key-page-down:before{content:"⇟";padding-right:.4em}.md-typeset .keys .key-page-up:before{content:"⇞";padding-right:.4em}.md-typeset .keys .key-print-screen:before{content:"⎙";padding-right:.4em}.md-typeset .keys .key-tab:after{content:"⇥";padding-left:.4em}.md-typeset .keys .key-num-enter:after{content:"⌤";padding-left:.4em}.md-typeset .keys .key-enter:after{content:"⏎";padding-left:.4em}:root{--md-tabbed-icon--prev:url('data:image/svg+xml;charset=utf-8,');--md-tabbed-icon--next:url('data:image/svg+xml;charset=utf-8,')}.md-typeset .tabbed-set{border-radius:.1rem;display:flex;flex-flow:column wrap;margin:1em 0;position:relative}.md-typeset .tabbed-set>input{height:0;opacity:0;position:absolute;width:0}.md-typeset .tabbed-set>input:target{--md-scroll-offset:0.625em}.md-typeset .tabbed-set>input.focus-visible~.tabbed-labels:before{background-color:var(--md-accent-fg-color)}.md-typeset .tabbed-labels{-ms-overflow-style:none;box-shadow:0 -.05rem var(--md-default-fg-color--lightest) inset;display:flex;max-width:100%;overflow:auto;scrollbar-width:none}@media print{.md-typeset .tabbed-labels{display:contents}}@media screen{.js .md-typeset .tabbed-labels{position:relative}.js .md-typeset .tabbed-labels:before{background:var(--md-default-fg-color);bottom:0;content:"";display:block;height:2px;left:0;position:absolute;transform:translateX(var(--md-indicator-x));transition:width 225ms,background-color .25s,transform .25s;transition-timing-function:cubic-bezier(.4,0,.2,1);width:var(--md-indicator-width)}}.md-typeset .tabbed-labels::-webkit-scrollbar{display:none}.md-typeset .tabbed-labels>label{border-bottom:.1rem solid #0000;border-radius:.1rem .1rem 0 0;color:var(--md-default-fg-color--light);cursor:pointer;flex-shrink:0;font-size:.64rem;font-weight:700;padding:.78125em 1.25em .625em;scroll-margin-inline-start:1rem;transition:background-color .25s,color .25s;white-space:nowrap;width:auto}@media print{.md-typeset .tabbed-labels>label:first-child{order:1}.md-typeset .tabbed-labels>label:nth-child(2){order:2}.md-typeset .tabbed-labels>label:nth-child(3){order:3}.md-typeset .tabbed-labels>label:nth-child(4){order:4}.md-typeset .tabbed-labels>label:nth-child(5){order:5}.md-typeset .tabbed-labels>label:nth-child(6){order:6}.md-typeset .tabbed-labels>label:nth-child(7){order:7}.md-typeset .tabbed-labels>label:nth-child(8){order:8}.md-typeset .tabbed-labels>label:nth-child(9){order:9}.md-typeset .tabbed-labels>label:nth-child(10){order:10}.md-typeset .tabbed-labels>label:nth-child(11){order:11}.md-typeset .tabbed-labels>label:nth-child(12){order:12}.md-typeset .tabbed-labels>label:nth-child(13){order:13}.md-typeset .tabbed-labels>label:nth-child(14){order:14}.md-typeset .tabbed-labels>label:nth-child(15){order:15}.md-typeset .tabbed-labels>label:nth-child(16){order:16}.md-typeset .tabbed-labels>label:nth-child(17){order:17}.md-typeset .tabbed-labels>label:nth-child(18){order:18}.md-typeset .tabbed-labels>label:nth-child(19){order:19}.md-typeset .tabbed-labels>label:nth-child(20){order:20}}.md-typeset .tabbed-labels>label:hover{color:var(--md-default-fg-color)}.md-typeset .tabbed-labels>label>[href]:first-child{color:inherit}.md-typeset .tabbed-labels--linked>label{padding:0}.md-typeset .tabbed-labels--linked>label>a{display:block;padding:.78125em 1.25em .625em}.md-typeset .tabbed-content{width:100%}@media print{.md-typeset .tabbed-content{display:contents}}.md-typeset .tabbed-block{display:none}@media print{.md-typeset .tabbed-block{display:block}.md-typeset .tabbed-block:first-child{order:1}.md-typeset .tabbed-block:nth-child(2){order:2}.md-typeset .tabbed-block:nth-child(3){order:3}.md-typeset .tabbed-block:nth-child(4){order:4}.md-typeset .tabbed-block:nth-child(5){order:5}.md-typeset .tabbed-block:nth-child(6){order:6}.md-typeset .tabbed-block:nth-child(7){order:7}.md-typeset .tabbed-block:nth-child(8){order:8}.md-typeset .tabbed-block:nth-child(9){order:9}.md-typeset .tabbed-block:nth-child(10){order:10}.md-typeset .tabbed-block:nth-child(11){order:11}.md-typeset .tabbed-block:nth-child(12){order:12}.md-typeset .tabbed-block:nth-child(13){order:13}.md-typeset .tabbed-block:nth-child(14){order:14}.md-typeset .tabbed-block:nth-child(15){order:15}.md-typeset .tabbed-block:nth-child(16){order:16}.md-typeset .tabbed-block:nth-child(17){order:17}.md-typeset .tabbed-block:nth-child(18){order:18}.md-typeset .tabbed-block:nth-child(19){order:19}.md-typeset .tabbed-block:nth-child(20){order:20}}.md-typeset .tabbed-block>.highlight:first-child>pre,.md-typeset .tabbed-block>pre:first-child{margin:0}.md-typeset .tabbed-block>.highlight:first-child>pre>code,.md-typeset .tabbed-block>pre:first-child>code{border-top-left-radius:0;border-top-right-radius:0}.md-typeset .tabbed-block>.highlight:first-child>.filename{border-top-left-radius:0;border-top-right-radius:0;margin:0}.md-typeset .tabbed-block>.highlight:first-child>.highlighttable{margin:0}.md-typeset .tabbed-block>.highlight:first-child>.highlighttable>tbody>tr>.filename span.filename,.md-typeset .tabbed-block>.highlight:first-child>.highlighttable>tbody>tr>.linenos{border-top-left-radius:0;border-top-right-radius:0;margin:0}.md-typeset .tabbed-block>.highlight:first-child>.highlighttable>tbody>tr>.code>div>pre>code{border-top-left-radius:0;border-top-right-radius:0}.md-typeset .tabbed-block>.highlight:first-child+.result{margin-top:-.125em}.md-typeset .tabbed-block>.tabbed-set{margin:0}.md-typeset .tabbed-button{align-self:center;border-radius:100%;color:var(--md-default-fg-color--light);cursor:pointer;display:block;height:.9rem;margin-top:.1rem;pointer-events:auto;transition:background-color .25s;width:.9rem}.md-typeset .tabbed-button:hover{background-color:var(--md-accent-fg-color--transparent);color:var(--md-accent-fg-color)}.md-typeset .tabbed-button:after{background-color:currentcolor;content:"";display:block;height:100%;-webkit-mask-image:var(--md-tabbed-icon--prev);mask-image:var(--md-tabbed-icon--prev);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;transition:background-color .25s,transform .25s;width:100%}.md-typeset .tabbed-control{background:linear-gradient(to right,var(--md-default-bg-color) 60%,#0000);display:flex;height:1.9rem;justify-content:start;pointer-events:none;position:absolute;transition:opacity 125ms;width:1.2rem}[dir=rtl] .md-typeset .tabbed-control{transform:rotate(180deg)}.md-typeset .tabbed-control[hidden]{opacity:0}.md-typeset .tabbed-control--next{background:linear-gradient(to left,var(--md-default-bg-color) 60%,#0000);justify-content:end;right:0}.md-typeset .tabbed-control--next .tabbed-button:after{-webkit-mask-image:var(--md-tabbed-icon--next);mask-image:var(--md-tabbed-icon--next)}@media screen and (max-width:44.984375em){[dir=ltr] .md-content__inner>.tabbed-set .tabbed-labels{padding-left:.8rem}[dir=rtl] .md-content__inner>.tabbed-set .tabbed-labels{padding-right:.8rem}.md-content__inner>.tabbed-set .tabbed-labels{margin:0 -.8rem;max-width:100vw;scroll-padding-inline-start:.8rem}[dir=ltr] .md-content__inner>.tabbed-set .tabbed-labels:after{padding-right:.8rem}[dir=rtl] .md-content__inner>.tabbed-set .tabbed-labels:after{padding-left:.8rem}.md-content__inner>.tabbed-set .tabbed-labels:after{content:""}[dir=ltr] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--prev{padding-left:.8rem}[dir=rtl] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--prev{padding-right:.8rem}[dir=ltr] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--prev{margin-left:-.8rem}[dir=rtl] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--prev{margin-right:-.8rem}.md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--prev{width:2rem}[dir=ltr] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--next{padding-right:.8rem}[dir=rtl] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--next{padding-left:.8rem}[dir=ltr] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--next{margin-right:-.8rem}[dir=rtl] .md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--next{margin-left:-.8rem}.md-content__inner>.tabbed-set .tabbed-labels~.tabbed-control--next{width:2rem}}@media screen{.md-typeset .tabbed-set>input:first-child:checked~.tabbed-labels>:first-child,.md-typeset .tabbed-set>input:nth-child(10):checked~.tabbed-labels>:nth-child(10),.md-typeset .tabbed-set>input:nth-child(11):checked~.tabbed-labels>:nth-child(11),.md-typeset .tabbed-set>input:nth-child(12):checked~.tabbed-labels>:nth-child(12),.md-typeset .tabbed-set>input:nth-child(13):checked~.tabbed-labels>:nth-child(13),.md-typeset .tabbed-set>input:nth-child(14):checked~.tabbed-labels>:nth-child(14),.md-typeset .tabbed-set>input:nth-child(15):checked~.tabbed-labels>:nth-child(15),.md-typeset .tabbed-set>input:nth-child(16):checked~.tabbed-labels>:nth-child(16),.md-typeset .tabbed-set>input:nth-child(17):checked~.tabbed-labels>:nth-child(17),.md-typeset .tabbed-set>input:nth-child(18):checked~.tabbed-labels>:nth-child(18),.md-typeset .tabbed-set>input:nth-child(19):checked~.tabbed-labels>:nth-child(19),.md-typeset .tabbed-set>input:nth-child(2):checked~.tabbed-labels>:nth-child(2),.md-typeset .tabbed-set>input:nth-child(20):checked~.tabbed-labels>:nth-child(20),.md-typeset .tabbed-set>input:nth-child(3):checked~.tabbed-labels>:nth-child(3),.md-typeset .tabbed-set>input:nth-child(4):checked~.tabbed-labels>:nth-child(4),.md-typeset .tabbed-set>input:nth-child(5):checked~.tabbed-labels>:nth-child(5),.md-typeset .tabbed-set>input:nth-child(6):checked~.tabbed-labels>:nth-child(6),.md-typeset .tabbed-set>input:nth-child(7):checked~.tabbed-labels>:nth-child(7),.md-typeset .tabbed-set>input:nth-child(8):checked~.tabbed-labels>:nth-child(8),.md-typeset .tabbed-set>input:nth-child(9):checked~.tabbed-labels>:nth-child(9){color:var(--md-default-fg-color)}.md-typeset .no-js .tabbed-set>input:first-child:checked~.tabbed-labels>:first-child,.md-typeset .no-js .tabbed-set>input:nth-child(10):checked~.tabbed-labels>:nth-child(10),.md-typeset .no-js .tabbed-set>input:nth-child(11):checked~.tabbed-labels>:nth-child(11),.md-typeset .no-js .tabbed-set>input:nth-child(12):checked~.tabbed-labels>:nth-child(12),.md-typeset .no-js .tabbed-set>input:nth-child(13):checked~.tabbed-labels>:nth-child(13),.md-typeset .no-js .tabbed-set>input:nth-child(14):checked~.tabbed-labels>:nth-child(14),.md-typeset .no-js .tabbed-set>input:nth-child(15):checked~.tabbed-labels>:nth-child(15),.md-typeset .no-js .tabbed-set>input:nth-child(16):checked~.tabbed-labels>:nth-child(16),.md-typeset .no-js .tabbed-set>input:nth-child(17):checked~.tabbed-labels>:nth-child(17),.md-typeset .no-js .tabbed-set>input:nth-child(18):checked~.tabbed-labels>:nth-child(18),.md-typeset .no-js .tabbed-set>input:nth-child(19):checked~.tabbed-labels>:nth-child(19),.md-typeset .no-js .tabbed-set>input:nth-child(2):checked~.tabbed-labels>:nth-child(2),.md-typeset .no-js .tabbed-set>input:nth-child(20):checked~.tabbed-labels>:nth-child(20),.md-typeset .no-js .tabbed-set>input:nth-child(3):checked~.tabbed-labels>:nth-child(3),.md-typeset .no-js .tabbed-set>input:nth-child(4):checked~.tabbed-labels>:nth-child(4),.md-typeset .no-js .tabbed-set>input:nth-child(5):checked~.tabbed-labels>:nth-child(5),.md-typeset .no-js .tabbed-set>input:nth-child(6):checked~.tabbed-labels>:nth-child(6),.md-typeset .no-js .tabbed-set>input:nth-child(7):checked~.tabbed-labels>:nth-child(7),.md-typeset .no-js .tabbed-set>input:nth-child(8):checked~.tabbed-labels>:nth-child(8),.md-typeset .no-js .tabbed-set>input:nth-child(9):checked~.tabbed-labels>:nth-child(9),.no-js .md-typeset .tabbed-set>input:first-child:checked~.tabbed-labels>:first-child,.no-js .md-typeset .tabbed-set>input:nth-child(10):checked~.tabbed-labels>:nth-child(10),.no-js .md-typeset .tabbed-set>input:nth-child(11):checked~.tabbed-labels>:nth-child(11),.no-js .md-typeset .tabbed-set>input:nth-child(12):checked~.tabbed-labels>:nth-child(12),.no-js .md-typeset .tabbed-set>input:nth-child(13):checked~.tabbed-labels>:nth-child(13),.no-js .md-typeset .tabbed-set>input:nth-child(14):checked~.tabbed-labels>:nth-child(14),.no-js .md-typeset .tabbed-set>input:nth-child(15):checked~.tabbed-labels>:nth-child(15),.no-js .md-typeset .tabbed-set>input:nth-child(16):checked~.tabbed-labels>:nth-child(16),.no-js .md-typeset .tabbed-set>input:nth-child(17):checked~.tabbed-labels>:nth-child(17),.no-js .md-typeset .tabbed-set>input:nth-child(18):checked~.tabbed-labels>:nth-child(18),.no-js .md-typeset .tabbed-set>input:nth-child(19):checked~.tabbed-labels>:nth-child(19),.no-js .md-typeset .tabbed-set>input:nth-child(2):checked~.tabbed-labels>:nth-child(2),.no-js .md-typeset .tabbed-set>input:nth-child(20):checked~.tabbed-labels>:nth-child(20),.no-js .md-typeset .tabbed-set>input:nth-child(3):checked~.tabbed-labels>:nth-child(3),.no-js .md-typeset .tabbed-set>input:nth-child(4):checked~.tabbed-labels>:nth-child(4),.no-js .md-typeset .tabbed-set>input:nth-child(5):checked~.tabbed-labels>:nth-child(5),.no-js .md-typeset .tabbed-set>input:nth-child(6):checked~.tabbed-labels>:nth-child(6),.no-js .md-typeset .tabbed-set>input:nth-child(7):checked~.tabbed-labels>:nth-child(7),.no-js .md-typeset .tabbed-set>input:nth-child(8):checked~.tabbed-labels>:nth-child(8),.no-js .md-typeset .tabbed-set>input:nth-child(9):checked~.tabbed-labels>:nth-child(9){border-color:var(--md-default-fg-color)}}.md-typeset .tabbed-set>input:first-child.focus-visible~.tabbed-labels>:first-child,.md-typeset .tabbed-set>input:nth-child(10).focus-visible~.tabbed-labels>:nth-child(10),.md-typeset .tabbed-set>input:nth-child(11).focus-visible~.tabbed-labels>:nth-child(11),.md-typeset .tabbed-set>input:nth-child(12).focus-visible~.tabbed-labels>:nth-child(12),.md-typeset .tabbed-set>input:nth-child(13).focus-visible~.tabbed-labels>:nth-child(13),.md-typeset .tabbed-set>input:nth-child(14).focus-visible~.tabbed-labels>:nth-child(14),.md-typeset .tabbed-set>input:nth-child(15).focus-visible~.tabbed-labels>:nth-child(15),.md-typeset .tabbed-set>input:nth-child(16).focus-visible~.tabbed-labels>:nth-child(16),.md-typeset .tabbed-set>input:nth-child(17).focus-visible~.tabbed-labels>:nth-child(17),.md-typeset .tabbed-set>input:nth-child(18).focus-visible~.tabbed-labels>:nth-child(18),.md-typeset .tabbed-set>input:nth-child(19).focus-visible~.tabbed-labels>:nth-child(19),.md-typeset .tabbed-set>input:nth-child(2).focus-visible~.tabbed-labels>:nth-child(2),.md-typeset .tabbed-set>input:nth-child(20).focus-visible~.tabbed-labels>:nth-child(20),.md-typeset .tabbed-set>input:nth-child(3).focus-visible~.tabbed-labels>:nth-child(3),.md-typeset .tabbed-set>input:nth-child(4).focus-visible~.tabbed-labels>:nth-child(4),.md-typeset .tabbed-set>input:nth-child(5).focus-visible~.tabbed-labels>:nth-child(5),.md-typeset .tabbed-set>input:nth-child(6).focus-visible~.tabbed-labels>:nth-child(6),.md-typeset .tabbed-set>input:nth-child(7).focus-visible~.tabbed-labels>:nth-child(7),.md-typeset .tabbed-set>input:nth-child(8).focus-visible~.tabbed-labels>:nth-child(8),.md-typeset .tabbed-set>input:nth-child(9).focus-visible~.tabbed-labels>:nth-child(9){color:var(--md-accent-fg-color)}.md-typeset .tabbed-set>input:first-child:checked~.tabbed-content>:first-child,.md-typeset .tabbed-set>input:nth-child(10):checked~.tabbed-content>:nth-child(10),.md-typeset .tabbed-set>input:nth-child(11):checked~.tabbed-content>:nth-child(11),.md-typeset .tabbed-set>input:nth-child(12):checked~.tabbed-content>:nth-child(12),.md-typeset .tabbed-set>input:nth-child(13):checked~.tabbed-content>:nth-child(13),.md-typeset .tabbed-set>input:nth-child(14):checked~.tabbed-content>:nth-child(14),.md-typeset .tabbed-set>input:nth-child(15):checked~.tabbed-content>:nth-child(15),.md-typeset .tabbed-set>input:nth-child(16):checked~.tabbed-content>:nth-child(16),.md-typeset .tabbed-set>input:nth-child(17):checked~.tabbed-content>:nth-child(17),.md-typeset .tabbed-set>input:nth-child(18):checked~.tabbed-content>:nth-child(18),.md-typeset .tabbed-set>input:nth-child(19):checked~.tabbed-content>:nth-child(19),.md-typeset .tabbed-set>input:nth-child(2):checked~.tabbed-content>:nth-child(2),.md-typeset .tabbed-set>input:nth-child(20):checked~.tabbed-content>:nth-child(20),.md-typeset .tabbed-set>input:nth-child(3):checked~.tabbed-content>:nth-child(3),.md-typeset .tabbed-set>input:nth-child(4):checked~.tabbed-content>:nth-child(4),.md-typeset .tabbed-set>input:nth-child(5):checked~.tabbed-content>:nth-child(5),.md-typeset .tabbed-set>input:nth-child(6):checked~.tabbed-content>:nth-child(6),.md-typeset .tabbed-set>input:nth-child(7):checked~.tabbed-content>:nth-child(7),.md-typeset .tabbed-set>input:nth-child(8):checked~.tabbed-content>:nth-child(8),.md-typeset .tabbed-set>input:nth-child(9):checked~.tabbed-content>:nth-child(9){display:block}:root{--md-tasklist-icon:url('data:image/svg+xml;charset=utf-8,');--md-tasklist-icon--checked:url('data:image/svg+xml;charset=utf-8,')}.md-typeset .task-list-item{list-style-type:none;position:relative}[dir=ltr] .md-typeset .task-list-item [type=checkbox]{left:-2em}[dir=rtl] .md-typeset .task-list-item [type=checkbox]{right:-2em}.md-typeset .task-list-item [type=checkbox]{position:absolute;top:.45em}.md-typeset .task-list-control [type=checkbox]{opacity:0;z-index:-1}[dir=ltr] .md-typeset .task-list-indicator:before{left:-1.5em}[dir=rtl] .md-typeset .task-list-indicator:before{right:-1.5em}.md-typeset .task-list-indicator:before{background-color:var(--md-default-fg-color--lightest);content:"";height:1.25em;-webkit-mask-image:var(--md-tasklist-icon);mask-image:var(--md-tasklist-icon);-webkit-mask-position:center;mask-position:center;-webkit-mask-repeat:no-repeat;mask-repeat:no-repeat;-webkit-mask-size:contain;mask-size:contain;position:absolute;top:.15em;width:1.25em}.md-typeset [type=checkbox]:checked+.task-list-indicator:before{background-color:#00e676;-webkit-mask-image:var(--md-tasklist-icon--checked);mask-image:var(--md-tasklist-icon--checked)}:root>*{--md-mermaid-font-family:var(--md-text-font-family),sans-serif;--md-mermaid-edge-color:var(--md-code-fg-color);--md-mermaid-node-bg-color:var(--md-accent-fg-color--transparent);--md-mermaid-node-fg-color:var(--md-accent-fg-color);--md-mermaid-label-bg-color:var(--md-default-bg-color);--md-mermaid-label-fg-color:var(--md-code-fg-color);--md-mermaid-sequence-actor-bg-color:var(--md-mermaid-label-bg-color);--md-mermaid-sequence-actor-fg-color:var(--md-mermaid-label-fg-color);--md-mermaid-sequence-actor-border-color:var(--md-mermaid-node-fg-color);--md-mermaid-sequence-actor-line-color:var(--md-default-fg-color--lighter);--md-mermaid-sequence-actorman-bg-color:var(--md-mermaid-label-bg-color);--md-mermaid-sequence-actorman-line-color:var(--md-mermaid-node-fg-color);--md-mermaid-sequence-box-bg-color:var(--md-mermaid-node-bg-color);--md-mermaid-sequence-box-fg-color:var(--md-mermaid-edge-color);--md-mermaid-sequence-label-bg-color:var(--md-mermaid-node-bg-color);--md-mermaid-sequence-label-fg-color:var(--md-mermaid-node-fg-color);--md-mermaid-sequence-loop-bg-color:var(--md-mermaid-node-bg-color);--md-mermaid-sequence-loop-fg-color:var(--md-mermaid-edge-color);--md-mermaid-sequence-loop-border-color:var(--md-mermaid-node-fg-color);--md-mermaid-sequence-message-fg-color:var(--md-mermaid-edge-color);--md-mermaid-sequence-message-line-color:var(--md-mermaid-edge-color);--md-mermaid-sequence-note-bg-color:var(--md-mermaid-label-bg-color);--md-mermaid-sequence-note-fg-color:var(--md-mermaid-edge-color);--md-mermaid-sequence-note-border-color:var(--md-mermaid-label-fg-color);--md-mermaid-sequence-number-bg-color:var(--md-mermaid-node-fg-color);--md-mermaid-sequence-number-fg-color:var(--md-accent-bg-color)}.mermaid{line-height:normal;margin:1em 0}.md-typeset .grid{grid-gap:.4rem;display:grid;grid-template-columns:repeat(auto-fit,minmax(min(100%,16rem),1fr));margin:1em 0}.md-typeset .grid.cards>ol,.md-typeset .grid.cards>ul{display:contents}.md-typeset .grid.cards>ol>li,.md-typeset .grid.cards>ul>li,.md-typeset .grid>.card{border:.05rem solid var(--md-default-fg-color--lightest);border-radius:.1rem;display:block;margin:0;padding:.8rem;transition:border .25s,box-shadow .25s}.md-typeset .grid.cards>ol>li:focus-within,.md-typeset .grid.cards>ol>li:hover,.md-typeset .grid.cards>ul>li:focus-within,.md-typeset .grid.cards>ul>li:hover,.md-typeset .grid>.card:focus-within,.md-typeset .grid>.card:hover{border-color:#0000;box-shadow:var(--md-shadow-z2)}.md-typeset .grid.cards>ol>li>hr,.md-typeset .grid.cards>ul>li>hr,.md-typeset .grid>.card>hr{margin-bottom:1em;margin-top:1em}.md-typeset .grid.cards>ol>li>:first-child,.md-typeset .grid.cards>ul>li>:first-child,.md-typeset .grid>.card>:first-child{margin-top:0}.md-typeset .grid.cards>ol>li>:last-child,.md-typeset .grid.cards>ul>li>:last-child,.md-typeset .grid>.card>:last-child{margin-bottom:0}.md-typeset .grid>*,.md-typeset .grid>.admonition,.md-typeset .grid>.highlight>*,.md-typeset .grid>.highlighttable,.md-typeset .grid>.md-typeset details,.md-typeset .grid>details,.md-typeset .grid>pre{margin-bottom:0;margin-top:0}.md-typeset .grid>.highlight>pre:only-child,.md-typeset .grid>.highlight>pre>code,.md-typeset .grid>.highlighttable,.md-typeset .grid>.highlighttable>tbody,.md-typeset .grid>.highlighttable>tbody>tr,.md-typeset .grid>.highlighttable>tbody>tr>.code,.md-typeset .grid>.highlighttable>tbody>tr>.code>.highlight,.md-typeset .grid>.highlighttable>tbody>tr>.code>.highlight>pre,.md-typeset .grid>.highlighttable>tbody>tr>.code>.highlight>pre>code{height:100%}.md-typeset .grid>.tabbed-set{margin-bottom:0;margin-top:0}@media screen and (min-width:45em){[dir=ltr] .md-typeset .inline{float:left}[dir=rtl] .md-typeset .inline{float:right}[dir=ltr] .md-typeset .inline{margin-right:.8rem}[dir=rtl] .md-typeset .inline{margin-left:.8rem}.md-typeset .inline{margin-bottom:.8rem;margin-top:0;width:11.7rem}[dir=ltr] .md-typeset .inline.end{float:right}[dir=rtl] .md-typeset .inline.end{float:left}[dir=ltr] .md-typeset .inline.end{margin-left:.8rem;margin-right:0}[dir=rtl] .md-typeset .inline.end{margin-left:0;margin-right:.8rem}} \ No newline at end of file diff --git a/assets/stylesheets/main.76a95c52.min.css.map b/assets/stylesheets/main.76a95c52.min.css.map deleted file mode 100644 index ee35967f09..0000000000 --- a/assets/stylesheets/main.76a95c52.min.css.map +++ /dev/null @@ -1 +0,0 @@ -{"version":3,"sources":["src/templates/assets/stylesheets/main/components/_meta.scss","../../../../src/templates/assets/stylesheets/main.scss","src/templates/assets/stylesheets/main/_resets.scss","src/templates/assets/stylesheets/main/_colors.scss","src/templates/assets/stylesheets/main/_icons.scss","src/templates/assets/stylesheets/main/_typeset.scss","src/templates/assets/stylesheets/utilities/_break.scss","src/templates/assets/stylesheets/main/components/_author.scss","src/templates/assets/stylesheets/main/components/_banner.scss","src/templates/assets/stylesheets/main/components/_base.scss","src/templates/assets/stylesheets/main/components/_clipboard.scss","src/templates/assets/stylesheets/main/components/_code.scss","src/templates/assets/stylesheets/main/components/_consent.scss","src/templates/assets/stylesheets/main/components/_content.scss","src/templates/assets/stylesheets/main/components/_dialog.scss","src/templates/assets/stylesheets/main/components/_feedback.scss","src/templates/assets/stylesheets/main/components/_footer.scss","src/templates/assets/stylesheets/main/components/_form.scss","src/templates/assets/stylesheets/main/components/_header.scss","node_modules/material-design-color/material-color.scss","src/templates/assets/stylesheets/main/components/_nav.scss","src/templates/assets/stylesheets/main/components/_pagination.scss","src/templates/assets/stylesheets/main/components/_post.scss","src/templates/assets/stylesheets/main/components/_progress.scss","src/templates/assets/stylesheets/main/components/_search.scss","src/templates/assets/stylesheets/main/components/_select.scss","src/templates/assets/stylesheets/main/components/_sidebar.scss","src/templates/assets/stylesheets/main/components/_source.scss","src/templates/assets/stylesheets/main/components/_status.scss","src/templates/assets/stylesheets/main/components/_tabs.scss","src/templates/assets/stylesheets/main/components/_tag.scss","src/templates/assets/stylesheets/main/components/_tooltip.scss","src/templates/assets/stylesheets/main/components/_tooltip2.scss","src/templates/assets/stylesheets/main/components/_top.scss","src/templates/assets/stylesheets/main/components/_version.scss","src/templates/assets/stylesheets/main/extensions/markdown/_admonition.scss","src/templates/assets/stylesheets/main/extensions/markdown/_footnotes.scss","src/templates/assets/stylesheets/main/extensions/markdown/_toc.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_arithmatex.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_critic.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_details.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_emoji.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_highlight.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_keys.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_tabbed.scss","src/templates/assets/stylesheets/main/extensions/pymdownx/_tasklist.scss","src/templates/assets/stylesheets/main/integrations/_mermaid.scss","src/templates/assets/stylesheets/main/modifiers/_grid.scss","src/templates/assets/stylesheets/main/modifiers/_inline.scss"],"names":[],"mappings":"AA0CE,gBCqxCF,CCnyCA,KAEE,6BAAA,CAAA,0BAAA,CAAA,qBAAA,CADA,qBDzBF,CC8BA,iBAGE,kBD3BF,CC8BE,gCANF,iBAOI,yBDzBF,CACF,CC6BA,KACE,QD1BF,CC8BA,qBAIE,uCD3BF,CC+BA,EACE,aAAA,CACA,oBD5BF,CCgCA,GAME,QAAA,CALA,kBAAA,CACA,aAAA,CACA,aAAA,CAEA,gBAAA,CADA,SD3BF,CCiCA,MACE,aD9BF,CCkCA,QAEE,eD/BF,CCmCA,IACE,iBDhCF,CCoCA,MAEE,uBAAA,CADA,gBDhCF,CCqCA,MAEE,eAAA,CACA,kBDlCF,CCsCA,OAKE,gBAAA,CACA,QAAA,CAHA,mBAAA,CACA,iBAAA,CAFA,QAAA,CADA,SD9BF,CCuCA,MACE,QAAA,CACA,YDpCF,CErDA,MAIE,6BAAA,CACA,oCAAA,CACA,mCAAA,CACA,0BAAA,CACA,sCAAA,CAGA,4BAAA,CACA,2CAAA,CACA,yBAAA,CACA,qCFmDF,CE7CA,+BAIE,kBF6CF,CE1CE,oHAEE,YF4CJ,CEnCA,qCAIE,eAAA,CAGA,+BAAA,CACA,sCAAA,CACA,wCAAA,CACA,yCAAA,CACA,0BAAA,CACA,sCAAA,CACA,wCAAA,CACA,yCAAA,CAGA,0BAAA,CACA,0BAAA,CAGA,0BAAA,CACA,mCAAA,CAGA,iCAAA,CACA,kCAAA,CACA,mCAAA,CACA,mCAAA,CACA,kCAAA,CACA,iCAAA,CACA,+CAAA,CACA,6DAAA,CACA,gEAAA,CACA,4DAAA,CACA,4DAAA,CACA,6DAAA,CAGA,6CAAA,CAGA,+CAAA,CAGA,gCAAA,CACA,gCAAA,CAGA,8BAAA,CACA,kCAAA,CACA,qCAAA,CAGA,iCAAA,CAGA,kCAAA,CACA,gDAAA,CAGA,mDAAA,CACA,mDAAA,CAGA,+BAAA,CACA,0BAAA,CAGA,yBAAA,CACA,qCAAA,CACA,uCAAA,CACA,8BAAA,CACA,oCAAA,CAGA,8DAAA,CAKA,8DAAA,CAKA,0DFKF,CG9HE,aAIE,iBAAA,CAHA,aAAA,CAEA,aAAA,CADA,YHmIJ,CIxIA,KACE,kCAAA,CACA,iCAAA,CAGA,uGAAA,CAKA,mFJyIF,CInIA,iBAIE,mCAAA,CACA,6BAAA,CAFA,sCJwIF,CIlIA,aAIE,4BAAA,CADA,sCJsIF,CI7HA,MACE,0NAAA,CACA,mNAAA,CACA,oNJgIF,CIzHA,YAGE,gCAAA,CAAA,kBAAA,CAFA,eAAA,CACA,eJ6HF,CIxHE,aAPF,YAQI,gBJ2HF,CACF,CIxHE,uGAME,iBAAA,CAAA,cJ0HJ,CItHE,eAKE,uCAAA,CAHA,aAAA,CAEA,eAAA,CAHA,iBJ6HJ,CIpHE,8BAPE,eAAA,CAGA,qBJ+HJ,CI3HE,eAEE,kBAAA,CAEA,eAAA,CAHA,oBJ0HJ,CIlHE,eAEE,gBAAA,CACA,eAAA,CAEA,qBAAA,CADA,eAAA,CAHA,mBJwHJ,CIhHE,kBACE,eJkHJ,CI9GE,eAEE,eAAA,CACA,qBAAA,CAFA,YJkHJ,CI5GE,8BAKE,uCAAA,CAFA,cAAA,CACA,eAAA,CAEA,qBAAA,CAJA,eJkHJ,CI1GE,eACE,wBJ4GJ,CIxGE,eAGE,+DAAA,CAFA,iBAAA,CACA,cJ2GJ,CItGE,cACE,+BAAA,CACA,qBJwGJ,CIrGI,mCAEE,sBJsGN,CIlGI,wCACE,+BJoGN,CIjGM,kDACE,uDJmGR,CI9FI,mBACE,kBAAA,CACA,iCJgGN,CI5FI,4BACE,uCAAA,CACA,oBJ8FN,CIzFE,iDAIE,6BAAA,CACA,aAAA,CAFA,2BJ6FJ,CIxFI,aARF,iDASI,oBJ6FJ,CACF,CIzFE,iBAIE,wCAAA,CACA,mBAAA,CACA,kCAAA,CAAA,0BAAA,CAJA,eAAA,CADA,uBAAA,CAEA,qBJ8FJ,CIxFI,qCAEE,uCAAA,CADA,YJ2FN,CIrFE,gBAEE,iBAAA,CACA,eAAA,CAFA,iBJyFJ,CIpFI,qBASE,kCAAA,CAAA,0BAAA,CADA,eAAA,CAPA,aAAA,CAEA,QAAA,CAIA,uCAAA,CAHA,aAAA,CAFA,oCAAA,CASA,yDAAA,CADA,oBAAA,CAJA,iBAAA,CADA,iBJ4FN,CInFM,2BACE,+CJqFR,CIjFM,wCAEE,YAAA,CADA,WJoFR,CI/EM,8CACE,oDJiFR,CI9EQ,oDACE,0CJgFV,CIzEE,gBAOE,4CAAA,CACA,mBAAA,CACA,mKACE,CANF,gCAAA,CAHA,oBAAA,CAEA,eAAA,CADA,uBAAA,CAIA,uBAAA,CADA,qBJ+EJ,CIpEE,iBAGE,6CAAA,CACA,kCAAA,CAAA,0BAAA,CAHA,aAAA,CACA,qBJwEJ,CIlEE,iBAGE,6DAAA,CADA,WAAA,CADA,oBJsEJ,CIhEE,kBACE,WJkEJ,CI9DE,oDAEE,qBJgEJ,CIlEE,oDAEE,sBJgEJ,CI5DE,iCACE,kBJiEJ,CIlEE,iCACE,mBJiEJ,CIlEE,iCAIE,2DJ8DJ,CIlEE,iCAIE,4DJ8DJ,CIlEE,uBAGE,uCAAA,CADA,aAAA,CAAA,cJgEJ,CI1DE,eACE,oBJ4DJ,CIxDE,kDAGE,kBJ0DJ,CI7DE,kDAGE,mBJ0DJ,CI7DE,8BAEE,SJ2DJ,CIvDI,0DACE,iBJ0DN,CItDI,oCACE,2BJyDN,CItDM,0CACE,2BJyDR,CIpDI,wDACE,kBJwDN,CIzDI,wDACE,mBJwDN,CIzDI,oCAEE,kBJuDN,CIpDM,kGAEE,aJwDR,CIpDM,0DACE,eJuDR,CInDM,4HAEE,kBJsDR,CIxDM,4HAEE,mBJsDR,CIxDM,oFACE,kBAAA,CAAA,eJuDR,CIhDE,yBAEE,mBJkDJ,CIpDE,yBAEE,oBJkDJ,CIpDE,eACE,mBAAA,CAAA,cJmDJ,CI9CE,kDAIE,WAAA,CADA,cJiDJ,CIzCI,4BAEE,oBJ2CN,CIvCI,6BAEE,oBJyCN,CIrCI,kCACE,YJuCN,CIlCE,mBACE,iBAAA,CAGA,eAAA,CADA,cAAA,CAEA,iBAAA,CAHA,sBAAA,CAAA,iBJuCJ,CIjCI,uBACE,aAAA,CACA,aJmCN,CI9BE,uBAGE,iBAAA,CADA,eAAA,CADA,eJkCJ,CI5BE,mBACE,cJ8BJ,CI1BE,+BAME,2CAAA,CACA,iDAAA,CACA,mBAAA,CAPA,oBAAA,CAGA,gBAAA,CAFA,cAAA,CACA,aAAA,CAEA,iBJ+BJ,CIzBI,aAXF,+BAYI,aJ4BJ,CACF,CIvBI,iCACE,gBJyBN,CIlBM,8FACE,YJoBR,CIhBM,4FACE,eJkBR,CIbI,8FACE,eJeN,CIZM,kHACE,gBJcR,CITI,kCAGE,eAAA,CAFA,cAAA,CACA,sBAAA,CAEA,kBJWN,CIPI,kCAGE,qDAAA,CAFA,sBAAA,CACA,kBJUN,CILI,wCACE,iCJON,CIJM,8CACE,qDAAA,CACA,sDJMR,CIDI,iCACE,iBJGN,CIEE,wCACE,cJAJ,CIGI,wDAIE,gBJKN,CITI,wDAIE,iBJKN,CITI,8CAME,UAAA,CALA,oBAAA,CAEA,YAAA,CAKA,oDAAA,CAAA,4CAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAHA,iCAAA,CAFA,0BAAA,CAHA,WJON,CIKI,oDACE,oDJHN,CIOI,mEACE,kDAAA,CACA,yDAAA,CAAA,iDJLN,CISI,oEACE,kDAAA,CACA,0DAAA,CAAA,kDJPN,CIYE,wBACE,iBAAA,CACA,eAAA,CACA,iBJVJ,CIcE,mBACE,oBAAA,CAEA,kBAAA,CADA,eJXJ,CIeI,aANF,mBAOI,aJZJ,CACF,CIeI,8BACE,aAAA,CAEA,QAAA,CACA,eAAA,CAFA,UJXN,CKnVI,0CD6WF,uBACE,iBJtBF,CIyBE,4BACE,eJvBJ,CACF,CMlhBE,uBAOE,kBAAA,CALA,aAAA,CACA,aAAA,CAEA,aAAA,CACA,eAAA,CALA,iBAAA,CAOA,sCACE,CALF,YNwhBJ,CM/gBI,2BACE,aNihBN,CM7gBI,6BAME,+CAAA,CAFA,yCAAA,CAHA,eAAA,CACA,eAAA,CACA,kBAAA,CAEA,iBNghBN,CM3gBI,6BAEE,aAAA,CADA,YN8gBN,CMxgBE,wBACE,kBN0gBJ,CMvgBI,4BAIE,kBAAA,CAHA,mCAAA,CAIA,uBNugBN,CMngBI,4DAEE,oBAAA,CADA,SNsgBN,CMlgBM,oEACE,mBNogBR,CO7jBA,WAGE,0CAAA,CADA,+BAAA,CADA,aPkkBF,CO7jBE,aANF,WAOI,YPgkBF,CACF,CO7jBE,oBAEE,2CAAA,CADA,gCPgkBJ,CO3jBE,kBAGE,eAAA,CADA,iBAAA,CADA,eP+jBJ,COzjBE,6BACE,WP8jBJ,CO/jBE,6BACE,UP8jBJ,CO/jBE,mBAEE,aAAA,CACA,cAAA,CACA,uBP2jBJ,COxjBI,0BACE,YP0jBN,COtjBI,yBACE,UPwjBN,CQ7lBA,KASE,cAAA,CARA,WAAA,CACA,iBRimBF,CK7bI,oCGtKJ,KAaI,gBR0lBF,CACF,CKlcI,oCGtKJ,KAkBI,cR0lBF,CACF,CQrlBA,KASE,2CAAA,CAPA,YAAA,CACA,qBAAA,CAKA,eAAA,CAHA,eAAA,CAJA,iBAAA,CAGA,UR2lBF,CQnlBE,aAZF,KAaI,aRslBF,CACF,CKncI,0CGhJF,yBAII,cRmlBJ,CACF,CQ1kBA,SAEE,gBAAA,CAAA,iBAAA,CADA,eR8kBF,CQzkBA,cACE,YAAA,CACA,qBAAA,CACA,WR4kBF,CQzkBE,aANF,cAOI,aR4kBF,CACF,CQxkBA,SACE,WR2kBF,CQxkBE,gBACE,YAAA,CACA,WAAA,CACA,iBR0kBJ,CQrkBA,aACE,eAAA,CACA,sBRwkBF,CQ/jBA,WACE,YRkkBF,CQ7jBA,WAGE,QAAA,CACA,SAAA,CAHA,iBAAA,CACA,ORkkBF,CQ7jBE,uCACE,aR+jBJ,CQ3jBE,+BAEE,uCAAA,CADA,kBR8jBJ,CQxjBA,SASE,2CAAA,CACA,mBAAA,CAFA,gCAAA,CADA,gBAAA,CADA,YAAA,CAMA,SAAA,CADA,uCAAA,CANA,mBAAA,CAJA,cAAA,CAYA,2BAAA,CATA,URkkBF,CQtjBE,eAEE,SAAA,CAIA,uBAAA,CAHA,oEACE,CAHF,UR2jBJ,CQ7iBA,MACE,WRgjBF,CSzsBA,MACE,+PT2sBF,CSrsBA,cASE,mBAAA,CAFA,0CAAA,CACA,cAAA,CAFA,YAAA,CAIA,uCAAA,CACA,oBAAA,CAVA,iBAAA,CAEA,UAAA,CADA,QAAA,CAUA,qBAAA,CAPA,WAAA,CADA,STgtBF,CSrsBE,aAfF,cAgBI,YTwsBF,CACF,CSrsBE,kCAEE,uCAAA,CADA,YTwsBJ,CSnsBE,qBACE,uCTqsBJ,CSjsBE,wCACE,+BTmsBJ,CS9rBE,oBAME,6BAAA,CADA,UAAA,CAJA,aAAA,CAEA,cAAA,CACA,aAAA,CAGA,2CAAA,CAAA,mCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CARA,aTwsBJ,CS5rBE,sBACE,cT8rBJ,CS3rBI,2BACE,2CT6rBN,CSvrBI,kEAEE,uDAAA,CADA,+BT0rBN,CU5vBE,8BACE,YV+vBJ,CWpwBA,mBACE,GACE,SAAA,CACA,0BXuwBF,CWpwBA,GACE,SAAA,CACA,uBXswBF,CACF,CWlwBA,mBACE,GACE,SXowBF,CWjwBA,GACE,SXmwBF,CACF,CWxvBE,qBASE,2BAAA,CADA,mCAAA,CAAA,2BAAA,CAFA,0BAAA,CADA,WAAA,CAEA,SAAA,CANA,cAAA,CACA,KAAA,CAEA,UAAA,CADA,SXgwBJ,CWtvBE,mBAcE,mDAAA,CANA,2CAAA,CACA,QAAA,CACA,mBAAA,CARA,QAAA,CASA,kDACE,CAPF,eAAA,CAEA,aAAA,CADA,SAAA,CALA,cAAA,CAGA,UAAA,CADA,SXiwBJ,CWlvBE,kBACE,aXovBJ,CWhvBE,sBACE,YAAA,CACA,YXkvBJ,CW/uBI,oCACE,aXivBN,CW5uBE,sBACE,mBX8uBJ,CW3uBI,6CACE,cX6uBN,CKvoBI,0CMvGA,6CAKI,aAAA,CAEA,gBAAA,CACA,iBAAA,CAFA,UX+uBN,CACF,CWxuBE,kBACE,cX0uBJ,CY30BA,YACE,WAAA,CAIA,WZ20BF,CYx0BE,mBAEE,qBAAA,CADA,iBZ20BJ,CK9qBI,sCOtJE,4EACE,kBZu0BN,CYn0BI,0JACE,mBZq0BN,CYt0BI,8EACE,kBZq0BN,CACF,CYh0BI,0BAGE,UAAA,CAFA,aAAA,CACA,YZm0BN,CY9zBI,+BACE,eZg0BN,CY1zBE,8BACE,WZ+zBJ,CYh0BE,8BACE,UZ+zBJ,CYh0BE,8BAIE,iBZ4zBJ,CYh0BE,8BAIE,kBZ4zBJ,CYh0BE,oBAGE,cAAA,CADA,SZ8zBJ,CYzzBI,aAPF,oBAQI,YZ4zBJ,CACF,CYzzBI,gCACE,yCZ2zBN,CYvzBI,wBACE,cAAA,CACA,kBZyzBN,CYtzBM,kCACE,oBZwzBR,Caz3BA,qBAeE,Wb03BF,Caz4BA,qBAeE,Ub03BF,Caz4BA,WAOE,2CAAA,CACA,mBAAA,CANA,YAAA,CAOA,8BAAA,CALA,iBAAA,CAMA,SAAA,CALA,mBAAA,CACA,mBAAA,CALA,cAAA,CAaA,0BAAA,CAHA,wCACE,CATF,Sbs4BF,Cav3BE,aAlBF,WAmBI,Yb03BF,CACF,Cav3BE,mBAEE,SAAA,CADA,mBAAA,CAKA,uBAAA,CAHA,kEb03BJ,Can3BE,kBAEE,gCAAA,CADA,ebs3BJ,Ccx5BA,aACE,gBAAA,CACA,iBd25BF,Ccx5BE,sBAGE,WAAA,CADA,QAAA,CADA,Sd45BJ,Cct5BE,oBAEE,eAAA,CADA,edy5BJ,Ccp5BE,oBACE,iBds5BJ,Ccl5BE,mBAEE,YAAA,CACA,cAAA,CACA,6BAAA,CAHA,iBdu5BJ,Ccj5BI,iDACE,yCdm5BN,Cc/4BI,6BACE,iBdi5BN,Cc54BE,mBAGE,uCAAA,CACA,cAAA,CAHA,aAAA,CACA,cAAA,CAGA,sBd84BJ,Cc34BI,gDACE,+Bd64BN,Ccz4BI,4BACE,0CAAA,CACA,mBd24BN,Cct4BE,mBAEE,SAAA,CADA,iBAAA,CAKA,2BAAA,CAHA,8Ddy4BJ,Ccn4BI,qBAEE,aAAA,CADA,eds4BN,Ccj4BI,6BACE,SAAA,CACA,uBdm4BN,Cej9BA,WAEE,0CAAA,CADA,+Bfq9BF,Cej9BE,aALF,WAMI,Yfo9BF,CACF,Cej9BE,kBACE,6BAAA,CAEA,aAAA,CADA,afo9BJ,Ceh9BI,gCACE,Yfk9BN,Ce78BE,iBAOE,eAAA,CANA,YAAA,CAKA,cAAA,CAGA,mBAAA,CAAA,eAAA,CADA,cAAA,CAGA,uCAAA,CADA,eAAA,CAEA,uBf28BJ,Cex8BI,8CACE,Uf08BN,Cet8BI,+BACE,oBfw8BN,CK1zBI,0CUvIE,uBACE,afo8BN,Cej8BM,yCACE,Yfm8BR,CACF,Ce97BI,iCACE,gBfi8BN,Cel8BI,iCACE,iBfi8BN,Cel8BI,uBAEE,gBfg8BN,Ce77BM,iCACE,ef+7BR,Cez7BE,kBACE,WAAA,CAIA,eAAA,CADA,mBAAA,CAFA,6BAAA,CACA,cAAA,CAGA,kBf27BJ,Cev7BE,mBAEE,YAAA,CADA,af07BJ,Cer7BE,sBACE,gBAAA,CACA,Ufu7BJ,Cel7BA,gBACE,gDfq7BF,Cel7BE,uBACE,YAAA,CACA,cAAA,CACA,6BAAA,CACA,afo7BJ,Ceh7BE,kCACE,sCfk7BJ,Ce/6BI,gFACE,+Bfi7BN,Cez6BA,cAKE,wCAAA,CADA,gBAAA,CADA,iBAAA,CADA,eAAA,CADA,Ufg7BF,CKp4BI,mCU7CJ,cASI,Uf46BF,CACF,Cex6BE,yBACE,sCf06BJ,Cen6BA,WACE,mBAAA,CACA,SAAA,CAEA,cAAA,CADA,qBfu6BF,CKn5BI,mCUvBJ,WAQI,efs6BF,CACF,Cen6BE,iBACE,oBAAA,CAEA,aAAA,CACA,iBAAA,CAFA,Yfu6BJ,Cel6BI,wBACE,efo6BN,Ceh6BI,qBAGE,iBAAA,CAFA,gBAAA,CACA,mBfm6BN,CgBzkCE,uBAME,kBAAA,CACA,mBAAA,CAHA,gCAAA,CACA,cAAA,CAJA,oBAAA,CAEA,eAAA,CADA,kBAAA,CAMA,gEhB4kCJ,CgBtkCI,gCAEE,2CAAA,CACA,uCAAA,CAFA,gChB0kCN,CgBpkCI,0DAEE,0CAAA,CACA,sCAAA,CAFA,+BhBwkCN,CgBjkCE,gCAKE,4BhBskCJ,CgB3kCE,gEAME,6BhBqkCJ,CgB3kCE,gCAME,4BhBqkCJ,CgB3kCE,sBAIE,6DAAA,CAGA,8BAAA,CAJA,eAAA,CAFA,aAAA,CACA,eAAA,CAMA,sChBmkCJ,CgB9jCI,wDACE,6CAAA,CACA,8BhBgkCN,CgB5jCI,+BACE,UhB8jCN,CiBjnCA,WAOE,2CAAA,CAGA,8CACE,CALF,gCAAA,CADA,aAAA,CAHA,MAAA,CADA,eAAA,CACA,OAAA,CACA,KAAA,CACA,SjBwnCF,CiB7mCE,aAfF,WAgBI,YjBgnCF,CACF,CiB7mCE,mBAIE,2BAAA,CAHA,iEjBgnCJ,CiBzmCE,mBACE,kDACE,CAEF,kEjBymCJ,CiBnmCE,kBAEE,kBAAA,CADA,YAAA,CAEA,ejBqmCJ,CiBjmCE,mBAKE,kBAAA,CAEA,cAAA,CAHA,YAAA,CAIA,uCAAA,CALA,aAAA,CAFA,iBAAA,CAQA,uBAAA,CAHA,qBAAA,CAJA,SjB0mCJ,CiBhmCI,yBACE,UjBkmCN,CiB9lCI,iCACE,oBjBgmCN,CiB5lCI,uCAEE,uCAAA,CADA,YjB+lCN,CiB1lCI,2BAEE,YAAA,CADA,ajB6lCN,CK/+BI,0CY/GA,2BAMI,YjB4lCN,CACF,CiBzlCM,8DAIE,iBAAA,CAHA,aAAA,CAEA,aAAA,CADA,UjB6lCR,CK7gCI,mCYzEA,iCAII,YjBslCN,CACF,CiBnlCM,wCACE,YjBqlCR,CiBjlCM,+CACE,oBjBmlCR,CKxhCI,sCYtDA,iCAII,YjB8kCN,CACF,CiBzkCE,kBAEE,YAAA,CACA,cAAA,CAFA,iBAAA,CAIA,8DACE,CAFF,kBjB4kCJ,CiBtkCI,oCAGE,SAAA,CADA,mBAAA,CAKA,6BAAA,CAHA,8DACE,CAJF,UjB4kCN,CiBnkCM,8CACE,8BjBqkCR,CiBhkCI,8BACE,ejBkkCN,CiB7jCE,4BAGE,gBAAA,CAAA,kBjBikCJ,CiBpkCE,4BAGE,iBAAA,CAAA,iBjBikCJ,CiBpkCE,kBACE,WAAA,CAGA,eAAA,CAFA,aAAA,CAGA,kBjB+jCJ,CiB5jCI,4CAGE,SAAA,CADA,mBAAA,CAKA,8BAAA,CAHA,8DACE,CAJF,UjBkkCN,CiBzjCM,sDACE,6BjB2jCR,CiBvjCM,8DAGE,SAAA,CADA,mBAAA,CAKA,uBAAA,CAHA,8DACE,CAJF,SjB6jCR,CiBljCI,uCAGE,WAAA,CAFA,iBAAA,CACA,UjBqjCN,CiB/iCE,mBACE,YAAA,CACA,aAAA,CACA,cAAA,CAEA,+CACE,CAFF,kBjBkjCJ,CiB5iCI,8DACE,WAAA,CACA,SAAA,CACA,oCjB8iCN,CiBriCI,yBACE,QjBuiCN,CiBliCE,mBACE,YjBoiCJ,CKhmCI,mCY2DF,6BAQI,gBjBoiCJ,CiB5iCA,6BAQI,iBjBoiCJ,CiB5iCA,mBAKI,aAAA,CAEA,iBAAA,CADA,ajBsiCJ,CACF,CKxmCI,sCY2DF,6BAaI,kBjBoiCJ,CiBjjCA,6BAaI,mBjBoiCJ,CACF,CDnxCA,SAGE,uCAAA,CAFA,eAAA,CACA,eCuxCF,CDnxCE,eACE,mBAAA,CACA,cAAA,CAGA,eAAA,CADA,QAAA,CADA,SCuxCJ,CDjxCE,sCAEE,WAAA,CADA,iBAAA,CAAA,kBCoxCJ,CD/wCE,eACE,+BCixCJ,CD9wCI,0CACE,+BCgxCN,CD1wCA,UAKE,wBmBaa,CnBZb,oBAAA,CAFA,UAAA,CAHA,oBAAA,CAEA,eAAA,CADA,0BAAA,CAAA,2BCixCF,CmBnzCA,MACE,0MAAA,CACA,gMAAA,CACA,yNnBszCF,CmBhzCA,QACE,eAAA,CACA,enBmzCF,CmBhzCE,eAKE,uCAAA,CAJA,aAAA,CAGA,eAAA,CADA,eAAA,CADA,eAAA,CAIA,sBnBkzCJ,CmB/yCI,+BACE,YnBizCN,CmB9yCM,mCAEE,WAAA,CADA,UnBizCR,CmBzyCQ,sFAME,iBAAA,CALA,aAAA,CAGA,aAAA,CADA,cAAA,CAEA,kBAAA,CAHA,UnB+yCV,CmBpyCE,cAGE,eAAA,CADA,QAAA,CADA,SnBwyCJ,CmBlyCE,cAGE,sBAAA,CAFA,YAAA,CACA,SAAA,CAEA,iBAAA,CAEA,uBAAA,CADA,sBnBqyCJ,CmBjyCI,sBACE,uCnBmyCN,CmB5xCM,6EAEE,+BnB8xCR,CmBzxCI,2BAIE,iBnBwxCN,CmBpxCI,4CACE,gBnBsxCN,CmBvxCI,4CACE,iBnBsxCN,CmBlxCI,kBAGE,iBAAA,CAFA,aAAA,CACA,YnBqxCN,CmBhxCI,sGACE,+BAAA,CACA,cnBkxCN,CmB9wCI,4BACE,uCAAA,CACA,oBnBgxCN,CmB5wCI,0CACE,YnB8wCN,CmB3wCM,yDAKE,6BAAA,CAJA,aAAA,CAEA,WAAA,CACA,qCAAA,CAAA,6BAAA,CAFA,UnBgxCR,CmBzwCM,kDACE,YnB2wCR,CmBrwCE,iCACE,YnBuwCJ,CmBpwCI,6CACE,WAAA,CAGA,WnBowCN,CmB/vCE,cACE,anBiwCJ,CmB7vCE,gBACE,YnB+vCJ,CK7tCI,0Cc3BA,0CASE,2CAAA,CAHA,YAAA,CACA,qBAAA,CACA,WAAA,CALA,MAAA,CADA,iBAAA,CACA,OAAA,CACA,KAAA,CACA,SnB8vCJ,CmBnvCI,+DACE,eAAA,CACA,enBqvCN,CmBjvCI,gCAQE,qDAAA,CAHA,uCAAA,CAEA,cAAA,CALA,aAAA,CAEA,kBAAA,CADA,wBAAA,CAFA,iBAAA,CAKA,kBnBqvCN,CmBhvCM,wDAGE,UnBsvCR,CmBzvCM,wDAGE,WnBsvCR,CmBzvCM,8CAIE,aAAA,CAEA,aAAA,CACA,YAAA,CANA,iBAAA,CACA,SAAA,CAGA,YnBovCR,CmB/uCQ,oDAKE,6BAAA,CADA,UAAA,CAHA,aAAA,CAEA,WAAA,CAGA,2CAAA,CAAA,mCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAPA,UnBwvCV,CmB5uCM,8CAGE,2CAAA,CACA,gEACE,CAJF,eAAA,CAKA,4BAAA,CAJA,kBnBivCR,CmB1uCQ,2DACE,YnB4uCV,CmBvuCM,8CAGE,2CAAA,CADA,gCAAA,CADA,enB2uCR,CmBruCM,yCAIE,aAAA,CAFA,UAAA,CAIA,YAAA,CADA,aAAA,CAJA,iBAAA,CACA,WAAA,CACA,SnB0uCR,CmBluCI,+BACE,MnBouCN,CmBhuCI,+BACE,4DnBkuCN,CmB/tCM,qDACE,+BnBiuCR,CmB9tCQ,sHACE,+BnBguCV,CmB1tCI,+BAEE,YAAA,CADA,mBnB6tCN,CmBztCM,mCACE,enB2tCR,CmBvtCM,6CACE,SnBytCR,CmBrtCM,uDAGE,mBnBwtCR,CmB3tCM,uDAGE,kBnBwtCR,CmB3tCM,6CAIE,gBAAA,CAFA,aAAA,CADA,YnB0tCR,CmBptCQ,mDAKE,6BAAA,CADA,UAAA,CAHA,aAAA,CAEA,WAAA,CAGA,2CAAA,CAAA,mCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAPA,UnB6tCV,CmB7sCM,+CACE,mBnB+sCR,CmBvsCM,4CAEE,wBAAA,CADA,enB0sCR,CmBtsCQ,oEACE,mBnBwsCV,CmBzsCQ,oEACE,oBnBwsCV,CmBpsCQ,4EACE,iBnBssCV,CmBvsCQ,4EACE,kBnBssCV,CmBlsCQ,oFACE,mBnBosCV,CmBrsCQ,oFACE,oBnBosCV,CmBhsCQ,4FACE,mBnBksCV,CmBnsCQ,4FACE,oBnBksCV,CmB3rCE,mBACE,wBnB6rCJ,CmBzrCE,wBACE,YAAA,CACA,SAAA,CAIA,0BAAA,CAHA,oEnB4rCJ,CmBtrCI,kCACE,2BnBwrCN,CmBnrCE,gCACE,SAAA,CAIA,uBAAA,CAHA,qEnBsrCJ,CmBhrCI,8CAEE,kCAAA,CAAA,0BnBirCN,CACF,CKh3CI,0CcuMA,0CACE,YnB4qCJ,CmBzqCI,yDACE,UnB2qCN,CmBvqCI,wDACE,YnByqCN,CmBrqCI,kDACE,YnBuqCN,CmBlqCE,gBAIE,iDAAA,CADA,gCAAA,CAFA,aAAA,CACA,enBsqCJ,CACF,CK76CM,+DcgRF,6CACE,YnBgqCJ,CmB7pCI,4DACE,UnB+pCN,CmB3pCI,2DACE,YnB6pCN,CmBzpCI,qDACE,YnB2pCN,CACF,CKr6CI,mCc7JJ,QA6aI,oBnBypCF,CmBnpCI,kCAME,qCAAA,CACA,qDAAA,CANA,eAAA,CACA,KAAA,CAGA,SnBqpCN,CmBhpCM,6CACE,uBnBkpCR,CmB9oCM,gDACE,YnBgpCR,CmB3oCI,2CACE,kBnB8oCN,CmB/oCI,2CACE,mBnB8oCN,CmB/oCI,iCAEE,oBnB6oCN,CmBtoCI,yDACE,kBnBwoCN,CmBzoCI,yDACE,iBnBwoCN,CACF,CK97CI,sCc7JJ,QAydI,oBAAA,CACA,oDnBsoCF,CmBhoCI,gCAME,qCAAA,CACA,qDAAA,CANA,eAAA,CACA,KAAA,CAGA,SnBkoCN,CmB7nCM,8CACE,uBnB+nCR,CmB3nCM,8CACE,YnB6nCR,CmBxnCI,yCACE,kBnB2nCN,CmB5nCI,yCACE,mBnB2nCN,CmB5nCI,+BAEE,oBnB0nCN,CmBnnCI,uDACE,kBnBqnCN,CmBtnCI,uDACE,iBnBqnCN,CmBhnCE,wBACE,YAAA,CACA,sBAAA,CAEA,SAAA,CACA,6FACE,CAHF,mBnBonCJ,CmB5mCI,sCACE,enB8mCN,CmBzmCE,iFACE,sBAAA,CAEA,SAAA,CACA,4FACE,CAHF,kBnB6mCJ,CmBpmCE,iDACE,enBsmCJ,CmBlmCE,6CACE,YnBomCJ,CmBhmCE,uBACE,aAAA,CACA,enBkmCJ,CmB/lCI,kCACE,enBimCN,CmB7lCI,qCACE,enB+lCN,CmB5lCM,0CACE,uCnB8lCR,CmB1lCM,6DACE,mBnB4lCR,CmBxlCM,yFAEE,YnB0lCR,CmBrlCI,yCAEE,kBnBylCN,CmB3lCI,yCAEE,mBnBylCN,CmB3lCI,+BACE,aAAA,CAGA,SAAA,CADA,kBnBwlCN,CmBplCM,2DACE,SnBslCR,CmBhlCE,cAGE,kBAAA,CADA,YAAA,CAEA,gCAAA,CAHA,WnBqlCJ,CmB/kCI,oBACE,uDnBilCN,CmB7kCI,oBAME,6BAAA,CACA,kBAAA,CAFA,UAAA,CAJA,oBAAA,CAEA,WAAA,CAMA,2CAAA,CAAA,mCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAJA,yBAAA,CAJA,qBAAA,CAFA,UnBylCN,CmB5kCM,8BACE,wBnB8kCR,CmB1kCM,kKAEE,uBnB2kCR,CmB7jCI,2EACE,YnBkkCN,CmB/jCM,oDACE,anBikCR,CmB9jCQ,kEAKE,qCAAA,CACA,qDAAA,CAFA,YAAA,CAHA,eAAA,CACA,KAAA,CACA,SnBmkCV,CmB7jCU,0FACE,mBnB+jCZ,CmB1jCQ,0EACE,QnB4jCV,CmBvjCM,sFACE,kBnByjCR,CmB1jCM,sFACE,mBnByjCR,CmBrjCM,kDACE,uCnBujCR,CmBjjCI,2CACE,sBAAA,CAEA,SAAA,CADA,kBnBojCN,CmB3iCI,qFAIE,mDnB8iCN,CmBljCI,qFAIE,oDnB8iCN,CmBljCI,2EACE,aAAA,CACA,oBAAA,CAGA,SAAA,CAFA,kBnB+iCN,CmB1iCM,yFAEE,gBAAA,CADA,gBnB6iCR,CmBxiCM,0FACE,YnB0iCR,CACF,CoB9vDA,eAKE,eAAA,CACA,eAAA,CAJA,SpBqwDF,CoB9vDE,gCANA,kBAAA,CAFA,YAAA,CAGA,sBpB4wDF,CoBvwDE,iBAOE,mBAAA,CAFA,aAAA,CADA,gBAAA,CAEA,iBpBiwDJ,CoB5vDE,wBAEE,qDAAA,CADA,uCpB+vDJ,CoB1vDE,qBACE,6CpB4vDJ,CoBvvDI,sDAEE,uDAAA,CADA,+BpB0vDN,CoBtvDM,8DACE,+BpBwvDR,CoBnvDI,mCACE,uCAAA,CACA,oBpBqvDN,CoBjvDI,yBAKE,iBAAA,CADA,yCAAA,CAHA,aAAA,CAEA,eAAA,CADA,YpBsvDN,CqBtyDE,eAGE,+DAAA,CADA,oBAAA,CADA,qBrB2yDJ,CKtnDI,0CgBtLF,eAOI,YrByyDJ,CACF,CqBnyDM,6BACE,oBrBqyDR,CqB/xDE,kBACE,YAAA,CACA,qBAAA,CACA,SAAA,CACA,qBrBiyDJ,CqB1xDI,0BACE,sBrB4xDN,CqBzxDM,gEACE,+BrB2xDR,CqBrxDE,gBAEE,uCAAA,CADA,erBwxDJ,CqBnxDE,kBACE,oBrBqxDJ,CqBlxDI,mCAGE,kBAAA,CAFA,YAAA,CACA,SAAA,CAEA,iBrBoxDN,CqBhxDI,oCAIE,kBAAA,CAHA,mBAAA,CACA,kBAAA,CACA,SAAA,CAGA,QAAA,CADA,iBrBmxDN,CqB9wDI,0DACE,kBrBgxDN,CqBjxDI,0DACE,iBrBgxDN,CqB5wDI,iDACE,uBAAA,CAEA,YrB6wDN,CqBxwDE,4BACE,YrB0wDJ,CqBnwDA,YAGE,kBAAA,CAFA,YAAA,CAIA,eAAA,CAHA,SAAA,CAIA,eAAA,CAFA,UrBwwDF,CqBnwDE,yBACE,WrBqwDJ,CqB9vDA,kBACE,YrBiwDF,CKzrDI,0CgBzEJ,kBAKI,wBrBiwDF,CACF,CqB9vDE,qCACE,WrBgwDJ,CKptDI,sCgB7CF,+CAKI,kBrBgwDJ,CqBrwDA,+CAKI,mBrBgwDJ,CACF,CKtsDI,0CgBrDJ,6BAMI,SAAA,CAFA,eAAA,CACA,UrB6vDF,CqB1vDE,qDACE,gBrB4vDJ,CqBzvDE,gDACE,SrB2vDJ,CqBxvDE,4CACE,iBAAA,CAAA,kBrB0vDJ,CqBvvDE,2CAEE,WAAA,CADA,crB0vDJ,CqBtvDE,2CACE,mBAAA,CACA,cAAA,CACA,SAAA,CACA,oBAAA,CAAA,iBrBwvDJ,CqBrvDE,2CACE,SrBuvDJ,CqBpvDE,qCAEE,WAAA,CACA,eAAA,CAFA,erBwvDJ,CACF,CsBl6DA,MACE,qBAAA,CACA,yBtBq6DF,CsB/5DA,aAME,qCAAA,CADA,cAAA,CAEA,0FACE,CAPF,cAAA,CACA,KAAA,CAaA,mDAAA,CACA,qBAAA,CAJA,wFACE,CATF,UAAA,CADA,StBy6DF,CuBp7DA,MACE,igBvBu7DF,CuBj7DA,WACE,iBvBo7DF,CKtxDI,mCkB/JJ,WAKI,evBo7DF,CACF,CuBj7DE,kBACE,YvBm7DJ,CuB/6DE,oBAEE,SAAA,CADA,SvBk7DJ,CK/wDI,0CkBpKF,8BAkBI,YvB+6DJ,CuBj8DA,8BAkBI,avB+6DJ,CuBj8DA,oBAYI,2CAAA,CACA,kBAAA,CAJA,WAAA,CACA,eAAA,CACA,mBAAA,CALA,iBAAA,CACA,SAAA,CAUA,uBAAA,CAHA,4CACE,CAPF,UvBy7DJ,CuB56DI,+DACE,SAAA,CACA,oCvB86DN,CACF,CKrzDI,mCkBjJF,8BAyCI,MvBw6DJ,CuBj9DA,8BAyCI,OvBw6DJ,CuBj9DA,oBAoCI,0BAAA,CADA,cAAA,CADA,QAAA,CAHA,cAAA,CACA,KAAA,CAKA,sDACE,CALF,OvBg7DJ,CuBr6DI,+DAME,YAAA,CACA,SAAA,CACA,4CACE,CARF,UvB06DN,CACF,CKpzDI,0CkBxGA,+DAII,mBvB45DN,CACF,CKl2DM,+DkB/DF,+DASI,mBvB45DN,CACF,CKv2DM,+DkB/DF,+DAcI,mBvB45DN,CACF,CuBv5DE,kBAEE,kCAAA,CAAA,0BvBw5DJ,CKt0DI,0CkBpFF,4BAmBI,MvBo5DJ,CuBv6DA,4BAmBI,OvBo5DJ,CuBv6DA,kBAUI,QAAA,CAEA,SAAA,CADA,eAAA,CALA,cAAA,CACA,KAAA,CAWA,wBAAA,CALA,qGACE,CALF,OAAA,CADA,SvB+5DJ,CuBj5DI,4BACE,yBvBm5DN,CuB/4DI,6DAEE,WAAA,CACA,SAAA,CAMA,uBAAA,CALA,sGACE,CAJF,UvBq5DN,CACF,CKj3DI,mCkBjEF,4BA2CI,WvB+4DJ,CuB17DA,4BA2CI,UvB+4DJ,CuB17DA,kBA6CI,eAAA,CAHA,iBAAA,CAIA,8CAAA,CAFA,avB84DJ,CACF,CKh5DM,+DkBOF,6DAII,avBy4DN,CACF,CK/3DI,sCkBfA,6DASI,avBy4DN,CACF,CuBp4DE,iBAIE,2CAAA,CACA,0BAAA,CAFA,aAAA,CAFA,iBAAA,CAKA,2CACE,CALF,SvB04DJ,CK54DI,mCkBAF,iBAaI,0BAAA,CACA,mBAAA,CAFA,avBs4DJ,CuBj4DI,uBACE,0BvBm4DN,CACF,CuB/3DI,4DAEE,2CAAA,CACA,6BAAA,CACA,8BAAA,CAHA,gCvBo4DN,CuB53DE,4BAKE,mBAAA,CAAA,oBvBi4DJ,CuBt4DE,4BAKE,mBAAA,CAAA,oBvBi4DJ,CuBt4DE,kBAQE,gBAAA,CAFA,eAAA,CAFA,WAAA,CAHA,iBAAA,CAMA,sBAAA,CAJA,UAAA,CADA,SvBo4DJ,CuB33DI,+BACE,qBvB63DN,CuBz3DI,kEAEE,uCvB03DN,CuBt3DI,6BACE,YvBw3DN,CK55DI,0CkBaF,kBA8BI,eAAA,CADA,aAAA,CADA,UvBy3DJ,CACF,CKt7DI,mCkBgCF,4BAmCI,mBvBy3DJ,CuB55DA,4BAmCI,oBvBy3DJ,CuB55DA,kBAqCI,aAAA,CADA,evBw3DJ,CuBp3DI,+BACE,uCvBs3DN,CuBl3DI,mCACE,gCvBo3DN,CuBh3DI,6DACE,kBvBk3DN,CuB/2DM,8EACE,uCvBi3DR,CuB72DM,0EACE,WvB+2DR,CACF,CuBz2DE,iBAIE,cAAA,CAHA,oBAAA,CAEA,aAAA,CAEA,kCACE,CAJF,YvB82DJ,CuBt2DI,uBACE,UvBw2DN,CuBp2DI,yCAGE,UvBu2DN,CuB12DI,yCAGE,WvBu2DN,CuB12DI,+BACE,iBAAA,CACA,SAAA,CAEA,SvBs2DN,CuBn2DM,6CACE,oBvBq2DR,CK58DI,0CkB+FA,yCAcI,UvBo2DN,CuBl3DE,yCAcI,WvBo2DN,CuBl3DE,+BAaI,SvBq2DN,CuBj2DM,+CACE,YvBm2DR,CACF,CKx+DI,mCkBkHA,+BAwBI,mBvBk2DN,CuB/1DM,8CACE,YvBi2DR,CACF,CuB31DE,8BAGE,WvB+1DJ,CuBl2DE,8BAGE,UvB+1DJ,CuBl2DE,oBAKE,mBAAA,CAJA,iBAAA,CACA,SAAA,CAEA,SvB81DJ,CKp+DI,0CkBkIF,8BAUI,WvB61DJ,CuBv2DA,8BAUI,UvB61DJ,CuBv2DA,oBASI,SvB81DJ,CACF,CuB11DI,uCACE,iBvBg2DN,CuBj2DI,uCACE,kBvBg2DN,CuBj2DI,6BAEE,uCAAA,CACA,SAAA,CAIA,oBAAA,CAHA,+DvB61DN,CuBv1DM,iDAEE,uCAAA,CADA,YvB01DR,CuBr1DM,gGAGE,SAAA,CADA,mBAAA,CAEA,kBvBs1DR,CuBn1DQ,sGACE,UvBq1DV,CuB90DE,8BAOE,mBAAA,CAAA,oBvBq1DJ,CuB51DE,8BAOE,mBAAA,CAAA,oBvBq1DJ,CuB51DE,oBAIE,kBAAA,CAKA,yCAAA,CANA,YAAA,CAKA,eAAA,CAFA,WAAA,CAKA,SAAA,CAVA,iBAAA,CACA,KAAA,CAUA,uBAAA,CAFA,kBAAA,CALA,UvBu1DJ,CK9hEI,mCkBkMF,8BAgBI,mBvBi1DJ,CuBj2DA,8BAgBI,oBvBi1DJ,CuBj2DA,oBAiBI,evBg1DJ,CACF,CuB70DI,+DACE,SAAA,CACA,0BvB+0DN,CuB10DE,6BAKE,+BvB60DJ,CuBl1DE,0DAME,gCvB40DJ,CuBl1DE,6BAME,+BvB40DJ,CuBl1DE,mBAIE,eAAA,CAHA,iBAAA,CAEA,UAAA,CADA,SvBg1DJ,CK7hEI,0CkB2MF,mBAWI,QAAA,CADA,UvB60DJ,CACF,CKtjEI,mCkB8NF,mBAiBI,SAAA,CADA,UAAA,CAEA,sBvB40DJ,CuBz0DI,8DACE,8BAAA,CACA,SvB20DN,CACF,CuBt0DE,uBASE,kCAAA,CAAA,0BAAA,CAFA,2CAAA,CANA,WAAA,CACA,eAAA,CAIA,kBvBu0DJ,CuBj0DI,iEAZF,uBAaI,uBvBo0DJ,CACF,CKnmEM,+DkBiRJ,uBAkBI,avBo0DJ,CACF,CKllEI,sCkB2PF,uBAuBI,avBo0DJ,CACF,CKvlEI,mCkB2PF,uBA4BI,YAAA,CAEA,yDAAA,CADA,oBvBq0DJ,CuBj0DI,kEACE,evBm0DN,CuB/zDI,6BACE,+CvBi0DN,CuB7zDI,0CAEE,YAAA,CADA,WvBg0DN,CuB3zDI,gDACE,oDvB6zDN,CuB1zDM,sDACE,0CvB4zDR,CACF,CuBrzDA,kBACE,gCAAA,CACA,qBvBwzDF,CuBrzDE,wBAKE,qDAAA,CADA,uCAAA,CAFA,gBAAA,CACA,kBAAA,CAFA,eAAA,CAKA,uBvBuzDJ,CK3nEI,mCkB8TF,kCAUI,mBvBuzDJ,CuBj0DA,kCAUI,oBvBuzDJ,CACF,CuBnzDE,wBAGE,eAAA,CADA,QAAA,CADA,SAAA,CAIA,wBAAA,CAAA,gBvBozDJ,CuBhzDE,wBACE,yDvBkzDJ,CuB/yDI,oCACE,evBizDN,CuB5yDE,wBACE,aAAA,CACA,YAAA,CAEA,uBAAA,CADA,gCvB+yDJ,CuB3yDI,4DACE,uDvB6yDN,CuBzyDI,gDACE,mBvB2yDN,CuBtyDE,gCAKE,cAAA,CADA,aAAA,CAEA,YAAA,CALA,eAAA,CAMA,uBAAA,CALA,KAAA,CACA,SvB4yDJ,CuBryDI,wCACE,YvBuyDN,CuBlyDI,wDACE,YvBoyDN,CuBhyDI,oCAGE,+BAAA,CADA,gBAAA,CADA,mBAAA,CAGA,2CvBkyDN,CK7qEI,mCkBuYA,8CAUI,mBvBgyDN,CuB1yDE,8CAUI,oBvBgyDN,CACF,CuB5xDI,oFAEE,uDAAA,CADA,+BvB+xDN,CuBzxDE,sCACE,2CvB2xDJ,CuBtxDE,2BAGE,eAAA,CADA,eAAA,CADA,iBvB0xDJ,CK9rEI,mCkBmaF,qCAOI,mBvBwxDJ,CuB/xDA,qCAOI,oBvBwxDJ,CACF,CuBpxDE,kCAEE,MvB0xDJ,CuB5xDE,kCAEE,OvB0xDJ,CuB5xDE,wBAME,uCAAA,CAFA,aAAA,CACA,YAAA,CAJA,iBAAA,CAEA,YvByxDJ,CKxrEI,0CkB4ZF,wBAUI,YvBsxDJ,CACF,CuBnxDI,8BAKE,6BAAA,CADA,UAAA,CAHA,oBAAA,CAEA,WAAA,CAGA,+CAAA,CAAA,uCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAPA,UvB4xDN,CuBlxDM,wCACE,oBvBoxDR,CuB9wDE,8BAGE,uCAAA,CAFA,gBAAA,CACA,evBixDJ,CuB7wDI,iCAKE,gCAAA,CAHA,eAAA,CACA,eAAA,CACA,eAAA,CAHA,evBmxDN,CuB5wDM,sCACE,oBvB8wDR,CuBzwDI,iCAKE,gCAAA,CAHA,gBAAA,CACA,eAAA,CACA,eAAA,CAHA,avB+wDN,CuBxwDM,sCACE,oBvB0wDR,CuBpwDE,yBAKE,gCAAA,CAJA,aAAA,CAEA,gBAAA,CACA,iBAAA,CAFA,avBywDJ,CuBlwDE,uBAGE,wBAAA,CAFA,+BAAA,CACA,yBvBqwDJ,CwBz6EA,WACE,iBAAA,CACA,SxB46EF,CwBz6EE,kBAOE,2CAAA,CACA,mBAAA,CACA,8BAAA,CAHA,gCAAA,CAHA,QAAA,CAEA,gBAAA,CADA,YAAA,CAMA,SAAA,CATA,iBAAA,CACA,sBAAA,CAaA,mCAAA,CAJA,oExB46EJ,CwBr6EI,6EACE,gBAAA,CACA,SAAA,CAKA,+BAAA,CAJA,8ExBw6EN,CwBh6EI,wBAWE,+BAAA,CAAA,8CAAA,CAFA,6BAAA,CAAA,8BAAA,CACA,YAAA,CAFA,UAAA,CAHA,QAAA,CAFA,QAAA,CAIA,kBAAA,CADA,iBAAA,CALA,iBAAA,CACA,KAAA,CAEA,OxBy6EN,CwB75EE,iBAOE,mBAAA,CAFA,eAAA,CACA,oBAAA,CAHA,QAAA,CAFA,kBAAA,CAGA,aAAA,CAFA,SxBo6EJ,CwB35EE,iBACE,kBxB65EJ,CwBz5EE,2BAGE,kBAAA,CAAA,oBxB+5EJ,CwBl6EE,2BAGE,mBAAA,CAAA,mBxB+5EJ,CwBl6EE,iBAIE,cAAA,CAHA,aAAA,CAIA,YAAA,CAIA,uBAAA,CAHA,2CACE,CALF,UxBg6EJ,CwBt5EI,8CACE,+BxBw5EN,CwBp5EI,uBACE,qDxBs5EN,CyB1+EA,YAIE,qBAAA,CADA,aAAA,CAGA,gBAAA,CALA,eAAA,CACA,UAAA,CAGA,azB8+EF,CyB1+EE,aATF,YAUI,YzB6+EF,CACF,CK/zEI,0CoB3KF,+BAeI,azBw+EJ,CyBv/EA,+BAeI,czBw+EJ,CyBv/EA,qBAUI,2CAAA,CAHA,aAAA,CAEA,WAAA,CALA,cAAA,CACA,KAAA,CASA,uBAAA,CAHA,iEACE,CAJF,aAAA,CAFA,SzBi/EJ,CyBr+EI,mEACE,8BAAA,CACA,6BzBu+EN,CyBp+EM,6EACE,8BzBs+ER,CyBj+EI,6CAEE,QAAA,CAAA,MAAA,CACA,QAAA,CAEA,eAAA,CAJA,iBAAA,CACA,OAAA,CAEA,qBAAA,CAFA,KzBs+EN,CACF,CK92EI,sCoBtKJ,YAuDI,QzBi+EF,CyB99EE,mBACE,WzBg+EJ,CyB59EE,6CACE,UzB89EJ,CACF,CyB19EE,uBACE,YAAA,CACA,OzB49EJ,CK73EI,mCoBjGF,uBAMI,QzB49EJ,CyBz9EI,8BACE,WzB29EN,CyBv9EI,qCACE,azBy9EN,CyBr9EI,+CACE,kBzBu9EN,CACF,CyBl9EE,wBAUE,uBAAA,CANA,kCAAA,CAAA,0BAAA,CAHA,cAAA,CACA,eAAA,CASA,yDAAA,CAFA,oBzBi9EJ,CyB58EI,2CAEE,YAAA,CADA,WzB+8EN,CyB18EI,mEACE,+CzB48EN,CyBz8EM,qHACE,oDzB28ER,CyBx8EQ,iIACE,0CzB08EV,CyB37EE,wCAGE,wBACE,qBzB27EJ,CyBv7EE,6BACE,kCzBy7EJ,CyB17EE,6BACE,iCzBy7EJ,CACF,CKr5EI,0CoB5BF,YAME,0BAAA,CADA,QAAA,CAEA,SAAA,CANA,cAAA,CACA,KAAA,CAMA,sDACE,CALF,OAAA,CADA,SzB07EF,CyB/6EE,4CAEE,WAAA,CACA,SAAA,CACA,4CACE,CAJF,UzBo7EJ,CACF,C0BjmFA,iBACE,GACE,Q1BmmFF,C0BhmFA,GACE,a1BkmFF,CACF,C0B9lFA,gBACE,GACE,SAAA,CACA,0B1BgmFF,C0B7lFA,IACE,S1B+lFF,C0B5lFA,GACE,SAAA,CACA,uB1B8lFF,CACF,C0BtlFA,MACE,+eAAA,CACA,ygBAAA,CACA,mmBAAA,CACA,sf1BwlFF,C0BllFA,WAOE,kCAAA,CAAA,0BAAA,CANA,aAAA,CACA,gBAAA,CACA,eAAA,CAEA,uCAAA,CAGA,uBAAA,CAJA,kB1BwlFF,C0BjlFE,iBACE,U1BmlFJ,C0B/kFE,iBACE,oBAAA,CAEA,aAAA,CACA,qBAAA,CAFA,U1BmlFJ,C0B9kFI,+BACE,iB1BilFN,C0BllFI,+BACE,kB1BilFN,C0BllFI,qBAEE,gB1BglFN,C0B5kFI,kDACE,iB1B+kFN,C0BhlFI,kDACE,kB1B+kFN,C0BhlFI,kDAEE,iB1B8kFN,C0BhlFI,kDAEE,kB1B8kFN,C0BzkFE,iCAGE,iB1B8kFJ,C0BjlFE,iCAGE,kB1B8kFJ,C0BjlFE,uBACE,oBAAA,CACA,6BAAA,CAEA,eAAA,CACA,sBAAA,CACA,qB1B2kFJ,C0BvkFE,kBACE,YAAA,CAMA,gBAAA,CALA,SAAA,CAMA,oBAAA,CAHA,gBAAA,CAIA,WAAA,CAHA,eAAA,CAFA,SAAA,CADA,U1B+kFJ,C0BtkFI,iDACE,4B1BwkFN,C0BnkFE,iBACE,eAAA,CACA,sB1BqkFJ,C0BlkFI,gDACE,2B1BokFN,C0BhkFI,kCAIE,kB1BwkFN,C0B5kFI,kCAIE,iB1BwkFN,C0B5kFI,wBAOE,6BAAA,CADA,UAAA,CALA,oBAAA,CAEA,YAAA,CAKA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CALA,uBAAA,CAHA,W1B0kFN,C0B9jFI,iCACE,a1BgkFN,C0B5jFI,iCACE,gDAAA,CAAA,wC1B8jFN,C0B1jFI,+BACE,8CAAA,CAAA,sC1B4jFN,C0BxjFI,+BACE,8CAAA,CAAA,sC1B0jFN,C0BtjFI,sCACE,qDAAA,CAAA,6C1BwjFN,C0BljFA,gBACE,Y1BqjFF,C0BljFE,gCAIE,kB1BsjFJ,C0B1jFE,gCAIE,iB1BsjFJ,C0B1jFE,sBAGE,kBAAA,CAGA,uCAAA,CALA,mBAAA,CAIA,gBAAA,CAHA,S1BwjFJ,C0BjjFI,+BACE,aAAA,CACA,oB1BmjFN,C0B/iFI,2CACE,U1BkjFN,C0BnjFI,2CACE,W1BkjFN,C0BnjFI,iCAEE,kB1BijFN,C0B7iFI,0BACE,W1B+iFN,C2BtuFA,MACE,mSAAA,CACA,oVAAA,CACA,mOAAA,CACA,qZ3ByuFF,C2BhuFE,iBAME,kDAAA,CADA,UAAA,CAJA,oBAAA,CAEA,cAAA,CAIA,mCAAA,CAAA,2BAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CANA,0BAAA,CAFA,a3B2uFJ,C2B/tFE,uBACE,6B3BiuFJ,C2B7tFE,sBACE,wCAAA,CAAA,gC3B+tFJ,C2B3tFE,6BACE,+CAAA,CAAA,uC3B6tFJ,C2BztFE,4BACE,8CAAA,CAAA,sC3B2tFJ,C4BtwFA,SASE,2CAAA,CADA,gCAAA,CAJA,aAAA,CAGA,eAAA,CADA,aAAA,CADA,UAAA,CAFA,S5B6wFF,C4BpwFE,aAZF,SAaI,Y5BuwFF,CACF,CK5lFI,0CuBzLJ,SAkBI,Y5BuwFF,CACF,C4BpwFE,iBACE,mB5BswFJ,C4BlwFE,yBAIE,iB5BywFJ,C4B7wFE,yBAIE,kB5BywFJ,C4B7wFE,eAQE,eAAA,CAPA,YAAA,CAMA,eAAA,CAJA,QAAA,CAEA,aAAA,CAHA,SAAA,CAWA,oBAAA,CAPA,kB5BuwFJ,C4B7vFI,kCACE,Y5B+vFN,C4B1vFE,eACE,aAAA,CACA,kBAAA,CAAA,mB5B4vFJ,C4BzvFI,sCACE,aAAA,CACA,S5B2vFN,C4BrvFE,eAOE,kCAAA,CAAA,0BAAA,CANA,YAAA,CAEA,eAAA,CADA,gBAAA,CAMA,UAAA,CAJA,uCAAA,CACA,oBAAA,CAIA,8D5BsvFJ,C4BjvFI,0CACE,aAAA,CACA,S5BmvFN,C4B/uFI,6BAEE,kB5BkvFN,C4BpvFI,6BAEE,iB5BkvFN,C4BpvFI,mBAGE,iBAAA,CAFA,Y5BmvFN,C4B5uFM,2CACE,qB5B8uFR,C4B/uFM,2CACE,qB5BivFR,C4BlvFM,2CACE,qB5BovFR,C4BrvFM,2CACE,qB5BuvFR,C4BxvFM,2CACE,oB5B0vFR,C4B3vFM,2CACE,qB5B6vFR,C4B9vFM,2CACE,qB5BgwFR,C4BjwFM,2CACE,qB5BmwFR,C4BpwFM,4CACE,qB5BswFR,C4BvwFM,4CACE,oB5BywFR,C4B1wFM,4CACE,qB5B4wFR,C4B7wFM,4CACE,qB5B+wFR,C4BhxFM,4CACE,qB5BkxFR,C4BnxFM,4CACE,qB5BqxFR,C4BtxFM,4CACE,oB5BwxFR,C4BlxFI,gCACE,SAAA,CAIA,yBAAA,CAHA,wC5BqxFN,C6Bx3FA,MACE,wS7B23FF,C6Bl3FE,mCACE,mBAAA,CACA,cAAA,CACA,QAAA,CAEA,mBAAA,CADA,kB7Bs3FJ,C6Bj3FE,oBAGE,kBAAA,CAOA,+CAAA,CACA,oBAAA,CAVA,mBAAA,CAIA,gBAAA,CACA,0BAAA,CACA,eAAA,CALA,QAAA,CAOA,qBAAA,CADA,eAAA,CAJA,wB7B03FJ,C6Bh3FI,0BAGE,uCAAA,CAFA,aAAA,CACA,YAAA,CAEA,6C7Bk3FN,C6B72FM,gEAEE,0CAAA,CADA,+B7Bg3FR,C6B12FI,yBACE,uB7B42FN,C6Bp2FI,gCAME,oDAAA,CADA,UAAA,CAJA,oBAAA,CAEA,YAAA,CAKA,qCAAA,CAAA,6BAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAJA,iCAAA,CAHA,0BAAA,CAFA,W7B+2FN,C6Bl2FI,wFACE,0C7Bo2FN,C8B96FA,iBACE,GACE,oB9Bi7FF,C8B96FA,IACE,kB9Bg7FF,C8B76FA,GACE,oB9B+6FF,CACF,C8Bv6FA,MACE,0NAAA,CACA,uP9B06FF,C8Bn6FA,YA6BE,kCAAA,CAAA,0BAAA,CAVA,2CAAA,CACA,mBAAA,CACA,8BAAA,CAHA,gCAAA,CADA,sCAAA,CAdA,+IACE,CAYF,8BAAA,CAMA,SAAA,CArBA,iBAAA,CACA,uBAAA,CAyBA,4BAAA,CAJA,uDACE,CATF,6BAAA,CADA,S9Bu6FF,C8Br5FE,oBAEE,SAAA,CAKA,uBAAA,CAJA,2EACE,CAHF,S9B05FJ,C8Bh5FE,oBAEE,eAAA,CACA,wBAAA,CAAA,gBAAA,CAFA,U9Bo5FJ,C8B/4FI,6CACE,qC9Bi5FN,C8B74FI,uCAEE,eAAA,CADA,mB9Bg5FN,C8B14FI,6BACE,Y9B44FN,C8Bv4FE,8CACE,sC9By4FJ,C8Br4FE,mBAEE,gBAAA,CADA,a9Bw4FJ,C8Bp4FI,2CACE,Y9Bs4FN,C8Bl4FI,0CACE,e9Bo4FN,C8B53FA,eACE,iBAAA,CACA,eAAA,CAIA,YAAA,CAHA,kBAAA,CAEA,0BAAA,CADA,kB9Bi4FF,C8B53FE,yBACE,a9B83FJ,C8B13FE,oBACE,sCAAA,CACA,iB9B43FJ,C8Bx3FE,6BACE,oBAAA,CAGA,gB9Bw3FJ,C8Bp3FE,sBAYE,mBAAA,CANA,cAAA,CAHA,oBAAA,CACA,gBAAA,CAAA,iBAAA,CAIA,YAAA,CAGA,eAAA,CAVA,iBAAA,CAMA,wBAAA,CAAA,gBAAA,CAFA,uBAAA,CAHA,S9B83FJ,C8Bh3FI,qCACE,uB9Bk3FN,C8B92FI,cArBF,sBAsBI,W9Bi3FJ,C8B92FI,wCACE,2B9Bg3FN,C8B52FI,6BAOE,qCAAA,CACA,+CAAA,CAAA,uC9Bi3FN,C8Bv2FI,yDAZE,UAAA,CADA,YAAA,CAIA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAVA,iBAAA,CACA,SAAA,CAEA,WAAA,CADA,U9Bq4FN,C8Bt3FI,4BAOE,oDAAA,CAMA,4CAAA,CAAA,oCAAA,CADA,uBAAA,CAJA,+C9B82FN,C8Bn2FM,gDACE,uB9Bq2FR,C8Bj2FM,mFACE,0C9Bm2FR,CACF,C8B91FI,0CAGE,2BAAA,CADA,uBAAA,CADA,S9Bk2FN,C8B51FI,8CACE,oB9B81FN,C8B31FM,aAJF,8CASI,8CAAA,CACA,iBAAA,CAHA,gCAAA,CADA,eAAA,CADA,cAAA,CAGA,kB9Bg2FN,C8B31FM,oDACE,mC9B61FR,CACF,C8Bj1FE,gCAEE,iBAAA,CADA,e9Bq1FJ,C8Bj1FI,mCACE,iB9Bm1FN,C8Bh1FM,oDAGE,a9B81FR,C8Bj2FM,oDAGE,c9B81FR,C8Bj2FM,0CAcE,8CAAA,CACA,iBAAA,CALA,gCAAA,CAEA,oBAAA,CACA,qBAAA,CANA,iBAAA,CACA,eAAA,CAHA,UAAA,CAIA,gBAAA,CALA,aAAA,CAEA,cAAA,CALA,iBAAA,CAUA,iBAAA,CATA,S9B+1FR,C+B9mGA,MACE,wBAAA,CACA,wB/BinGF,C+B3mGA,aA+BE,kCAAA,CAAA,0BAAA,CAjBA,gCAAA,CADA,sCAAA,CAGA,SAAA,CADA,mBAAA,CAdA,iBAAA,CAGA,wDACE,CAgBF,4BAAA,CAGA,uEACE,CARF,uDACE,CATF,UAAA,CAGA,S/B8mGF,C+BxlGE,oBAuBE,8CAAA,CAAA,+CAAA,CADA,UAAA,CADA,aAAA,CAfA,gJACE,CANF,iBAAA,CAmBA,S/B4kGJ,C+BrkGE,yBAGE,kEAAA,CAFA,gDAAA,CACA,6C/BwkGJ,C+BnkGE,4BAGE,qEAAA,CADA,8CAAA,CADA,6C/BukGJ,C+BjkGE,qBAEE,SAAA,CAKA,uBAAA,CAJA,wEACE,CAHF,S/BskGJ,C+B5jGE,oBAyBE,uBAAA,CAJA,2CAAA,CACA,mBAAA,CACA,8BAAA,CAjBA,0FACE,CAaF,eAAA,CADA,8BAAA,CAlBA,iBAAA,CAuBA,oB/B+iGJ,C+B3iGI,uCAEE,YAAA,CADA,W/B8iGN,C+BziGI,6CACE,oD/B2iGN,C+BxiGM,mDACE,0C/B0iGR,C+BliGI,mCAwBE,eAAA,CACA,eAAA,CAxBA,oIACE,CAgBF,sCACE,CAIF,mBAAA,CAKA,wBAAA,CAAA,gBAAA,CAbA,sBAAA,CAAA,iB/B4hGN,C+B3gGI,4CACE,Y/B6gGN,C+BzgGI,2CACE,e/B2gGN,CgC9rGA,kBAME,ehC0sGF,CgChtGA,kBAME,gBhC0sGF,CgChtGA,QAUE,2CAAA,CACA,oBAAA,CAEA,8BAAA,CALA,uCAAA,CACA,cAAA,CALA,aAAA,CAGA,eAAA,CAKA,YAAA,CAPA,mBAAA,CAJA,cAAA,CACA,UAAA,CAiBA,yBAAA,CALA,mGACE,CAZF,ShC6sGF,CgC1rGE,aAtBF,QAuBI,YhC6rGF,CACF,CgC1rGE,kBACE,wBhC4rGJ,CgCxrGE,gBAEE,SAAA,CADA,mBAAA,CAGA,+BAAA,CADA,uBhC2rGJ,CgCvrGI,0BACE,8BhCyrGN,CgCprGE,4BAEE,0CAAA,CADA,+BhCurGJ,CgClrGE,YACE,oBAAA,CACA,oBhCorGJ,CiCzuGA,oBACE,GACE,mBjC4uGF,CACF,CiCpuGA,MACE,wfjCsuGF,CiChuGA,YACE,aAAA,CAEA,eAAA,CADA,ajCouGF,CiChuGE,+BAOE,kBAAA,CAAA,kBjCiuGJ,CiCxuGE,+BAOE,iBAAA,CAAA,mBjCiuGJ,CiCxuGE,qBAQE,aAAA,CACA,cAAA,CACA,YAAA,CATA,iBAAA,CAKA,UjCkuGJ,CiC3tGI,qCAIE,iBjCmuGN,CiCvuGI,qCAIE,kBjCmuGN,CiCvuGI,2BAME,6BAAA,CADA,UAAA,CAJA,oBAAA,CAEA,YAAA,CAIA,yCAAA,CAAA,iCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CARA,WjCquGN,CiCxtGE,mBACE,iBAAA,CACA,UjC0tGJ,CiCttGE,kBAUE,2CAAA,CACA,mBAAA,CACA,8BAAA,CAJA,gCAAA,CACA,oBAAA,CAHA,kBAAA,CAFA,YAAA,CASA,SAAA,CANA,aAAA,CAFA,SAAA,CAJA,iBAAA,CAgBA,4BAAA,CAfA,UAAA,CAYA,+CACE,CAZF,SjCouGJ,CiCntGI,+EACE,gBAAA,CACA,SAAA,CACA,sCjCqtGN,CiC/sGI,qCAEE,oCACE,gCjCgtGN,CiC5sGI,2CACE,cjC8sGN,CACF,CiCzsGE,kBACE,kBjC2sGJ,CiCvsGE,4BAGE,kBAAA,CAAA,oBjC8sGJ,CiCjtGE,4BAGE,mBAAA,CAAA,mBjC8sGJ,CiCjtGE,kBAKE,cAAA,CAJA,aAAA,CAKA,YAAA,CAIA,uBAAA,CAHA,2CACE,CAJF,kBAAA,CAFA,UjC+sGJ,CiCpsGI,gDACE,+BjCssGN,CiClsGI,wBACE,qDjCosGN,CkC1yGA,MAEI,uWAAA,CAAA,8WAAA,CAAA,sPAAA,CAAA,8xBAAA,CAAA,0MAAA,CAAA,gbAAA,CAAA,gMAAA,CAAA,iQAAA,CAAA,0VAAA,CAAA,6aAAA,CAAA,8SAAA,CAAA,gMlCm0GJ,CkCvzGE,4CAME,8CAAA,CACA,4BAAA,CACA,mBAAA,CACA,8BAAA,CAJA,mCAAA,CAJA,iBAAA,CAGA,gBAAA,CADA,iBAAA,CADA,eAAA,CASA,uBAAA,CADA,2BlC2zGJ,CkCvzGI,aAdF,4CAeI,elC0zGJ,CACF,CkCvzGI,sEACE,gClCyzGN,CkCpzGI,gDACE,qBlCszGN,CkClzGI,gIAEE,iBAAA,CADA,clCqzGN,CkChzGI,4FACE,iBlCkzGN,CkC9yGI,kFACE,elCgzGN,CkC5yGI,0FACE,YlC8yGN,CkC1yGI,8EACE,mBlC4yGN,CkCvyGE,sEAGE,iBAAA,CAAA,mBlCizGJ,CkCpzGE,sEAGE,kBAAA,CAAA,kBlCizGJ,CkCpzGE,sEASE,uBlC2yGJ,CkCpzGE,sEASE,wBlC2yGJ,CkCpzGE,sEAUE,4BlC0yGJ,CkCpzGE,4IAWE,6BlCyyGJ,CkCpzGE,sEAWE,4BlCyyGJ,CkCpzGE,kDAOE,0BAAA,CACA,WAAA,CAFA,eAAA,CADA,eAAA,CAHA,oBAAA,CAAA,iBAAA,CADA,iBlCmzGJ,CkCtyGI,kFACE,elCwyGN,CkCpyGI,oFAOE,UlC0yGN,CkCjzGI,oFAOE,WlC0yGN,CkCjzGI,gEAME,wBhBkIU,CgBnIV,UAAA,CADA,WAAA,CAIA,kDAAA,CAAA,0CAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAVA,iBAAA,CACA,UAAA,CACA,UlC8yGN,CkClyGI,4DACE,4DlCoyGN,CkCtxGE,sDACE,oBlCyxGJ,CkCtxGI,gFACE,gClCwxGN,CkCnxGE,8DACE,0BlCsxGJ,CkCnxGI,4EACE,wBAlBG,CAmBH,kDAAA,CAAA,0ClCqxGN,CkCjxGI,0EACE,alCmxGN,CkCxyGE,8DACE,oBlC2yGJ,CkCxyGI,wFACE,gClC0yGN,CkCryGE,sEACE,0BlCwyGJ,CkCryGI,oFACE,wBAlBG,CAmBH,sDAAA,CAAA,8ClCuyGN,CkCnyGI,kFACE,alCqyGN,CkC1zGE,sDACE,oBlC6zGJ,CkC1zGI,gFACE,gClC4zGN,CkCvzGE,8DACE,0BlC0zGJ,CkCvzGI,4EACE,wBAlBG,CAmBH,kDAAA,CAAA,0ClCyzGN,CkCrzGI,0EACE,alCuzGN,CkC50GE,oDACE,oBlC+0GJ,CkC50GI,8EACE,gClC80GN,CkCz0GE,4DACE,0BlC40GJ,CkCz0GI,0EACE,wBAlBG,CAmBH,iDAAA,CAAA,yClC20GN,CkCv0GI,wEACE,alCy0GN,CkC91GE,4DACE,oBlCi2GJ,CkC91GI,sFACE,gClCg2GN,CkC31GE,oEACE,0BlC81GJ,CkC31GI,kFACE,wBAlBG,CAmBH,qDAAA,CAAA,6ClC61GN,CkCz1GI,gFACE,alC21GN,CkCh3GE,8DACE,oBlCm3GJ,CkCh3GI,wFACE,gClCk3GN,CkC72GE,sEACE,0BlCg3GJ,CkC72GI,oFACE,wBAlBG,CAmBH,sDAAA,CAAA,8ClC+2GN,CkC32GI,kFACE,alC62GN,CkCl4GE,4DACE,oBlCq4GJ,CkCl4GI,sFACE,gClCo4GN,CkC/3GE,oEACE,0BlCk4GJ,CkC/3GI,kFACE,wBAlBG,CAmBH,qDAAA,CAAA,6ClCi4GN,CkC73GI,gFACE,alC+3GN,CkCp5GE,4DACE,oBlCu5GJ,CkCp5GI,sFACE,gClCs5GN,CkCj5GE,oEACE,0BlCo5GJ,CkCj5GI,kFACE,wBAlBG,CAmBH,qDAAA,CAAA,6ClCm5GN,CkC/4GI,gFACE,alCi5GN,CkCt6GE,0DACE,oBlCy6GJ,CkCt6GI,oFACE,gClCw6GN,CkCn6GE,kEACE,0BlCs6GJ,CkCn6GI,gFACE,wBAlBG,CAmBH,oDAAA,CAAA,4ClCq6GN,CkCj6GI,8EACE,alCm6GN,CkCx7GE,oDACE,oBlC27GJ,CkCx7GI,8EACE,gClC07GN,CkCr7GE,4DACE,0BlCw7GJ,CkCr7GI,0EACE,wBAlBG,CAmBH,iDAAA,CAAA,yClCu7GN,CkCn7GI,wEACE,alCq7GN,CkC18GE,4DACE,oBlC68GJ,CkC18GI,sFACE,gClC48GN,CkCv8GE,oEACE,0BlC08GJ,CkCv8GI,kFACE,wBAlBG,CAmBH,qDAAA,CAAA,6ClCy8GN,CkCr8GI,gFACE,alCu8GN,CkC59GE,wDACE,oBlC+9GJ,CkC59GI,kFACE,gClC89GN,CkCz9GE,gEACE,0BlC49GJ,CkCz9GI,8EACE,wBAlBG,CAmBH,mDAAA,CAAA,2ClC29GN,CkCv9GI,4EACE,alCy9GN,CmC7nHA,MACE,wMnCgoHF,CmCvnHE,sBAEE,uCAAA,CADA,gBnC2nHJ,CmCvnHI,mCACE,anCynHN,CmC1nHI,mCACE,cnCynHN,CmCrnHM,4BACE,sBnCunHR,CmCpnHQ,mCACE,gCnCsnHV,CmClnHQ,2DACE,SAAA,CAEA,uBAAA,CADA,enCqnHV,CmChnHQ,yGACE,SAAA,CACA,uBnCknHV,CmC9mHQ,yCACE,YnCgnHV,CmCzmHE,0BACE,eAAA,CACA,enC2mHJ,CmCxmHI,+BACE,oBnC0mHN,CmCrmHE,gDACE,YnCumHJ,CmCnmHE,8BAIE,+BAAA,CAHA,oBAAA,CAEA,WAAA,CAGA,SAAA,CAKA,4BAAA,CAJA,4DACE,CAHF,0BnCumHJ,CmC9lHI,aAdF,8BAeI,+BAAA,CACA,SAAA,CACA,uBnCimHJ,CACF,CmC9lHI,wCACE,6BnCgmHN,CmC5lHI,oCACE,+BnC8lHN,CmC1lHI,qCAKE,6BAAA,CADA,UAAA,CAHA,oBAAA,CAEA,YAAA,CAGA,2CAAA,CAAA,mCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAPA,WnCmmHN,CmCtlHQ,mDACE,oBnCwlHV,CoCtsHE,kCAEE,iBpC4sHJ,CoC9sHE,kCAEE,kBpC4sHJ,CoC9sHE,wBAGE,yCAAA,CAFA,oBAAA,CAGA,SAAA,CACA,mCpCysHJ,CoCpsHI,aAVF,wBAWI,YpCusHJ,CACF,CoCnsHE,6FAEE,SAAA,CACA,mCpCqsHJ,CoC/rHE,4FAEE,+BpCisHJ,CoC7rHE,oBACE,yBAAA,CACA,uBAAA,CAGA,yEpC6rHJ,CK9jHI,sC+BrHE,qDACE,uBpCsrHN,CACF,CoCjrHE,kEACE,yBpCmrHJ,CoC/qHE,sBACE,0BpCirHJ,CqC5uHE,2BACE,arC+uHJ,CK1jHI,0CgCtLF,2BAKI,erC+uHJ,CqC5uHI,6BACE,iBrC8uHN,CACF,CqC1uHI,6BAEE,0BAAA,CAAA,2BAAA,CADA,eAAA,CAEA,iBrC4uHN,CqCzuHM,2CACE,kBrC2uHR,CqCruHI,6CACE,QrCuuHN,CsCnwHE,uBACE,4CtCuwHJ,CsClwHE,8CAJE,kCAAA,CAAA,0BtC0wHJ,CsCtwHE,uBACE,4CtCqwHJ,CsChwHE,4BAEE,kCAAA,CAAA,0BAAA,CADA,qCtCmwHJ,CsC/vHI,mCACE,atCiwHN,CsC7vHI,kCACE,atC+vHN,CsC1vHE,0BAKE,eAAA,CAJA,aAAA,CAEA,YAAA,CACA,aAAA,CAFA,kBAAA,CAAA,mBtC+vHJ,CsCzvHI,uCACE,etC2vHN,CsCvvHI,sCACE,kBtCyvHN,CuCtyHA,MACE,8LvCyyHF,CuChyHE,oBAGE,iBAAA,CAEA,gBAAA,CADA,avCkyHJ,CuC9xHI,wCACE,uBvCgyHN,CuC5xHI,gCAEE,eAAA,CADA,gBvC+xHN,CuCxxHM,wCACE,mBvC0xHR,CuCpxHE,8BAKE,oBvCwxHJ,CuC7xHE,8BAKE,mBvCwxHJ,CuC7xHE,8BAUE,4BvCmxHJ,CuC7xHE,4DAWE,6BvCkxHJ,CuC7xHE,8BAWE,4BvCkxHJ,CuC7xHE,oBASE,cAAA,CANA,aAAA,CACA,eAAA,CAIA,evCqxHJ,CuC/wHI,kCACE,uCAAA,CACA,oBvCixHN,CuC7wHI,wCAEE,uCAAA,CADA,YvCgxHN,CuC3wHI,oCASE,WvCixHN,CuC1xHI,oCASE,UvCixHN,CuC1xHI,0BAME,6BAAA,CADA,UAAA,CADA,WAAA,CAMA,yCAAA,CAAA,iCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAZA,iBAAA,CACA,UAAA,CAMA,sBAAA,CADA,yBAAA,CAJA,UvCuxHN,CuC1wHM,oCACE,wBvC4wHR,CuCvwHI,4BACE,YvCywHN,CuCpwHI,4CACE,YvCswHN,CwCh2HE,+DACE,sBAAA,CAEA,mBAAA,CACA,0BAAA,CACA,uBxCk2HJ,CwC/1HI,2EAGE,iBAAA,CADA,eAAA,CADA,yBxCm2HN,CwC51HE,mEACE,0BxC81HJ,CwC11HE,oBACE,qBxC41HJ,CwCx1HE,gBACE,oBxC01HJ,CwCt1HE,gBACE,qBxCw1HJ,CwCp1HE,iBACE,kBxCs1HJ,CwCl1HE,kBACE,kBxCo1HJ,CyC73HE,6BACE,sCzCg4HJ,CyC73HE,cACE,yCzC+3HJ,CyCn3HE,sIACE,oCzCq3HJ,CyC72HE,2EACE,qCzC+2HJ,CyCr2HE,wGACE,oCzCu2HJ,CyC91HE,yFACE,qCzCg2HJ,CyC31HE,6BACE,kCzC61HJ,CyCv1HE,6CACE,sCzCy1HJ,CyCl1HE,4DACE,sCzCo1HJ,CyC70HE,4DACE,qCzC+0HJ,CyCt0HE,yFACE,qCzCw0HJ,CyCh0HE,2EACE,sCzCk0HJ,CyCvzHE,wHACE,qCzCyzHJ,CyCpzHE,8BAGE,mBAAA,CADA,gBAAA,CADA,gBzCwzHJ,CyCnzHE,eACE,4CzCqzHJ,CyClzHE,eACE,4CzCozHJ,CyChzHE,gBAIE,+CAAA,CACA,kDAAA,CAJA,aAAA,CAEA,wBAAA,CADA,wBzCqzHJ,CyC9yHE,yBAOE,wCAAA,CACA,+DAAA,CACA,4BAAA,CACA,6BAAA,CARA,iBAAA,CAGA,eAAA,CACA,eAAA,CAFA,cAAA,CADA,oCAAA,CAFA,iBzCyzHJ,CyC7yHI,6BACE,YzC+yHN,CyC5yHM,kCACE,wBAAA,CACA,yBzC8yHR,CyCxyHE,iCAaE,wCAAA,CACA,+DAAA,CAJA,uCAAA,CACA,0BAAA,CALA,UAAA,CAJA,oBAAA,CAOA,2BAAA,CADA,2BAAA,CADA,2BAAA,CANA,eAAA,CAWA,wBAAA,CAAA,gBAAA,CAPA,SzCizHJ,CyC/xHE,sBACE,iBAAA,CACA,iBzCiyHJ,CyC5xHE,iCAKE,ezC0xHJ,CyCvxHI,sCACE,gBzCyxHN,CyCrxHI,gDACE,YzCuxHN,CyC7wHA,gBACE,iBzCgxHF,CyC5wHE,yCACE,aAAA,CACA,SzC8wHJ,CyCzwHE,mBACE,YzC2wHJ,CyCtwHE,oBACE,QzCwwHJ,CyCpwHE,4BACE,WAAA,CACA,SAAA,CACA,ezCswHJ,CyCnwHI,0CACE,YzCqwHN,CyC/vHE,yBAKE,wCAAA,CAEA,+BAAA,CADA,4BAAA,CAHA,eAAA,CADA,oDAAA,CAEA,wBAAA,CAAA,gBzCowHJ,CyC7vHE,2BAEE,+DAAA,CADA,2BzCgwHJ,CyC5vHI,+BACE,uCAAA,CACA,gBzC8vHN,CyCzvHE,sBACE,MAAA,CACA,WzC2vHJ,CyCtvHA,aACE,azCyvHF,CyC/uHE,4BAEE,aAAA,CADA,YzCmvHJ,CyC/uHI,wDAEE,2BAAA,CADA,wBzCkvHN,CyC5uHE,+BAKE,2CAAA,CAEA,+BAAA,CADA,gCAAA,CADA,sBAAA,CAHA,mBAAA,CACA,gBAAA,CAFA,azCovHJ,CyC3uHI,qCAEE,UAAA,CACA,UAAA,CAFA,azC+uHN,CKt3HI,0CoCsJF,8BACE,iBzCouHF,CyC1tHE,wSAGE,ezCguHJ,CyC5tHE,sCAEE,mBAAA,CACA,eAAA,CADA,oBAAA,CADA,kBAAA,CAAA,mBzCguHJ,CACF,C0C7jII,yDAIE,+BAAA,CACA,8BAAA,CAFA,aAAA,CADA,QAAA,CADA,iB1CmkIN,C0C3jII,uBAEE,uCAAA,CADA,c1C8jIN,C0CzgIM,iHAEE,WAlDkB,CAiDlB,kB1CohIR,C0CrhIM,6HAEE,WAlDkB,CAiDlB,kB1CgiIR,C0CjiIM,6HAEE,WAlDkB,CAiDlB,kB1C4iIR,C0C7iIM,oHAEE,WAlDkB,CAiDlB,kB1CwjIR,C0CzjIM,0HAEE,WAlDkB,CAiDlB,kB1CokIR,C0CrkIM,uHAEE,WAlDkB,CAiDlB,kB1CglIR,C0CjlIM,uHAEE,WAlDkB,CAiDlB,kB1C4lIR,C0C7lIM,6HAEE,WAlDkB,CAiDlB,kB1CwmIR,C0CzmIM,yCAEE,WAlDkB,CAiDlB,kB1C4mIR,C0C7mIM,yCAEE,WAlDkB,CAiDlB,kB1CgnIR,C0CjnIM,0CAEE,WAlDkB,CAiDlB,kB1ConIR,C0CrnIM,uCAEE,WAlDkB,CAiDlB,kB1CwnIR,C0CznIM,wCAEE,WAlDkB,CAiDlB,kB1C4nIR,C0C7nIM,sCAEE,WAlDkB,CAiDlB,kB1CgoIR,C0CjoIM,wCAEE,WAlDkB,CAiDlB,kB1CooIR,C0CroIM,oCAEE,WAlDkB,CAiDlB,kB1CwoIR,C0CzoIM,2CAEE,WAlDkB,CAiDlB,kB1C4oIR,C0C7oIM,qCAEE,WAlDkB,CAiDlB,kB1CgpIR,C0CjpIM,oCAEE,WAlDkB,CAiDlB,kB1CopIR,C0CrpIM,kCAEE,WAlDkB,CAiDlB,kB1CwpIR,C0CzpIM,qCAEE,WAlDkB,CAiDlB,kB1C4pIR,C0C7pIM,mCAEE,WAlDkB,CAiDlB,kB1CgqIR,C0CjqIM,qCAEE,WAlDkB,CAiDlB,kB1CoqIR,C0CrqIM,wCAEE,WAlDkB,CAiDlB,kB1CwqIR,C0CzqIM,sCAEE,WAlDkB,CAiDlB,kB1C4qIR,C0C7qIM,2CAEE,WAlDkB,CAiDlB,kB1CgrIR,C0CrqIM,iCAEE,WAPkB,CAMlB,iB1CwqIR,C0CzqIM,uCAEE,WAPkB,CAMlB,iB1C4qIR,C0C7qIM,mCAEE,WAPkB,CAMlB,iB1CgrIR,C2ClwIA,MACE,qMAAA,CACA,mM3CqwIF,C2C5vIE,wBAKE,mBAAA,CAHA,YAAA,CACA,qBAAA,CACA,YAAA,CAHA,iB3CmwIJ,C2CzvII,8BAGE,QAAA,CACA,SAAA,CAHA,iBAAA,CACA,O3C6vIN,C2CxvIM,qCACE,0B3C0vIR,C2C7tIM,kEACE,0C3C+tIR,C2CztIE,2BAKE,uBAAA,CADA,+DAAA,CAHA,YAAA,CACA,cAAA,CACA,aAAA,CAGA,oB3C2tIJ,C2CxtII,aATF,2BAUI,gB3C2tIJ,CACF,C2CxtII,cAGE,+BACE,iB3CwtIN,C2CrtIM,sCAQE,qCAAA,CANA,QAAA,CAKA,UAAA,CAHA,aAAA,CAEA,UAAA,CAHA,MAAA,CAFA,iBAAA,CAaA,2CAAA,CALA,2DACE,CAGF,kDAAA,CARA,+B3C6tIR,CACF,C2C/sII,8CACE,Y3CitIN,C2C7sII,iCASE,+BAAA,CACA,6BAAA,CAJA,uCAAA,CAEA,cAAA,CAPA,aAAA,CAGA,gBAAA,CACA,eAAA,CAFA,8BAAA,CAWA,+BAAA,CAHA,2CACE,CALF,kBAAA,CALA,U3CytIN,C2C1sIM,aAII,6CACE,O3CysIV,C2C1sIQ,8CACE,O3C4sIV,C2C7sIQ,8CACE,O3C+sIV,C2ChtIQ,8CACE,O3CktIV,C2CntIQ,8CACE,O3CqtIV,C2CttIQ,8CACE,O3CwtIV,C2CztIQ,8CACE,O3C2tIV,C2C5tIQ,8CACE,O3C8tIV,C2C/tIQ,8CACE,O3CiuIV,C2CluIQ,+CACE,Q3CouIV,C2CruIQ,+CACE,Q3CuuIV,C2CxuIQ,+CACE,Q3C0uIV,C2C3uIQ,+CACE,Q3C6uIV,C2C9uIQ,+CACE,Q3CgvIV,C2CjvIQ,+CACE,Q3CmvIV,C2CpvIQ,+CACE,Q3CsvIV,C2CvvIQ,+CACE,Q3CyvIV,C2C1vIQ,+CACE,Q3C4vIV,C2C7vIQ,+CACE,Q3C+vIV,C2ChwIQ,+CACE,Q3CkwIV,CACF,C2C7vIM,uCACE,gC3C+vIR,C2C3vIM,oDACE,a3C6vIR,C2CxvII,yCACE,S3C0vIN,C2CtvIM,2CACE,aAAA,CACA,8B3CwvIR,C2ClvIE,4BACE,U3CovIJ,C2CjvII,aAJF,4BAKI,gB3CovIJ,CACF,C2ChvIE,0BACE,Y3CkvIJ,C2C/uII,aAJF,0BAKI,a3CkvIJ,C2C9uIM,sCACE,O3CgvIR,C2CjvIM,uCACE,O3CmvIR,C2CpvIM,uCACE,O3CsvIR,C2CvvIM,uCACE,O3CyvIR,C2C1vIM,uCACE,O3C4vIR,C2C7vIM,uCACE,O3C+vIR,C2ChwIM,uCACE,O3CkwIR,C2CnwIM,uCACE,O3CqwIR,C2CtwIM,uCACE,O3CwwIR,C2CzwIM,wCACE,Q3C2wIR,C2C5wIM,wCACE,Q3C8wIR,C2C/wIM,wCACE,Q3CixIR,C2ClxIM,wCACE,Q3CoxIR,C2CrxIM,wCACE,Q3CuxIR,C2CxxIM,wCACE,Q3C0xIR,C2C3xIM,wCACE,Q3C6xIR,C2C9xIM,wCACE,Q3CgyIR,C2CjyIM,wCACE,Q3CmyIR,C2CpyIM,wCACE,Q3CsyIR,C2CvyIM,wCACE,Q3CyyIR,CACF,C2CnyII,+FAEE,Q3CqyIN,C2ClyIM,yGACE,wBAAA,CACA,yB3CqyIR,C2C5xIM,2DAEE,wBAAA,CACA,yBAAA,CAFA,Q3CgyIR,C2CzxIM,iEACE,Q3C2xIR,C2CxxIQ,qLAGE,wBAAA,CACA,yBAAA,CAFA,Q3C4xIV,C2CtxIQ,6FACE,wBAAA,CACA,yB3CwxIV,C2CnxIM,yDACE,kB3CqxIR,C2ChxII,sCACE,Q3CkxIN,C2C7wIE,2BAEE,iBAAA,CAOA,kBAAA,CAHA,uCAAA,CAEA,cAAA,CAPA,aAAA,CAGA,YAAA,CACA,gBAAA,CAEA,mBAAA,CAGA,gCAAA,CAPA,W3CsxIJ,C2C5wII,iCAEE,uDAAA,CADA,+B3C+wIN,C2C1wII,iCAKE,6BAAA,CADA,UAAA,CAHA,aAAA,CAEA,WAAA,CAMA,8CAAA,CAAA,sCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CANA,+CACE,CALF,U3CoxIN,C2CrwIE,4BAOE,yEACE,CANF,YAAA,CAGA,aAAA,CAFA,qBAAA,CAGA,mBAAA,CALA,iBAAA,CAYA,wBAAA,CATA,Y3C2wIJ,C2C/vII,sCACE,wB3CiwIN,C2C7vII,oCACE,S3C+vIN,C2C3vII,kCAGE,wEACE,CAFF,mBAAA,CADA,O3C+vIN,C2CrvIM,uDACE,8CAAA,CAAA,sC3CuvIR,CK93II,0CsCqJF,wDAEE,kB3C+uIF,C2CjvIA,wDAEE,mB3C+uIF,C2CjvIA,8CAGE,eAAA,CAFA,eAAA,CAGA,iC3C6uIF,C2CzuIE,8DACE,mB3C4uIJ,C2C7uIE,8DACE,kB3C4uIJ,C2C7uIE,oDAEE,U3C2uIJ,C2CvuIE,8EAEE,kB3C0uIJ,C2C5uIE,8EAEE,mB3C0uIJ,C2C5uIE,8EAGE,kB3CyuIJ,C2C5uIE,8EAGE,mB3CyuIJ,C2C5uIE,oEACE,U3C2uIJ,C2CruIE,8EAEE,mB3CwuIJ,C2C1uIE,8EAEE,kB3CwuIJ,C2C1uIE,8EAGE,mB3CuuIJ,C2C1uIE,8EAGE,kB3CuuIJ,C2C1uIE,oEACE,U3CyuIJ,CACF,C2C3tIE,cAHF,olDAII,gC3C8tIF,C2C3tIE,g8GACE,uC3C6tIJ,CACF,C2CxtIA,4sDACE,+B3C2tIF,C2CvtIA,wmDACE,a3C0tIF,C4C9lJA,MACE,8WAAA,CACA,uX5CimJF,C4CxlJE,4BAEE,oBAAA,CADA,iB5C4lJJ,C4CvlJI,sDAGE,S5CylJN,C4C5lJI,sDAGE,U5CylJN,C4C5lJI,4CACE,iBAAA,CACA,S5C0lJN,C4CplJE,+CAEE,SAAA,CADA,U5CulJJ,C4CllJE,kDAOE,W5CwlJJ,C4C/lJE,kDAOE,Y5CwlJJ,C4C/lJE,wCAME,qDAAA,CADA,UAAA,CADA,aAAA,CAIA,0CAAA,CAAA,kCAAA,CACA,4BAAA,CAAA,oBAAA,CACA,6BAAA,CAAA,qBAAA,CACA,yBAAA,CAAA,iBAAA,CAVA,iBAAA,CACA,SAAA,CACA,Y5C4lJJ,C4ChlJE,gEACE,wB1B2Wa,C0B1Wb,mDAAA,CAAA,2C5CklJJ,C6CloJA,QACE,8DAAA,CAGA,+CAAA,CACA,iEAAA,CACA,oDAAA,CACA,sDAAA,CACA,mDAAA,CAGA,qEAAA,CACA,qEAAA,CACA,wEAAA,CACA,0EAAA,CACA,wEAAA,CACA,yEAAA,CACA,kEAAA,CACA,+DAAA,CACA,oEAAA,CACA,oEAAA,CACA,mEAAA,CACA,gEAAA,CACA,uEAAA,CACA,mEAAA,CACA,qEAAA,CACA,oEAAA,CACA,gEAAA,CACA,wEAAA,CACA,qEAAA,CACA,+D7CioJF,C6C3nJA,SAEE,kBAAA,CADA,Y7C+nJF,C8CjqJE,kBAUE,cAAA,CATA,YAAA,CACA,kEACE,CAQF,Y9C6pJJ,C8CzpJI,sDACE,gB9C2pJN,C8CrpJI,oFAKE,wDAAA,CACA,mBAAA,CAJA,aAAA,CAEA,QAAA,CADA,aAAA,CAIA,sC9CupJN,C8ClpJM,iOACE,kBAAA,CACA,8B9CqpJR,C8CjpJM,6FACE,iBAAA,CAAA,c9CopJR,C8ChpJM,2HACE,Y9CmpJR,C8C/oJM,wHACE,e9CkpJR,C8CnoJI,yMAGE,eAAA,CAAA,Y9C2oJN,C8C7nJI,ybAOE,W9CmoJN,C8C/nJI,8BACE,eAAA,CAAA,Y9CioJN,CK7jJI,mC0ChKA,8BACE,U/CquJJ,C+CtuJE,8BACE,W/CquJJ,C+CtuJE,8BAGE,kB/CmuJJ,C+CtuJE,8BAGE,iB/CmuJJ,C+CtuJE,oBAKE,mBAAA,CADA,YAAA,CAFA,a/CouJJ,C+C9tJI,kCACE,W/CiuJN,C+CluJI,kCACE,U/CiuJN,C+CluJI,kCAEE,iBAAA,CAAA,c/CguJN,C+CluJI,kCAEE,aAAA,CAAA,kB/CguJN,CACF","file":"main.css"} \ No newline at end of file diff --git a/index.html b/index.html index 8c4a964d43..0f4063d6f0 100644 --- a/index.html +++ b/index.html @@ -14,7 +14,7 @@ - + @@ -22,7 +22,7 @@ - + @@ -169,7 +169,7 @@
- +
GitHub @@ -214,7 +214,7 @@
- +
GitHub diff --git a/search/search_index.json b/search/search_index.json index 0ecb56fdb5..f5c0cf7d5e 100644 --- a/search/search_index.json +++ b/search/search_index.json @@ -1 +1 @@ -{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Microsoft Exchange Server Support Scripts","text":"

This project contains scripts for supporting and troubleshooting Microsoft Exchange Server.

"},{"location":"#popular-scripts","title":"Popular Scripts","text":"Script Docs Download HealthChecker.ps1 Docs Download ExchangeExtendedProtectionManagement.ps1 Docs Download SetupAssist.ps1 Docs Download SourceSideValidations.ps1 Docs Download Test-AMSI.ps1 Docs Download"},{"location":"Emerging-Issues/","title":"Emerging Issues for Exchange On-Premises","text":"

This page lists emerging issues for Exchange On-Premises deployments, possible root cause and solution/workaround to fix the issues. The page will be consistently updated with new issues found and reflect current status of the issues mentioned.

Updated on Update causing the issue Issue Workaround/Solution 4/23/2024 March 2024 Security Update for Exchange 2019,2016 After installing the March 2024 Security Update, Search in Outlook (cached mode) may show \"We're having trouble fetching results from the server...\". The search works fine in OWA or Outlook online mode. Please install April 2024 Hotfix Update 4/23/2024 March 2024 Security Update for Exchange 2019,2016 After installing the Security Update, add-ins may stop working with following error \"Add-in Error Something went wrong and we couldn't start this add-in. Please try again later or contact your system administrator Please install April 2024 Hotfix Update 4/23/2024 March 2024 Security Update for Exchange 2019,2016 After installing the March 2024 Security Update, Unread envelope icon is not getting updated after applying March 2024 SU Please install April 2024 Hotfix Update 4/23/2024 March 2024 Security Update for Exchange 2019,2016 After installing the March 2024 Security Update, preview of Office documents in OWA may fail with error \"Sorry, there was a problem and we can't open this document.\" Please install April 2024 Hotfix Update 2/20/2024 CU 14 for Exchange 2019 Environments that are using SSL offloading configuration may face issues with Outlook connectivity issues after upgrading to Exchange 2019 CU14. As announced in August 2023 , by default, starting with CU14, Setup enables the Windows Extended Protection (EP) feature on the Exchange server being installed. Extended Protection isn't supported in environments that use SSL Offloading. SSL termination during SSL Offloading causes Extended Protection to fail. To enable Extended Protection in your Exchange environment, you must not be using SSL offloading with your Load Balancers. Please check this link for more details 2/20/2024 CU 14 for Exchange 2019 Environments that are using SSL offloading configuration may face issues with Outlook connectivity issues after upgrading to Exchange 2019 CU14. As announced in August 2023 , by default, starting with CU14, Setup enables the Windows Extended Protection (EP) feature on the Exchange server being installed. Extended Protection isn't supported in environments that use SSL Offloading. SSL termination during SSL Offloading causes Extended Protection to fail. To enable Extended Protection in your Exchange environment, you must not be using SSL offloading with your Load Balancers. Please check this link for more details 2/19/2024 CU 14 for Exchange 2019 Exchange 2019 CU14 RecoverServer fails while creating \"New-PushNotificationsVirtualDirectory\" with following error: Exception setting \"ExtendedProtectionTokenChecking\": \"Cannot convert null to type \"Microsoft.Exchange.Data.Directory.SystemConfiguration.ExtendedProtectionTokenCheckingMode\" due to enumeration values that are not valid. Please follow the steps from this KB to resolve the issue 11/23/2023 November 2023 Security Update for Exchange 2016, Exchange 2019 Some customers may find queue viewer crashing with error \"Failed to enable constraints. One or more rows contain values violating non-null, unique, or foreign-key constraints\" The error can occur if the Exchange server auth certificate has expired. Solution is to renew the Exchange server auth certificate manually or by using this script 10/12/2023 All versions of August 2023 Security Update for Exchange 2016, Exchange 2019 Users in account forest can't change expired password in OWA in multi-forest Exchange deployments after installing any version of August 2023 Security Update for Exchange servers Note The account forest user will be able to change the password after they sign in to Outlook on the web if their password is not yet expired. The issue affects only account forest users who have passwords that are already expired. This change does not affect users in organizations that don't use multiple forests. ** Update on 10/12/2023 ** Follow steps on this article 8/15/2023 Non-English August 2023 Security Update for Exchange 2016, Exchange 2019 When you install the Microsoft Exchange Server 2019 or 2016 August 2023 Security Update (SU) on a Windows Server-based device that is running a non-English operating system (OS) version, Setup suddenly stops and rolls back the changes. However, the Exchange Server services remain in a disabled state. The latest SUs have been released that do not require a workaround to install. If you used a workaround to install KB5029388, it is highly recommend to uninstall the KB5029388 to avoid issues down the line. For more information please check out this KB. 6/15/2023 January 2023 Security Update for Exchange 2016, Exchange 2019 When you try to uninstall Microsoft Exchange Server 2019 or 2016 on servers, that had January 2023 Security Update for Exchange Server installed at any point, the Setup fails with following error message: [ERROR] The operation couldn't be performed because object '' couldn't be found on ''. Install Exchange Security Update June 2023 or higher to resolve the issue. Check this KB for more details 6/15/2023 Extended protection enabled on Exchange server Changing the permissions for Public Folders by using an Outlook client will fail with the following error, if Extended Protection is enabled: The modified Permissions cannot be changed. Install Exchange Security Update June 2023 or higher Security Update and create the setting override mentioned in this KB 3/16/2023 Outlook client update for CVE-2023-23397 released These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating Exchange servers in their environment, and if applicable, installing the security update for Outlook on Windows described on the link on the right.More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).Awareness: Outlook client update for CVE-2023-23397 releasedThere is a critical security update for Microsoft Outlook for Windows that is required to address CVE-2023-23397. To address this CVE, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform). Please check this page for FAQs about the Outlook CVE-2023-23397 3/14/2023 February 2023 Security Update for Exchange 2016, Exchange 2019, Exchange 2013 After installing February 2023 security update, customers are seeing EWS application pool crash with Event ID 4999 with following error E12IIS, c-RTL-AMD64, 15.01.2507.021, w3wp#MSExchangeServicesAppPool, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.EnforceBlockReason, M.E.Diagnostics.BlockedDeserializeTypeException, 437c-dumptidset, 15.01.2507.021. The issue is causing connectivity issues to EWS based clients (Outlook for Mac) Update on 3/14/2023 The issue is fixed in March 2023 security update for Exchange servers Please follow the steps in this KB 3/14/2023 February 2023 Security Update for Exchange 2016, Exchange 2019, Exchange 2013 Some customers are reporting issues with Outlook/OWA add-ins, like add-in not listing in EAC or with the Get-App command. Additionally, they may notice EWS application pool crash with Event ID 4999 in the application log of the Exchange server. Update on 3/14/2023 The issue is fixed in March 2023 security update for Exchange servers 3/14/2023 January 2023 Security Update for Exchange 2016, Exchange 2019 The Exchange toolbox may start crashing on launch after certificate Serialization for PowerShell is enabled. The error noticed is \"Deserialization fails: System.Reflection.TargetInvocationException\". The issue happens only on Exchange 2016 and Exchange 2019 Update on 3/14/2023 The issue is fixed in March 2023 security update for Exchange servers - - - - 1/24/2023 January 2023 Security Update for Exchange 2016, Exchange 2019 After installing January 2023 security update and enabling certificate signing for serialization of PowerShell, you may find various Exchange commands and scripts (example: RedistributeActiveDatabases.ps1) that use deserialization failing with the error similar to : Error: \"Cannot convert the value of type.....to type\" Use this script to update the auth certificate 1/24/2023 January 2023 Security Update for Exchange 2016, Exchange 2019 RecoverServer will fail at pre-requisites check with following error: \"Exchange Server version Version 15.1 (Build 2507.17) or later must be used to perform a recovery of this server.\" Update on 02/23/2023 The issue has been fixed in February 2023 Security Update for Exchange servers, however, the following workaround still needs to be used for servers that are on January 2023 Security Update Workaround Use the steps in this article 1/24/2023 January 2023 Security Update for Exchange 2016 installed on Windows 2012 R2, other versions are not affected The Exchange services in Automatic start-up mode will not start after reboot of the server. The services start successfully if started manually Update on 02/23/2023The issue has been fixed in February 2023 Security Update for Exchange servers 1/24/2023 January 2023 Security Update for Exchange 2016, Exchange 2019 Transport header shows the older version of server once January 2023 SU is installed (the build shown seems to be the build of the last CU) The issue will be addressed in upcoming security update

Updated on 11/8/2022

Issue Possible reason Workaround/Solution Zero-day vulnerabilities reported in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082 N/A Install November 2022 Exchange Server Security Updates to address the vulnerability

Updated on 5/11/2022

Issue Possible reason Workaround/Solution After installing March 2022 Security Update For Exchange Server 2013, 2016, 2019, the Microsoft Exchange Service Host service may crash repeatedly with Event ID 7031 in system log and Event ID 4999 in application log. Event ID 4999 Watson report about to be sent for process id: 4564, with parameters: E12IIS, c-RTL-AMD64, 15.01.2375.024, M.Exchange.ServiceHost, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.LoadType, M.E.Diagnostics.BlockedDeserializeTypeException, c0e9-DumpTidSet, 15.01.2375.024. The issue can occur if there are any expired certificates present on or any certificates nearing expiry on the server Install May 2022 Exchange Server Security Updates to resolve the issue

Updated on 3/16/2022

Issue Possible reason Workaround/Solution After installing March 2022 Security Update For Exchange Server 2013, 2016, 2019, the Microsoft Exchange Service Host service may crash repeatedly with Event ID 7031 in system log and Event ID 4999 in application log. Event ID 4999 Watson report about to be sent for process id: 4564, with parameters: E12IIS, c-RTL-AMD64, 15.01.2375.024, M.Exchange.ServiceHost, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.LoadType, M.E.Diagnostics.BlockedDeserializeTypeException, c0e9-DumpTidSet, 15.01.2375.024. The issue can occur if there are any expired certificates present on or any certificates nearing expiry on the server Update 3/16/2022 Follow the steps from KB 5013118 to resolve the issue"},{"location":"Emerging-Issues/#old-issues","title":"Old Issues","text":""},{"location":"Emerging-Issues/#email-stuck-in-transport-queues","title":"Email Stuck in Transport Queues","text":"Issue Possible reason Workaround/Solution You may observe emails building up in the transport queues of Exchange Server 2016 and Exchange Server 2019. The issue does not impact Exchange 2013 servers.Following events may be noticed in the application log: Log Name: ApplicationSource: FIPFSLogged: 1/1/2022 1:03:42 AM Event ID: 5300 Level: Error Computer: server1.contoso.comDescription: The FIP-FS \"Microsoft\" Scan Engine failed to load. PID: 23092, Error Code: 0x80004005.Error Description: Can't convert \"2201010001\" to long. Log Name: Application Source: FIPFS Logged: 1/1/2022 11:47:16 AM Event ID: 1106 Level: Error Computer: server1.contoso.com Description: The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error. The problem relates to a date check failure with the change of the new year and it not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue. The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues. Run this script on each Exchange server in your organization. You can run this script on multiple servers in parallel. Check this article for detailed steps."},{"location":"Emerging-Issues/#november-2021-security-update","title":"November 2021 Security Update","text":"

Following are the known issues after installing November 2021 Security Updates for Exchange On-Premises servers

Issue Possible reason Workaround/Solution Hybrid OWA Redirect is broken after application of November SU for Exchange 2013/2016 and 2019. Users using Exchange 2016 and 2019 server will see error \":-( Something went wrong. We can't get that information right now. Please try again later. Exchange 2013 users will see error \"External component has thrown an exception.\" Some On-Premises environments, that are not using FBA, may also see cross-site OWA redirection fail with similar errors. After installing November SU, the OWA redirection URL for hybrid users is providing an encoded URL for &., causing the redirect to fail Update 1/12/2022 The OWA redirection issue is fixed in January 2022 security updates. Please install the relevant update to fix the issue. Alternatively, you can also use the workarounds provided in KB article 5008997"},{"location":"Emerging-Issues/#september-cumulative-updates","title":"September Cumulative Updates","text":"

Following are the known issues after installing September 2021 Cumulative Updates for Exchange On-Premises servers

Issue Possible reason Workaround/Solution After installing the September 2021 CU, the Microsoft Exchange Transport Services will continue to crash. You can see the following message for the 4999 crash event Watson report about to be sent for process id: 10072, with parameters: E12IIS, c-RTL-AMD64, 15.02.0986.005, MSExchangeDelivery, M.Exchange.Transport, M.E.T.AcceptedDomainTable..ctor, System.FormatException, 28d7-DumpTidSet, 15.02.0986.005. Having a Wild Card Only (*) Accepted Domain Set on an Internal Relay. This is an open relay and is very bad to have set. Remove the Accepted Domain that is set to * and properly configure an anonymous relay on a receive connector or change to an External Relay. More Information: Allow anonymous relay on Exchange servers"},{"location":"Emerging-Issues/#july-2021-security-updatecumulative-updates","title":"July 2021 Security Update/Cumulative Updates","text":"

Following are the known issues after installing July 2021 Security Updates/Cumulative Updates for Exchange On-Premises servers

Issue Possible reason Workaround/Solution OWA/ECP stops working after installing July Security Update with following error: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1 The issue occurs if OAuth certificate is missing or expired Follow steps on this article to re-publish the Oauth certificate. Do note it takes up to an hour for certificate to change place OWA/ECP stops working when accessed from load balanced URL, but works if directly accessed from the server URL The root cause for the issue is under investigation Follow steps in this article to fix the issue PrepareAD with Exchange 2016 CU21/Exchange 2019 CU10 error: Used domain controller dc1.contoso.com to read object CN=AdminSDHolder,CN=System,DC=Contoso,DC=COM. [ERROR] Object reference not set to an instance of an object. The issue is under investigation Follow steps in this article to fix the issue PrepareSchema in environments that have empty root AD domain July Security Update for Exchange 2013 have shipped schema changes and needs Exchange role installed for PrepareSchema, this makes it difficult for environments that have Exchange 2013 as the highest installed Exchange server and do not have an Exchange server installed in the same AD site as that of root AD domain. Option 1 Introduce a new server that meets system requirements for Exchange 2013 Management tools, in the root AD domain. Install just the Exchange 2013 Management Tools role on this server. Install the July security fix, perform Schema update. Option 2 PrepareSchema using Exchange 2016 21/Exchange 2019 CU10 media, as the CU's have the changes. However, once Exchange 2016/2019 media is used to perform schema update, you will need to continue using Exchange 2016/2019 media in the future as well. The Schema Version number for Exchange 2013 environment remains on 15312, even after installing SU and performing PrepareSchema This is expected behavior. The schema version is going to remain 15312 after installing Security Update and performing PrepareSchema After installing Exchange 2016 CU21/Exchange 2019 CU10, the values added to custom attributes using EAC are not retained. The scenario works fine in Exchange 2016 CU20/Exchange 2019 CU9 The issue is under investigation Workaround 1: Use EAC from Internet Explorer Workaround 2: Add the values using Exchange Management Shell"},{"location":"Admin/Clear-MailboxPermission/","title":"Clear-MailboxPermission","text":"

Download the latest release: Clear-MailboxPermission.ps1

Attempting to Add-MailboxPermission or Remove-MailboxPermission sometimes fails with the following message:

The ACL for object is not in canonical order (Deny/Allow/Inherited) and will be ignored.

This indicates that the ACEs that make up the ACL do not follow canonical ordering, which generally means denies before allows, and explicit before inherited. When the mailbox security descriptor is in this state, the cmdlets can no longer modify it.

This script can be used to return it to a working state. The script does this by clearing all permissions and resetting it to the default permissions that a brand new mailbox would have.

"},{"location":"Admin/Clear-MailboxPermission/#common-usage","title":"Common Usage","text":"

The easiest way to use the script is to pipe the affected mailboxes to it:

Get-Mailbox joe@contoso.com | .\\Clear-MailboxPermission.ps1

Note the script also supports -WhatIf and -Confirm. It will prompt for confirmation by default.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/","title":"CrossTenantMailboxMigrationValidation","text":"

Download the latest release: CrossTenantMailboxMigrationValidation.ps1

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#description","title":"DESCRIPTION","text":"

This script offers the ability to validate users and org settings related to the Cross-tenant mailbox migration before creating a migration batch and have a better experience.

It will help you on:

  • Making sure the source mailbox object is a member of the Mail-Enabled Security Group defined on the MailboxMovePublishedScopes of the source organization relationship
  • Making sure the source mailbox object ExchangeGuid attribute value matches the one from the target MailUser object, and give you the option to set it
  • Making sure the source mailbox object ArchiveGuid attribute (if there's an Archive enabled) value matches the one from the target MailUser object, and give you the option to set it
  • Making sure the source mailbox object has no more than 12 auxArchives
  • Making sure the source mailbox object has no hold applied
  • Making sure the source mailbox object TotalDeletedItemsSize is not bigger than Target MailUser recoverable items size
  • Making sure the source mailbox object LegacyExchangeDN attribute value is present on the target MailUser object as an X500 proxyAddress, and give you the option to set it, as long as the Target MailUser is not DirSynced
  • Making sure the source mailbox object X500 addresses are also present on the target MailUser object.
  • Checking if the source mailbox object has an Archive enabled, and if so, check if there's any content on the SubstrateHolds folder of the archive mailbox.
  • Making sure the target MailUser object PrimarySMTPAddress attribute value is part of the target tenant accepted domains and give you the option to set it to be like the UPN if not true, as long as the Target MailUser is not DirSynced
  • Making sure the target MailUser object EmailAddresses are all part of the target tenant accepted domains and give you the option to remove them if any doesn't belong to are found, as long as the Target MailUser is not DirSynced
  • Making sure the target MailUser object ExternalEmailAddress attribute value points to the source Mailbox object PrimarySMTPAddress and give you the option to set it if not true, as long as the Target MailUser is not DirSynced
  • Verifying if there's a T2T license assigned on either the source or target objects.
  • Checking if there's an AAD app as described on https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide#prepare-the-target-destination-tenant-by-creating-the-migration-application-and-secret
  • Checking if the AAD app on Target has been consented in Source tenant as described on https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide#prepare-the-source-current-mailbox-location-tenant-by-accepting-the-migration-application-and-configuring-the-organization-relationship
  • Checking if the target tenant has an Organization Relationship as described on https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide#prepare-the-target-tenant-by-creating-the-exchange-online-migration-endpoint-and-organization-relationship
  • Checking if the target tenant has a Migration Endpoint as described on https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide#prepare-the-target-tenant-by-creating-the-exchange-online-migration-endpoint-and-organization-relationship
  • Checking if the source tenant has an Organization Relationship as described on https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide#prepare-the-source-current-mailbox-location-tenant-by-accepting-the-migration-application-and-configuring-the-organization-relationship including a Mail-Enabled security group defined on the MailboxMovePublishedScopes property.
  • Gather all the necessary information for troubleshooting and send it to Microsoft Support if needed
  • Because not all scenarios allow access to both tenants by the same person, this will also allow you to collect the source tenant and mailbox information and wrap it into a zip file so the target tenant admin can use it as a source to validate against.

The script will prompt you to connect to your source and target tenants for EXO and AAD as needed You can decide to run the checks for the source mailbox and target MailUser (individually or by providing a CSV file), for the organization settings described above, collect the source information and compress it to a zip file that can be used by the target tenant admins, or use the collected zip file as a source to validate the target objects and configurations against it.

Additionally, the script provides a version check feature that will check if there's a newer version available on CSS-Exchange repository and will download it if so. If for some reason the version cannot be checked, the build check will be skipped and the existing file will be used.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#pre-requisites","title":"PRE-REQUISITES:","text":"
  • Please make sure you have at least the Exchange Online V2 Powershell module (https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps#install-and-maintain-the-exo-v2-module)
  • You would need the Microsoft Graph Module (https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0)
"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#parameters","title":"PARAMETERS","text":""},{"location":"Admin/CrossTenantMailboxMigrationValidation/#skipversioncheck","title":"SkipVersionCheck","text":"

This will allow you to skip the version check and run the existing local version of the script. This parameter is optional.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#scriptupdateonly","title":"ScriptUpdateOnly","text":"

This will allow you to check if there's a newer version available on CSS-Exchange repository without performing any additional checks, and will download it if so. This parameter is optional.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#checkobjects","title":"CheckObjects","text":"

This will allow you to perform the checks for the Source Mailbox and Target MailUser objects you provide. If used without the \"-CSV\" parameter, you will be prompted to type the identities.. If used with the '-SourceIsOffline' you also need to specify the '-PathForCollectedData' parameter

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#csv","title":"CSV","text":"

This will allow you to specify a path for a CSV file you have with a list of users that contain the \"SourceUser, TargetUser\" columns. An example of the CSV file content would be:

SourceUser, TargetUser\nJdoe@contoso.com, Jdoe@fabrikam.com\nBSmith@contoso.com, BSmith@fabrikam.com\n

If Used along with the 'CollectSourceOnly' parameter, you only need the 'SourceUser' column.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#checkorgs","title":"CheckOrgs","text":"

This will allow you to perform the checks for the source and target organizations. More specifically the organization relationship on both tenants, the migration endpoint on target tenant and the existence of the AAD application needed.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#sdp","title":"SDP","text":"

This will collect all the relevant information for troubleshooting from both tenants and be able to send it to Microsoft Support in case of needed.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#logpath","title":"LogPath","text":"

This will allow you to specify a log path to transcript all the script execution and it's results. This parameter is mandatory.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#collectsourceonly","title":"CollectSourceOnly","text":"

This will allow you to specify a CSV file so we can export all necessary data of the source tenant and mailboxes to migrate, compress the files as a zip file to be used by the target tenant admin as a source for validation against the target. This parameter is mandatory and also requires the '-CSV' parameter to be specified containing the SourceUser column.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#pathforcollecteddata","title":"PathForCollectedData","text":"

This will allow you to specify a path to store the exported data from the source tenant when used along with the 'CollectSourceOnly' and 'SDP' parameters transcript all the script execution and it's results. This parameter is mandatory.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#sourceisoffline","title":"SourceIsOffline","text":"

With this parameter, the script will only connect to target tenant and not source, instead it will rely on the zip file gathered when running this script along with the 'CollectSourceOnly' parameter. When used, you also need to specify the 'PathForCollectedData' parameter pointing to the collected zip file.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#examples","title":"EXAMPLES","text":""},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-1","title":"EXAMPLE 1","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -CheckObjects -LogPath C:\\Temp\\LogFile.txt\n

This will prompt you to type the source mailbox identity and the target identity, will establish 2 EXO remote powershell sessions (one to the source tenant and another one to the target tenant), and will check the objects.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-2","title":"EXAMPLE 2","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -CheckObjects -CSV C:\\Temp\\UsersToMigrateValidationList.CSV -LogPath C:\\Temp\\LogFile.txt\n

This will establish 2 EXO remote powershell sessions (one to the source tenant and another one to the target tenant), will import the CSV file contents and will check the objects one by one.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-3","title":"EXAMPLE 3","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -CheckOrgs -LogPath C:\\Temp\\LogFile.txt\n

This will establish 4 remote powershell sessions (source and target EXO tenants, and source and target AAD tenants), and will validate the migration endpoint on the target tenant, AAD applicationId on target tenant and the Organization relationship on both tenants.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-4","title":"EXAMPLE 4","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -SDP -LogPath C:\\Temp\\LogFile.txt -PathForCollectedData C:\\temp\n

This will establish 4 remote powershell sessions (source and target EXO tenants, and source and target AAD tenants), and will collect all the relevant information (config-wise) so it can be used for troubleshooting and send it to Microsoft Support if needed.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-5","title":"EXAMPLE 5","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -SourceIsOffline -PathForCollectedData C:\\temp\\CTMMCollectedSourceData.zip -CheckObjects -LogPath C:\\temp\\CTMMTarget.log\n

This will expand the CTMMCollectedSourceData.zip file contents into a folder with the same name within the zip location, will establish the EXO remote powershell session and also with AAD against the Target tenant and will check the objects contained on the UsersToProcess.CSV file.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-6","title":"EXAMPLE 6","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -SourceIsOffline -PathForCollectedData C:\\temp\\CTMMCollectedSourceData.zip -CheckOrgs -LogPath C:\\temp\\CTMMTarget.log\n

This will expand the CTMMCollectedSourceData.zip file contents into a folder with the same name within the zip location, will establish the EXO remote powershell session and also with AAD against the Target tenant, and will validate the migration endpoint on the target tenant, AAD applicationId on target tenant and the Organization relationship on both tenants.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-7","title":"EXAMPLE 7","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -CollectSourceOnly -PathForCollectedData c:\\temp -LogPath C:\\temp\\CTMMCollectSource.log -CSV C:\\temp\\UsersToMigrate.csv\n

This will connect to the Source tenant against AAD and EXO, and will collect all the relevant information (config and user wise) so it can be used passed to the Target tenant admin for the Target validation to be done without the need to connect to the source tenant at the same time.

"},{"location":"Admin/Find-AmbiguousSids/","title":"Find-AmbiguousSids","text":"

Download the latest release: Find-AmbiguousSids.ps1

Useful when Exchange throws NonUniqueRecipientException, but doesn't log the objects causing it.

"},{"location":"Admin/Find-AmbiguousSids/#syntax","title":"Syntax","text":"
Find-AmbiguousSids.ps1\n  [-GCName <string>]\n  [-IgnoreWellKnown <bool>]\n  [-Verbose]\n
"},{"location":"Admin/Find-AmbiguousSids/#examples","title":"Examples","text":"

Find all ambiguous SIDs: 

.\\Find-AmbiguousSids.ps1\n

Find all ambiguous SIDs while not ignoring the well-known ones, such as Everyone and other SIDs that always appear in multiple places: 

.\\Find-AmbiguousSids.ps1 -IgnoreWellKnown $false\n

Show each object being checked: 

.\\Find-AmbiguousSids.ps1 -Verbose\n

"},{"location":"Admin/Get-EASMailboxLogs/","title":"Get-EASMailboxLogs","text":"

Download the latest release: Get-EASMailboxLogs.ps1

Used for when you need to get EAS Mailbox Logging over a long period of time. It will collect the logs and re-enable the Active Sync Logging enabled to avoid it being disabled after 72 hours.

"},{"location":"Admin/Get-EASMailboxLogs/#syntax","title":"Syntax","text":"
Get-EASMailboxLogs.ps1\n  [-Mailbox <string[]>]\n  [-OutputPath <string>]\n  [-Interval <int>]\n  [-EnableMailboxLoggingVerboseMode <bool>]\n
"},{"location":"Admin/Get-EASMailboxLogs/#examples","title":"Examples","text":"

The following example collects logs for two mailbox every hour:

.\\Get-EASMailboxLogs.ps1 -mailbox @(\"jim\",\"zeke\") -OutputPath C:\\EASLogs -interval 60\n

The following example collects logs for a mailbox: 

.\\Get-EASMailboxLogs.ps1 -Mailbox \"jim\" -OutputPath c:\\EASLogs\n

The following example enables Verbose Logging on the current on premise server and collects logs for a mailbox: 

.\\Get-EASMailboxLogs.ps1 -Mailbox \"jim\" -OutputPath c:\\EASLogs -EnableMailboxLoggingVerboseMode $true\n

"},{"location":"Admin/Get-SimpleAuditLogReport/","title":"Get-SimpleAuditLogReport","text":"

Download the latest release: Get-SimpleAuditLogReport.ps1

Exchange admin audit logs are not readily human readable. All of the data needed to understand what Cmdlet has been run is in the data but it is not very easy to read. Get-SimpleAuditLogReport will take the results of an audit log search and provide a significantly more human readable version of the data.

It will parse the audit log and attempt to reconstruct the actual Cmdlet that was run.

"},{"location":"Admin/Get-SimpleAuditLogReport/#common-usage","title":"Common Usage","text":"

$Search = Search-AdminAuditLog

$search | C:\\Scripts\\Get-SimpleAuditLogReport.ps1

"},{"location":"Admin/Get-SimpleAuditLogReport/#how-to-use","title":"How to use","text":"
  1. Gather admin audit log results using Search-AdminAuditLog.
  2. Pipe the results into the Get-SimpleAuditLogReport script.
  3. Open the CSV file created in the same directory with the script.
"},{"location":"Admin/MonitorExchangeAuthCertificate/","title":"MonitorExchangeAuthCertificate","text":"

Download the latest release: MonitorExchangeAuthCertificate.ps1

The MonitorExchangeAuthCertificate.ps1 PowerShell script can help you to manage the Auth Certificate used by multiple security features in Exchange Server. The script can be used to renew an already expired Auth Certificate or repair an invalid Auth Configuration in which the current Auth Certificate isn't available on all Exchange Servers running the Mailbox or Client Access Server (CAS) role. It can also manage rotation of the Auth Certificate to ensure a smooth transition to a new Auth Certificate.

The script comes with a manual execution mode and an automation mode that works using the Windows Task Scheduler.

"},{"location":"Admin/MonitorExchangeAuthCertificate/#requirements","title":"Requirements","text":"

To run the script, you must be a member of the Organization Management role group. The script must be run from an elevated Exchange Management Shell (EMS) command prompt on an Exchange Server running the Mailbox role. The script cannot be run on an Exchange Management Tools-only machine.

"},{"location":"Admin/MonitorExchangeAuthCertificate/#logging","title":"Logging","text":"

Each run of the script is logged to the following directory: <ExchangeInstallPath>\\Logging\\AuthCertificateMonitoring

The naming syntax of the log file is: <AuthCertificateMonitoringLog>_<Timestamp>.txt

NOTE: If the <ExchangeInstallPath> directory doesn't exists, the log file will be written to the following directory: <$env:TEMP>\\Logging\\AuthCertificateMonitoring

"},{"location":"Admin/MonitorExchangeAuthCertificate/#how-to-run","title":"How To Run","text":""},{"location":"Admin/MonitorExchangeAuthCertificate/#examples","title":"Examples:","text":"

The following syntax runs the script in validation-only mode. It will show you the required Auth Certificate renewal action that would be performed if the script is executed in renewal mode.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1\n

The following syntax executes the script in renewal mode with user interaction. The required Auth Certificate renewal action will be performed, and the administrator might see prompts that need to be confirmed before the script continues:

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true\n

If you respond with 'Y', then the script will run in unattended mode and will not prompt you again.

It's recommended to recycle the WebApp Pools when the active Auth Certificate is replaced. You should respond with 'Y'.

It's not recommended to replace the internal transport certificate with the newly created Auth Certificate. You should respond with 'N'.

The following syntax executes the script in renewal mode without user interaction. The required Auth Certificate renewal action will be performed. In unattended mode the internal SMTP certificate is replaced with the new Auth Certificate and then set back to the previous one. The script also restarts the MSExchangeServiceHost service and the MSExchangeOWAAppPool and MSExchangeECPAppPool WebApp Pools when the primary Auth Certificate has been replaced.

NOTE: The script creates a new internal transport certificate if the previously configured one wasn't found on the machine where the script is run.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true -Confirm:$false\n

The following syntax runs the script in renewal mode without user interaction. We only take the Exchange servers into account if they are reachable and will perform the renewal action if required.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true -IgnoreUnreachableServers $true -Confirm:$false\n

The following syntax executes the script in renewal mode without user interaction. The renewal action will be performed even when an Exchange hybrid configuration is detected.

NOTE: You must re-run the Hybrid Configuration Wizard (HCW) after the active Auth Certificate has been replaced.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true -IgnoreHybridConfig $true -Confirm:$false\n

The following syntax executes the script in scheduled task mode. In this mode, the script performs the following steps:

NOTE: It doesn't matter what you type into the Username box, so you can enter, for example abc. Make sure to use a password that complies with the password guidelines of your organization.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ConfigureScriptToRunViaScheduledTask -Password (Get-Credential).Password\n

NOTE: The ConfigureScriptToRunViaScheduledTask parameter can be combined with the IgnoreHybridConfig and IgnoreUnreachableServers parameter.

  1. It creates a new Exchange Role Group, Auth Certificate Management, which has the following roles assigned: View-Only Configuration, View-Only Recipients, Exchange Server Certificates, Organization Client Access
  2. It creates a new user account with the following User Principal Name (UPN): SystemMailbox{b963af59-3975-4f92-9d58-ad0b1fe3a1a3}@contoso.local
  3. The user account is mail-enabled and hidden from address lists
  4. The user account is added to the local Administrators group on the Exchange Server where the script is executed
  5. The user account is added to the Auth Certificate Management Exchange Role Group
  6. The script is copied to <ExchangeInstallPath>\\Scripts
  7. A new scheduled task is registered to run the script in context of the SystemMailbox{b963af59-3975-4f92-9d58-ad0b1fe3a1a3}@contoso.local user

The following syntax runs the script in Active Directory (AD) account creation mode which can be useful when Exchange runs in AD Split Permissions mode. An AD administrator with sufficient permissions to create a user in AD (e.g., a Domain Admin) can run the script in this mode to create the SystemMailbox{b963af59-3975-4f92-9d58-ad0b1fe3a1a3}@contoso.local account. The account can then be passed by the Exchange administrator via AutomationAccountCredential parameter as outlined in the next example.

In this mode, the script can be executed from an elevated PowerShell command prompt (no EMS required) running on a non-Exchange Server machine with the ActiveDirectory PowerShell module installed, as it only uses cmdlets which are coming with this module.

NOTE: We recommend creating a user account in the same domain where Exchange was installed. You can specify the domain by using the ADAccountDomain parameter.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -PrepareADForAutomationOnly -ADAccountDomain \"root.local\"\n

The following syntax executes the script in scheduled task mode, but it doesn't create the SystemMailbox{b963af59-3975-4f92-9d58-ad0b1fe3a1a3}@contoso.local user account. Instead, the account passed via AutomationAccountCredential parameter is used. Should a renewal action be performed, then email notifications will be sent to John.Doe@contoso.com\".

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ConfigureScriptToRunViaScheduledTask -AutomationAccountCredential (Get-Credential) -SendEmailNotificationTo \"John.Doe@contoso.com\"\n

The following syntax runs the script in Auth Certificate export mode. In this mode, the script exports the current and (if configured) the next Auth Certificate as DER (Distinguished Encoding Rules) binary encoded PKCS #12 files, using the .pfx file name extension.

The naming syntax for the exported .pfx file is: <CertificateThumbprint>-<Timestamp>.pfx

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ExportAuthCertificatesAsPfx\n

The following syntax executes the script in update-only mode. In this mode, the script only checks for a more current version of the script and downloads it if found.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ScriptUpdateOnly\n
"},{"location":"Admin/MonitorExchangeAuthCertificate/#parameters","title":"Parameters","text":"Parameter Description ValidateAndRenewAuthCertificate This optional parameter enables the validation and renewal mode which will perform the required actions to replace an invalid/expired Auth Certificate or configures a new next Auth Certificate if the current Auth Certificate expires in < 60 days or the certificate configured as next Auth Certificate expires in < 120 days. IgnoreUnreachableServers This optional parameter can be used to ignore if some of the Exchange servers within the organization cannot be reached. If this parameter is used, the script only validates the servers that can be reached and will perform Auth Certificate renewal actions based on the result. Parameter can be combined with the IgnoreHybridConfig parameter and can also be used with the ConfigureScriptToRunViaScheduledTask parameter to configure the script to run via scheduled task. IgnoreHybridConfig This optional parameter allows you to explicitly perform Auth Certificate renewal actions (if required) even if an Exchange hybrid configuration was detected. You need to run the HCW after the renewed Auth Certificate becomes the one in use. Parameter can be combined with the IgnoreUnreachableServers parameter and can also be used with the ConfigureScriptToRunViaScheduledTask parameter to configure the script to run via scheduled task. PrepareADForAutomationOnly This optional parameter can be used in AD Split Permission scenarios. It allows you to create the AD account which can then be used to run the Exchange Auth Certificate Monitoring script automatically via Task Scheduler. ADAccountDomain This optional parameter allows you to specify the domain which is then used by the script to generate the AD account used for automation. Parameter can be combined with the PrepareADForAutomationOnly parameter. ConfigureScriptToRunViaScheduledTask This optional parameter can be used to automatically prepare the requirements in AD (user account), Exchange (email enable the account, hide the account from address book, create a new role group with limited permissions) and finally it creates the scheduled task on the computer on which the script was executed (it has to be an Exchange server running the mailbox role). AutomationAccountCredential This optional parameter can be used to provide a different user under whose context the script is then executed via scheduled task. SendEmailNotificationTo This optional parameter can be used to specify recipients which will then be notified in case that an Exchange Auth Certificate renewal action was performed. The script uses the EWS API to send out email notifications. Make sure that the user in whose context the script is running is allowed to use EWS. TrustAllCertificates This optional parameter can be used to trust all certificates when connecting to the EWS service to send out email notifications. TestEmailNotification This optional parameter can be used to test the email notification feature of the script. Password Parameter to provide a password to the script which is required in some scenarios. ExportAuthCertificatesAsPfx This optional parameter can be used to export all on the system available Auth Certificates as password protected .pfx file. ScriptUpdateOnly This optional parameter allows you to only update the script without performing any other actions. SkipVersionCheck This optional parameter can be used to skip the Auto Update feature to download the latest version of the script."},{"location":"Admin/Remove-CertExpiryNotifications/","title":"Remove-CertExpiryNotifications","text":"

Download the latest release: Remove-CertExpiryNotifications.ps1

This script deletes all AsyncOperationNotification items from the Exchange SystemMailbox that contains them. This corrects the BlockedDeserializeTypeException error described in KB5013118.

NOTE: This script only supports Exchange 2016 and Exchange 2019. It will not work on Exchange 2013.

"},{"location":"Admin/Remove-CertExpiryNotifications/#syntax","title":"Syntax","text":"
Remove-CertExpiryNotifications.ps1\n  [-Server <string>]\n  [[-Credential] <PsCredential>]\n  [-WhatIf]\n  [-Confirm]\n
"},{"location":"Admin/Remove-CertExpiryNotifications/#usage","title":"Usage","text":"

NOTE: If an error occurs please see Common Errors.

The user running the script must be granted full access to the arbitration mailbox prior to running the script. That can be accomplished with this command:

Get-Mailbox -Arbitration \"SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\" | Add-MailboxPermission -User SomeAdmin -AccessRights FullAccess\n

Next, the same user that was granted access should run the script from Exchange Management Shell. Start by running the script with -WhatIf. Optionally, the -Credential switch can be provided. Otherwise, the current user will be used.

.\\Remove-CertExpiryNotifications.ps1 -Server exch1.contoso.com -WhatIf\n

If this succeeds, it will list all the messages that would be deleted. The output should look something like this:

To remove the messages, the script can be run without -WhatIf:

.\\Remove-CertExpiryNotifications.ps1 -Server exch1.contoso.com\n

This syntax will cause it to prompt for each message:

Or, the script can be run with -Confirm:$false to skip the prompts:

.\\Remove-CertExpiryNotifications.ps1 -Server exch1.contoso.com -Confirm:$false\n

After the script has run successfully, it should report that there are no messages present in the folder:

Finally, remember to remove the permission that was granted to the user:

Get-Mailbox -Arbitration \"SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\" | Remove-MailboxPermission -User SomeAdmin -AccessRights FullAccess\n
"},{"location":"Admin/Remove-CertExpiryNotifications/#common-errors","title":"Common errors","text":"
Invoke-RestMethod : The underlying connection was closed: An unexpected error occurred on a send.\n

\"Unexpected error occurred on a send\" usually means that the name in the certificate on the target server does not match what was specified in the -Server parameter. In other words, navigating to https://the.server.you.specified/owa must not return a certificate error. If it does, the script will fail. The specified server must be the name in the certificate bound to IIS.

Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.\n

This can occur if the user running the script does not have full access to the mailbox. Be sure the Add-MailboxPermission command was successful.

This can also occur if the server name specified is the local server, due to the loopback check. This can be resolved by passing a different name.

"},{"location":"Admin/Reset-ScanEngineVersion/","title":"Reset-ScanEngineVersion","text":"

Download the latest release: Reset-ScanEngineVersion.ps1

"},{"location":"Admin/Reset-ScanEngineVersion/#syntax","title":"Syntax","text":"
Reset-ScanEngineVersion.ps1\n  [-Force <switch>]\n  [-EngineUpdatePath <string>]\n
"},{"location":"Admin/Reset-ScanEngineVersion/#usage","title":"Usage","text":"

Copy the script to an affected Exchange server and run it with no parameters. It can be run from EMS or plain PowerShell.

In scenarios where centralized distribution of scan engines is used, add the -EngineUpdatePath switch to point to the share containing the engines. For example:

.\\Reset-ScanEngineVersion.ps1 -EngineUpdatePath \\\\FileServer1\\ScanEngineUpdates\n
"},{"location":"Admin/SetUnifiedContentPath/","title":"SetUnifiedContentPath","text":"

Download the latest release: SetUnifiedContentPath.ps1

Sets the CleanupFolderREsponderFolderPaths in the AntiMalware.xml file that is responsible for having Exchange automatically clean up the Unified Content that is left behind.

If this isn't properly set, you can have large amount of files left on the computer that is just using up space and can cause issues with Exchange.

The script will keep the default values of D:\\ExchangeTemp\\TransportCts\\UnifiedContent, C:\\Windows\\Temp\\UnifiedContent, and $ExInstall\\TransportRoles\\data\\Temp\\UnifiedContent within the value and will include TemporaryStoragePath from the EdgeTransport.exe.config if different from the install path.

In order for the new settings to take effect right away, use the -RestartService switch to have the MSExchangeHM service take in the new changes right away.

"},{"location":"Admin/SetUnifiedContentPath/#common-usage","title":"Common Usage","text":"

The easiest way to run the script is against all the servers and restart the service.

Get-ExchangeServer | .\\SetUnifiedContentPath.ps1 -RestartService\n

If you don't want to change anything just yet, use the -WhatIf switch to see what servers will have something changed.

Get-ExchangeServer | .\\SetUnifiedContentPath.ps1 -WhatIf\n

Or you can just run it locally on the server

.\\SetUnifiedContentPath.ps1 -RestartService\n

NOTE: The switch -RestartService is only going to restart the service if a change has been detected and done. Otherwise, it will not restart the service.

"},{"location":"Admin/Test-AMSI/","title":"Test-AMSI","text":"

The Windows AntiMalware Scan Interface (AMSI) is a versatile standard that allows applications and services to integrate with any AntiMalware product present on a machine. Seeing that Exchange administrators might not be familiar with AMSI, we wanted to provide a script that would make life a bit easier to test, enable, disable, or Check your AMSI Providers.

"},{"location":"Admin/Test-AMSI/#download","title":"Download","text":"

Download the latest release: Test-AMSI.ps1

"},{"location":"Admin/Test-AMSI/#parameters","title":"Parameters","text":"Parameter Description TestAMSI If you want to test to see if AMSI integration is working. You can use a server, server list or FQDN of load balanced array of Client Access servers. IgnoreSSL If you need to test and ignoring the certificate check. CheckAMSIConfig If you want to see what AMSI Providers are installed. You can combine with ServerList, AllServers or Sites. EnableAMSI If you want to enable AMSI. Without any additional parameter it will apply at Organization Level. If combine with ServerList, AllServers or Sites it will apply at server level. DisableAMSI If you want to disable AMSI. Without any additional parameter it will apply at Organization Level. If combine with ServerList, AllServers or Sites it will apply at server level. RestartIIS If you want to restart the Internet Information Services (IIS). You can combine with ServerList, AllServers or Sites. Force If you want to restart the Internet Information Services (IIS) without confirmation. ServerList If you want to apply to some specific servers. AllServers If you want to apply to all server. Sites If you want to apply to all server on a sites or list of sites."},{"location":"Admin/Test-AMSI/#common-usage","title":"Common Usage","text":"

After you download the script, you will need to run it within an elevated Exchange Management Shell Session

If you want to test to see if AMSI integration is working in a LB Array, you can run: .\\Test-AMSI.ps1 mail.contoso.com

If you want to test to see if AMSI integration is working in list of servers, you can run: .\\Test-AMSI.ps1 -ServerList server1, server2

If you want to test to see if AMSI integration is working in all server, you can run: .\\Test-AMSI.ps1 -AllServers

If you want to test to see if AMSI integration is working in all server in a list of sites, you can run: .\\Test-AMSI.ps1 -AllServers -Sites Site1, Site2

If you need to test and ignoring the certificate check, you can run: .\\Test-AMSI.ps1 -IgnoreSSL

If you want to see what AMSI Providers are installed on the local machine you can run: .\\Test-AMSI.ps1 -CheckAMSIConfig

If you want to enable AMSI at organization level, you can run: .\\Test-AMSI.ps1 -EnableAMSI

If you want to enable AMSI in an Exchange Server or Server List at server level, you can run: .\\Test-AMSI.ps1 -EnableAMSI -ServerList Exch1, Exch2

If you want to enable AMSI in all Exchange Server at server level, you can run: .\\Test-AMSI.ps1 -EnableAMSI -AllServers

If you want to enable AMSI in all Exchange Server in a site or sites at server level, you can run: .\\Test-AMSI.ps1 -EnableAMSI -AllServers -Sites Site1, Site2

If you want to disable AMSI on the Exchange Server, you can run: .\\Test-AMSI.ps1 -DisableAMSI

If you want to disable AMSI in an Exchange Server or Server List at server level, you can run: .\\Test-AMSI.ps1 -DisableAMSI -ServerList Exch1, Exch2

If you want to disable AMSI in all Exchange Server at server level, you can run: .\\Test-AMSI.ps1 -DisableAMSI -AllServers

If you want to disable AMSI in all Exchange Server in a site or sites at server level, you can run: .\\Test-AMSI.ps1 -DisableAMSI -AllServers -Sites Site1, Site2

If you want to restart the Internet Information Services (IIS), you can run: .\\Test-AMSI.ps1 -RestartIIS

If you want to restart the Internet Information Services (IIS) without confirmation, you can run: .\\Test-AMSI.ps1 -RestartIIS -Force

"},{"location":"Admin/Test-ExchangePropertyPermissions/","title":"Test-ExchangePropertyPermissions","text":"

Download the latest release: Test-ExchangePropertyPermissions.ps1

"},{"location":"Admin/Test-ExchangePropertyPermissions/#syntax","title":"Syntax","text":"
Test-ExchangePropertyPermissions.ps1\n    [-TargetObjectDN] <string>\n    [-ComputerAccountDN] <string>\n    [[-DomainController] <string>]\n    [-OutputDebugInfo]\n    [<CommonParameters>]\n
"},{"location":"Admin/Test-ExchangePropertyPermissions/#example","title":"Example","text":"

.\\Test-ExchangePropertyPermissions.ps1 -TargetObjectDN \"CN=SomeRecipient,OU=Users,DC=contoso,DC=com\" -ComputerAccountDN \"CN=SomeServerName,OU=Computers,DC=contoso,DC=com\"

This example retrieves the group memberships of the SomeServerName computer account and then examines the ACL of SomeRecipient to determine if that computer account can write to all expected attributes of that recipient.

"},{"location":"Admin/Test-ExchangePropertyPermissions/#description","title":"Description","text":"

Test-ExchangePropertyPermissions is designed to detect certain schema issues which can manifest as permissions problems and can be challenging to identify manually, including:

  • Scenarios where a property set does not include all the expected properties.
  • Scenarios where an objectClass definition is missing expected properties.

Note that the script does not perform an exhaustive check for all possible schema issues. It is only designed to identify a specific subset of issues which we have encountered. For example, using AD Schema Analyzer as described here is one such scenario:

https://learn.microsoft.com/en-us/previous-versions/technet-magazine/dd547839(v=msdn.10)

As noted in that article, this is known to corrupt the Exchange attributes. This script is able to detect that scenario, and other similar scenarios.

Further, note that such issues cannot be fixed by the script. Using AD Schema Analyzer as described results in an unsupported forest that should be torn down.

"},{"location":"Admin/Update-Engines/","title":"Update-Engines","text":"

Download the latest release: Update-Engines.ps1

The UpdateEngines script can be used to download the engine packages to be used by the Forefront Protection engine on Exchange Server and Sharepoint Server products.

"},{"location":"Admin/Update-Engines/#description","title":"Description","text":"

Follow the steps given below to manually update the scan engines in Exchange Server. You may need to do so if you experience issues with accessing anti-malware updates online and want to download those definitions to a central location.

The manual update involves running the Update-Engines.ps1 PowerShell script. This script can be changed according to your needs.

The update path, list of engines, and list of platforms can be passed as parameters when the script is executed.

Note:

The script will default the engine update path to https://forefrontdl.microsoft.com/server/scanengineupdate/. If this endpoint isn't available, you can change the script to use the failover endpoint https://amupdatedl.microsoft.com/server/scanengineupdate/. If the previous endpoints aren't available, you can use http://amupdatedl.microsoft.com/server/amupdate/ as an alternative download location. By default, all engines will be downloaded for the 64-bit (amd64) platform.

"},{"location":"Admin/Update-Engines/#syntax","title":"Syntax","text":"
Update-Engines.ps1\n  [-EngineDirPath <string>]\n  [-UpdatePathUrl <string>]\n  [-FailoverPathUrl <string>]\n  [-EngineDownloadUrlV2 <string>]\n  [-Engines <string[]>]\n  [-Platforms <string[]>]\n  [-ScriptUpdateOnly <switch>]\n  [-SkipVersionCheck <switch>]\n
"},{"location":"Admin/Update-Engines/#steps-to-update-scan-engines","title":"Steps to update scan engines","text":"

  1. Create a local directory structure on the computer on which you want to download the scan engine updates.

    a. Create a directory. For example, create a directory named ScanEngineUpdates. This directory must be passed via -EngineDirPath parameter to the script.

    b. Set the NTFS file system and share permissions on the directory so that the target Exchange servers have access to it.

  2. Download the latest version of the script from here

  3. Execute the Update-Engines.ps1 PowerShell script, providing any necessary parameters.

  4. You can now configure the servers to download updates from the directory created in step 1) by using the UNC path of a share name, such as \\\\server_name\\share_name.

"},{"location":"Admin/Update-Engines/#examples","title":"Examples","text":"

The following syntax uses the directory C:\\ScanEngineUpdates\\ as the root engine's directory to store the update pattern.

Update-Engines.ps1 -EngineDirPath C:\\ScanEngineUpdates\\\n

The following syntax uses the directory C:\\ScanEngineUpdates\\ as the root engine's directory. It also tries to download the latest updates for the Microsoft engine using the amd64 platform from http://forefrontdl.microsoft.com/server/scanengineupdate/.

Update-Engines.ps1 -EngineDirPath C:\\ScanEngineUpdates\\ -UpdatePathUrl http://forefrontdl.microsoft.com/server/scanengineupdate/ -Engines Microsoft -Platforms amd64\n
"},{"location":"Admin/Update-Engines/#found-a-bug-or-want-to-update-the-script","title":"Found a bug or want to update the script?","text":"

Please open a new work item here or reach out to us via: ExToolsFeedback@microsoft.com

"},{"location":"Calendar/Check-SharingStatus/","title":"Check-SharingStatus","text":"

Download the latest release: Check-SharingStatus.ps1

This script runs a variety of PowerShell cmdlets to validate the sharing relationship between two users.

"},{"location":"Calendar/Check-SharingStatus/#terminology","title":"Terminology:","text":"
  • Owner - this is the mailbox that owns the Calendar being shared.
  • Receiver - this is the mailbox 'viewing' the owner calendar.

Sample Execution: 

Check-SharingStatus.ps1 -Owner Owner@contoso.com -Receiver Receiver@contoso.com\n

"},{"location":"Calendar/Check-SharingStatus/#general-overview-of-looking-at-sharing-issues","title":"General Overview of looking at Sharing Issues:","text":"
  1. The first thing to determine is what kind of sharing relationship the users have.
    • Modern Sharing (New Model Sharing / REST) - Recipient gets a replicated copy of the Owners Calendar in their Mailbox.
    • Old Model Sharing \u2013 Recipient is granted rights but has to connect to the Owners server to get Calendar information.
    • External Sharing \u2013 Can be New or Old Model sharing, but outside of the Exchange Online Tenant / Organization.
    • Publishing (ICS) \u2013 Owner publishes a link to their calendar, which clients can pull.

  2. Next you need to determine if the relationship is healthy. Look at the output from the script.

  3. Last, you need to look at how it is working. Generally, you will get Calendar Logs from Owner and Receiver for a copied meeting and check replication times, etc.

  4. See CalLogSummaryScript for collecting CalLogs.
"},{"location":"Calendar/Get-CalendarDiagnosticObjectsSummary/","title":"Get-CalendarDiagnosticObjectsSummary","text":"

Download the latest release: Get-CalendarDiagnosticObjectsSummary.ps1

This script runs the Get-CalendarDiagnosticObjects cmdlet and returns a summarized timeline of actions into clear English. It will also output an easier to read version of the CalLogs (enhanced) as well as a Raw copy of the logs for Developers.

To run the script, you will need a valid SMTP Address for a user and a meeting Subject or MeetingID.

The script will display summarized timeline of actions and save the logs returned in csv format in the current directory. New -ExportToExcel highly recommended for ease of use (all logs in one file, color coding, etc.). First time use will request installing the ImportExcel module. See https://github.com/dfinke/ImportExcel for more information on the ImportExcel module.

Parameters: Explanation: -Identity One (or more) SMTP Address of EXO User Mailbox to query. -Subject Subject of the meeting to query, only valid if Identity is a single user. -MeetingID MeetingID of the meeting to query. - Preferred way to get CalLogs. -TrackingLogs Populate attendee tracking columns in the output. - Only useable with the MeetingID parameter. -Exceptions Include Exception objects in the output. - Only useable with the MeetingID parameter. -ExportToExcel - [NEW Feature] Export the output to an Excel file with formatting. - Running the script for multiple users will create three tabs in the Excel file for each user. If you want to add more users to the Excel file, close the file and rerun with new user. - one tab for Enhanced CalLog - one tab for the TimeLine - Tab one for Raw CalLog -CaseNumber Case Number to include in the Filename of the output. - PrePend <CaseNumber>_ to filename. -ShortLogs Limit Logs to 500 instead of the default 2000, in case the server has trouble responding with the full logs. ---"},{"location":"Calendar/Get-CalendarDiagnosticObjectsSummary/#syntax","title":"Syntax:","text":"

Example to return timeline for a user with MeetingID: 

.\\Get-CalendarDiagnosticObjectsSummary.ps1 -Identity user@contoso.com -MeetingID 040000008200E00074C5B7101A82E0080000000010E4301F9312D801000000000000000010000000996102014F1D484A8123C16DDBF8603E\n

Example to return timeline for a user with Subject:

.\\Get-CalendarDiagnosticObjectsSummary.ps1 -Identity user@contoso.com -Subject Test_OneTime_Meeting_Subject\n
Get CalLogs for 3 users: 
Get-CalendarDiagnosticObjectsSummary.ps1 -Identity User1, User2, Delegate -MeetingID $MeetingID\n
Add Tracking Logs and Exceptions: 
Get-CalendarDiagnosticObjectsSummary.ps1 -Identity $Users -MeetingID $MeetingID -TrackingLogs -Exceptions\n
Export CalLogs to Excel: 
Get-CalendarDiagnosticObjectsSummary.ps1 -Identity $Users -MeetingID $MeetingID -TrackingLogs -Exceptions -ExportToExcel -CaseNumber 123456\n
Will create file like .\\123456_CalLogSummary_<MeetingID>.xlsx in current directory.

"},{"location":"Calendar/Get-RBASummary/","title":"Get-RBASummary","text":"

Download the latest release: Get-RBASummary.ps1

This script runs the Get-CalendarProcessing cmdlet and returns the output with more details in clear English, highlighting the key settings that affect RBA and some of the common errors in configuration.

The script will also validate the mailbox is the correct type for RBA to interact with (via the Get-Mailbox cmdlet) as well as check for any Delegate rules that would interfere with RBA functionality (via the Get-InboxRules cmdlet).

"},{"location":"Calendar/Get-RBASummary/#syntax","title":"Syntax:","text":"

Example to display the setting of room mailbox. 

.\\Get-RBASummary.ps1 -Identity Room1@Contoso.com\n\n.\\Get-RBASummary.ps1 -Identity Room1 -Verbose\n

"},{"location":"Calendar/Get-RBASummary/#high-level-steps-for-rba-processing","title":"High-level steps for RBA processing:","text":"
  1. Determine if the Meeting Request is in policy or out of policy.
  2. If the meeting request is Out of Policy, see if the user has rights to create an Out of Policy request and if so, forward it to the Delegates.
  3. If it is In Policy, then either book it or forward it to the delegate based on the settings.
  4. Lastly the RBA does the configured Post Processing steps to format the meeting (delete attachments, rename meeting, etc.)

When the RBA receives a Meeting Request, the first thing that it will do is to determine if the meeting is in or out of policy. How does the RBA do this? The RBA compares the Meeting properties to the Policy Configuration. If all the checks 'pass', then the meeting request is In Policy, otherwise it is Out of Policy.

Whether the meeting is in or out of policy, the RBA will look up the configuration that will tell it what to do with the meeting. By default, all out of policy meetings are rejected, and all in policy meetings are accepted, but there is a larger range of customization that you can do to get the RBA to treat this resource the way you want it to.

If the meeting is accepted, the RBA will Post Process it based on the Post Processing configuration.

"},{"location":"Databases/Analyze-SpaceDump/","title":"Analyze-SpaceDump","text":"

Download the latest release: Analyze-SpaceDump.ps1

This script reports the space taken up by various tables based on a database space dump.

"},{"location":"Databases/Analyze-SpaceDump/#usage","title":"Usage","text":"

The space dump must be obtained while the database is dismounted, or on a suspended copy if the issue is happening there. To obtain the space dump, use the following syntax:

eseUtil /ms /v > C:\\SpaceDump.txt

Then, feed that file to this script as follows:

.\\Analyze-SpaceDump.ps1 -File C:\\SpaceDump.txt

This script will only work with Exchange 2013 and later space dumps.

"},{"location":"Databases/Compare-MailboxStatistics/","title":"Compare-MailboxStatistics","text":"

Download the latest release: Compare-MailboxStatistics.ps1

"},{"location":"Databases/Compare-MailboxStatistics/#usage","title":"Usage","text":"

This script compares two sets of mailbox statistics from the same database and highlights mailbox growth that occurred between the two snapshots.

For a growing database, a typical approach would be to start by exporting the statistics for the database:

Get-MailboxStatistics -Database DB1 | Export-CliXML C:\\stats-before.xml\n

After the initial export is obtained, wait until significant growth is observed. That could mean waiting an hour, or a day, depending on the scenario. At that point, compare the stats-before.xml with the live data by using this script as follows:

.\\Compare-MailboxStatistics.ps1 -Before (Import-CliXml C:\\stats-before.xml) -After (Get-MailboxStatistics -Database DB1)\n

This makes it easy to see which mailboxes grew the most.

"},{"location":"Databases/VSSTester/","title":"VSSTester","text":"

Download the latest release: VSSTester.ps1

"},{"location":"Databases/VSSTester/#usage","title":"Usage","text":""},{"location":"Databases/VSSTester/#trace-while-using-a-third-party-backup-solution","title":"Trace while using a third-party backup solution","text":"

.\\VSSTester -TraceOnly -DatabaseName \"Mailbox Database 1637196748\"

Enables tracing of the specified database. The user may then attempt a backup of that database and use Ctrl-C to stop data collection after the backup attempt completes.

"},{"location":"Databases/VSSTester/#trace-a-snapshot-using-the-diskshadow-tool","title":"Trace a snapshot using the DiskShadow tool","text":"

.\\VSSTester -DiskShadow -DatabaseName \"Mailbox Database 1637196748\" -ExposeSnapshotsOnDriveLetters M, N

Enables tracing and then uses DiskShadow to snapshot the specified database. If the database and logs are on the same drive, the snapshot is exposed as M: drive. If they are on separate drives, the snapshots are exposed as M: and N:. The user is prompted to stop data collection and should typically wait until log truncation has occurred before doing so, so that the truncation is traced.

"},{"location":"Databases/VSSTester/#trace-a-snapshot-using-the-diskshadow-tool-by-volume-instead-of-by-database","title":"Trace a snapshot using the DiskShadow tool by volume instead of by Database","text":"

.\\VSSTester -DiskShadow -VolumesToBackup D:\\, E:\\ -ExposeSnapshotsOnDriveLetters M, N

Enables tracing and then uses DiskShadow to snapshot the specified volumes. To see a list of available volumes, including mount points, pass an invalid volume name, such as -VolumesToBackup foo. The error will show the available volumes. Volume names must be typed exactly as shown in that output.

"},{"location":"Databases/VSSTester/#trace-in-circular-mode-until-the-microsoft-exchange-writer-fails","title":"Trace in circular mode until the Microsoft Exchange Writer fails","text":"

.\\VSSTester -WaitForWriterFailure -DatabaseName \"Mailbox Database 1637196748\"

Enables circular tracing of the specified database, and then polls \"vssadmin list writers\" once per minute. When the writer is no longer present, indicating a failure, tracing is stopped automatically.

"},{"location":"Databases/VSSTester/#more-information","title":"More information","text":"
  • https://techcommunity.microsoft.com/t5/exchange-team-blog/troubleshoot-your-exchange-2010-database-backup-functionality/ba-p/594367
  • https://techcommunity.microsoft.com/t5/exchange-team-blog/vsstester-script-updated-8211-troubleshoot-exchange-2013-and/ba-p/610976

Note that script syntax and output has changed. Syntax and screenshots in the above articles are out of date.

"},{"location":"Databases/VSSTester/#missing-microsoft-exchange-writer","title":"Missing Microsoft Exchange Writer","text":"

We have seen a few cases where the Microsoft Exchange Writer will disappear after an unspecified amount of time and restarting the Microsoft Exchange Replication service. Steps on how to resolve this are linked here:

  • https://learn.microsoft.com/en-US/troubleshoot/windows-server/backup-and-storage/event-id-513-vss-windows-server
"},{"location":"Databases/VSSTester/#com-security","title":"COM+ Security","text":"

Here are the steps to verify that the local Administrators group is allowed to the COM+ Security on the computer. The script will detect if this is a possibility if we can not see the Exchange Writers and we have the registry settings set that determine this is a possibility.

  1. Run \"dcomCnFg\" from the run box or command prompt on the problem machine
  2. Expand Component Services then Computers
  3. Right Click on My Computer and select Properties

  1. Select the COM Security tab and select Edit Default... under Access Permissions

  1. If the local Administrators group is not here for Allow for Local and Remote Access, click Add... to add the local Administrators group to the Default Security permissions

  1. Change the locations to the computer name

  1. Type in \"Administrators\" and select Check Names. Making sure the computer account comes up

  1. Add Local Access and Remote Access for Allow
  2. Click Okay
  3. Click Apply and Okay
  4. Restart the Computer
"},{"location":"Diagnostics/ExTRA/","title":"ExTRA","text":"

Download the latest release: ExTRA.ps1

The goal of this script is to replace the ExTRA UI that was included with older versions of Exchange. The script can be run on any machine where a modern browser (Edge/Chrome/Firefox) is set as the default browser. It does not need to be run on an Exchange server. It will not work if Internet Explorer is the default browser.

"},{"location":"Diagnostics/ExTRA/#usage","title":"Usage","text":"

Generally, you will want to run this script on a user workstation and use it to generate the EnabledTraces.config file. Then, that file can be copied to the Exchange server, and a logman command can be used to start and stop the ExTRA trace.

The script can be run directly on a server if desired, but remember that IE cannot be the default browser in that case.

To use, download the latest release. Then run the script with no parameters:

.\\ExTRA.ps1\n

The default browser will launch with a tag selection interface. Once the desired tags are selected, click Save and go back to the PowerShell window. You should see some output indicating that the EnabledTraces.config file was saved in the folder. That EnabledTraces.config should be placed at the root of C:\\ on the server being traced.

The output also provides example logman syntax for creating, starting, and stopping the trace.

"},{"location":"Diagnostics/ExchangeLogCollector/","title":"Exchange Log Collector","text":"

Download the latest release: ExchangeLogCollector.ps1

This script is intended to collect the Exchange default logging data from the server in a consistent manner to make it easier to troubleshoot an issue when large amounts of data is needed to be collected. You can specify what logs you want to collect by the switches that are available, then the script has logic built in to determine how to collect the data.

"},{"location":"Diagnostics/ExchangeLogCollector/#how-to-run","title":"How to Run","text":"

The script must be run as Administrator in PowerShell session on an Exchange Server or Tools box. Supported to run and collected logs against Exchange 2013 and greater. The intent of the script is to collect logs only that you need from X servers quickly without needing to have to manually collect it yourself and label zip them all up for you. If you don't know what logs to collect, it is recommended to use -AllPossibleLogs.

This script no longer supports collecting logs from Exchange 2010. However, the last release of v2 should still work just fine. You can download that here.

The script is able to collect from the large set of servers while using the Invoke-Command. Prior to executing the main script, we check to make sure the server is up and that we are able to use Invoke-Command against the server. If Invoke-Command works remotely, then we will allow you to attempt to collect the data. You can still utilize the script to collect locally as it used to be able to, if the target OS doesn't allow this.

Prior to collecting the data, we check to make sure that there is at least 10GB of free space at the location of where we are trying to save the data of the target server. The script will continue to keep track of all the logs and data that is being copied over and will stop if we have less than 10GB of free space.

You are able to use a config file to load up all the parameters you wish to choose and the servers you wish to run the script against. Just create a file called ExchangeLogCollector.ps1.json and place at the same location as the script. Then provide the switches you would like to use in the file like so:

{\n  \"Servers\": [\n    \"ADT-E16A\",\n    \"ADT-E16B\",\n    \"ADT-E16C\"\n  ],\n  \"FilePath\": \"C:\\\\MS_Logs\",\n  \"IISLogs\": true,\n  \"AppSysLogsToXml\": false,\n  \"ScriptDebug\": true\n}\n

NOTE: It is import that you use \\\\ for the file path otherwise the settings will fail to load.

"},{"location":"Diagnostics/ExchangeLogCollector/#examples","title":"Examples:","text":"

This cmdlet will collect all default logs of the local Exchange Server and store them in the default location of \"C:\\MS_Logs_Collection\"

.\\ExchangeLogCollector.ps1 -AllPossibleLogs\n

This cmdlet will collect all relevant data regarding database fail overs from server EXCH1 and EXCH2 and store them at Z:\\Data\\Logs. Note: at the end of the collection, the script will copy over the data to the local host execution server to make data collection even easier.

.\\ExchangeLogCollector.ps1 -DatabaseFailoverIssue -Servers EXCH1,EXCH2 -FilePath Z:\\Data\\Logs\n

This cmdlet will collect all relevant data regarding IIS Logs (within the last 3 days by default) and all RPC type logs from the servers EXCH1 and EXCH2 and store them at the default location of \"C:\\MS_Logs_Collection\"

.\\ExchangeLogCollector.ps1 -Servers EXCH1,EXCH2 -IISLogs -RPCLogs\n

This cmdlet will collect all relevant data regarding Message Tracking Logs and Protocol Logs for the past 3 hours from the servers EXCH1 and EXCH2 and store them at the default location of \"C:\\MS_Logs_Collection\"

.\\ExchangeLogCollector.ps1 -Servers EXCH1,EXCH2 -MessageTrackingLogs -ProtocolLogs -LogAge \"03:00:00\"\n
"},{"location":"Diagnostics/ExchangeLogCollector/#parameters","title":"Parameters","text":"Parameter Description FilePath The Location of where you would like the data to be copied over to. This location must be the same and accessible on all servers if you use the Servers parameter. Default value: C:\\MS_Logs_Collection Servers An array of servers that you would like to collect data from. AcceptedRemoteDomain Enable to collect Get-AcceptedDomain and Get-RemoteDomain. ADDriverLogs Enable to collect AD Driver Logs. Location: V15\\Logging\\ADDriver AppSysLogs Collects the Windows Event Application, System, and MSExchange Management Logs. Default value $true AppSysLogsToXml Collects the Windows Event Application and System and saves them out to XML. The time range only is from the time the script run and the value set on LogAge. Default value: $true AutoDLogs Enable to collect AutoDiscover Logs. Location: V15\\Logging\\Autodiscover and V15\\Logging\\HttpProxy\\Autodiscover CollectFailoverMetrics Enable to run the CollectOverMetrics.ps1 script against the DAG. Only able to be run on an Exchange tools box or an Exchange Server. DAGInformation Enable to collect the DAG Information from all different DAGs that are in the list of servers. DailyPerformanceLogs Enable to collect Daily Performance Logs. Default Location: V15\\Logging\\Diagnostics\\DailyPerformanceLogs DefaultTransportLogging Enables the following switches and their logs to be collected. AcceptedRemoteDomain, FrontEndConnectivityLogs, FrontEndProtocolLogs, HubConnectivityLogs, MailboxConnectivityLogs, MailboxDeliveryThrottlingLogs, MessageTrackingLogs, PipelineTracingLogs, QueueInformation, ReceiveConnectors, SendConnectors, TransportConfig, TransportRoutingTableLogs, and TransportRules EASLogs Enable to collect Exchange Active Sync Logging. Location: V15\\Logging\\HttpProxy\\Eas ECPLogs Enable to collect ECP Logs. Location: V15\\Logging\\ECP and V15\\Logging\\HttpProxy\\Ecp EWSLogs Enable to collect EWS Logs. Location: V15\\Logging\\HttpProxy\\Ews and V15\\Logging\\Ews ExchangeServerInformation Enable to collect Exchange Information like Get-ExchangeServer, Get-MailboxServer, etc... This is also collected when -ServerInformation is also enabled. ExMon Enable to collect ExMon data from the server. ExPerfWiz Enable to collect ExPerfWiz data if found. FrontEndConnectivityLogs Enable to collect the connectivity logging on the FE. Location: (Get-FrontendTransportService $server).ConnectivityLogPath FrontEndProtocolLogs Enable to collect the protocol logging on the FE. Location: (Get-FrontendTransportService $server).ReceiveProtocolLogPath and (Get-FrontendTransportService $server).SendProtocolLogPath GetVDirs Enable to collect the Virtual Directories of the environment. HighAvailabilityLogs Enable to collect High Availability Logs. Windows Event Logs like: Microsoft-Exchange-HighAvailability, Microsoft-Exchange-MailboxDatabaseFailureItems, and Microsoft-Windows-FailoverClustering HubConnectivityLogs Enable to collect the Hub connectivity logging. Location: (Get-TransportService $server).ConnectivityLogPath HubProtocolLogs Enable to collect the protocol logging. Location: (Get-TransportService $server).ReceiveProtocolLogPath and (Get-TransportService $server).SendProtocolLogPath IISLogs Enable to collect IIS Logs and HTTPErr Logs from the Exchange Server. Default Location: C:\\InetPub\\logs\\LogFiles\\W3SVC1, C:\\InetPub\\logs\\LogFiles\\W3SVC2, and C:\\Windows\\System32\\LogFiles\\HTTPERR. IISlogs do not collect all logs on CollectAllLogsBasedOnLogAge:$false, just works based on log age. ImapLogs Enable to collect IMAP logging. Location: (Get-ImapSettings -Server $server).LogFileLocation MailboxAssistantsLogs Enable to collect Mailbox Assistants logging. Location: V15\\Logging\\MailboxAssistantsLog, V15\\Logging\\MailboxAssistantsSlaReportLog, and V15\\Logging\\MailboxAssistantsDatabaseSlaLog MailboxConnectivityLogs Enable to collect the connectivity logging on the mailbox server. Location: (Get-MailboxTransportService $server).ConnectivityLogPath MailboxDeliveryThrottlingLogs Enable to collect the mailbox delivery throttling logs on the server. Location: (Get-MailboxTransportService $server).MailboxDeliveryThrottlingLogPath MailboxProtocolLogs Enable to collect protocol logging on the mailbox server. Location: (Get-MailboxTransportService $server).ReceiveProtocolLogPath and (Get-MailboxTransportService $server).SendProtocolLogPath ManagedAvailabilityLogs Enable to collect the Managed Availability Logs. Location: V15\\Logging\\Monitoring and Windows Event logs like Microsoft-Exchange-ManagedAvailability MapiLogs Enable to collect MAPI Logs. Location: V15\\Logging\\MAPI Client Access, V15\\Logging\\MapiHttp\\Mailbox, and V15\\Logging\\HttpProxy\\Mapi MessageTrackingLogs Enable to collect the Message Tracking Logs. Location: (Get-TransportService $server).MessageTrackingLogPath MitigationService Enable to collect the Mitigation Service logs. Location: V15\\Logging\\MitigationService OABLogs Enable to collect OAB Logs. Location: V15\\Logging\\HttpProxy\\OAB, V15\\Logging\\OABGeneratorLog, V15\\Logging\\OABGeneratorSimpleLog, and V15\\Logging\\MAPI AddressBook Service OrganizationConfig Enable to collect the Organization Configuration from the environment. OWALogs Enable to collect OWA Logs. Location: V15\\Logging\\OWA, Logging\\HttpProxy\\OwaCalendar, and V15\\Logging\\HttpProxy\\Owa PipelineTracingLogs Enable to collect the Pipeline Tracing Logs. Location (Get-TransportService $server).PipelineTracingPath, and (Get-MailboxTransportService $server).PipelineTracingPath PopLogs Enable to collect POP logging. Location: (Get-PopSettings -Server $server).LogFileLocation PowerShellLogs Enable to collect the PowerShell Logs. Location: V15\\Logging\\HttpProxy\\PowerShell QueueInformation Enable to collect the historical queue information. Location: (Get-TransportService $server).QueueLogPath ReceiveConnectors Enable to collect the Receive Connector information from the server. RPCLogs Enable to collect RPC Logs. Location: V15\\Logging\\RPC Client Access, V15\\Logging\\HttpProxy\\RpcHttp, and V15\\Logging\\RpcHttp SearchLogs Enable to collect Search Logs. Location: V15\\Bin\\Search\\Ceres\\Diagnostics\\Logs, V15\\Bin\\Search\\Ceres\\Diagnostics\\ETLTraces, V15\\Logging\\Search. On 2019 only we also include V15\\Logging\\BigFunnelMetricsCollectionAssistant, V15\\Logging\\BigFunnelQueryParityAssistant, and V15\\Logging\\BigFunnelRetryFeederTimeBasedAssistant SendConnectors Enable to collect the send connector information from the environment. ServerInformation Enable to collect general server information. TransportAgentLogs Enable to collect the Agent Logs. Location: (Get-TransportService $server).AgentLogPath, (Get-FrontendTransportService $server).AgentLogPath, (Get-MailboxTransportService $server).MailboxSubmissionAgentLogPath, and (Get-MailboxTransportService $server).MailboxDeliveryAgentLogPath TransportConfig Enable to collect the Transport Configuration files from the Server and Get-TransportConfig from the org. Files: EdgeTransport.exe.config, MSExchangeFrontEndTransport.exe.config, MSExchangeDelivery.exe.config, and MSExchangeSubmission.exe.config TransportRoutingTableLogs Enable to collect the Routing Table Logs. Location: (Get-TransportService $server).RoutingTableLogPath, (Get-FrontendTransportService $server).RoutingTableLogPath, and (Get-MailboxTransportService $server).RoutingTableLogPath TransportRules Enable to collect Get-TransportRule. WindowsSecurityLogs Enable to collect the Windows Security Logs. Default Location: 'C:\\Windows\\System32\\WinEvt\\Logs\\Security.evtx' AllPossibleLogs Enables the collection of all default logging collection on the Server. CollectAllLogsBasedOnLogAge Boolean to determine if you collect all the logs based off the log's age or all the logs in that directory. Default value $true ConnectivityLogs Enables the following switches and their logs to be collected: FrontEndConnectivityLogs, HubConnectivityLogs, and MailboxConnectivityLogs DatabaseFailoverIssue Enables the following switches and their logs to be collected. DAGInformation, DailyPerformanceLogs, ExchangeServerInformation, ExPerfWiz, HighAvailabilityLogs, ManagedAvailabilityLogs, and ServerInformation. DaysWorth The number of days to go back to be included int the time span for log collection. Default value: 3 HoursWorth The number of hours to go back to be included in the time span for the log collection. Default Value 0. LogStartDate Set the starting time for the log collection (DateTime). LogEndDate Set the ending time for the log collection (DateTime). DisableConfigImport Enable to not import the ExchangeLogCollector.ps1.json file if it exists. ExMonLogmanName A list of names that we want to collect for ExMon data. The default name is ExMon_Trace. ExPerfWizLogmanName A list of names that we want to collect performance data logs from. The default names are Exchange_PerfWiz, ExPerfWiz, and SimplePerf. (For both styles of ExPerfWiz) LogAge A Time Span value to use instead of the DaysWorth and HoursWorth parameters. Default Value: 3.00:00:00 OutlookConnectivityIssues Enables the following switches and their logs to be collected: AutoDLogs, DailyPerformanceLogs, EWSLogs, ExPerfWiz, IISLogs, MAPILogs, RPCLogs, and ServerInformation PerformanceIssues Enables the following switches and their logs to be collected: DailyPerformanceLogs, ExPerfWiz, and ManagedAvailabilityLogs PerformanceMailFlowIssues Enables the following switches and their logs to be collected: DailyPerformanceLogs, ExPerfWiz, MessageTrackingLogs, QueueInformation, and TransportConfig ProtocolLogs Enables the following switches and their logs to be collected: FrontEndProtocolLogs, HubProtocolLogs, and MailboxProtocolLogs ScriptDebug Enable to display all the verbose lines in the script. SkipEndCopyOver If the Servers parameter is used, by default we will attempt to collect all the data back over to the local server after all the data was collected on each server."},{"location":"Diagnostics/ManagedAvailabilityTroubleshooter/","title":"ManagedAvailabilityTroubleshooter","text":"

Download the latest release: ManagedAvailabilityTroubleshooter.ps1

"},{"location":"Diagnostics/Test-ExchAVExclusions/","title":"Test-ExchAVExclusions","text":"

Download the latest release: Test-ExchAVExclusions.ps1

Assists with testing Exchange Servers to determine if AV Exclusions have been properly set according to our documentation.

AV Exclusions Exchange 2016/2019

AV Exclusions Exchange 2013

"},{"location":"Diagnostics/Test-ExchAVExclusions/#usage","title":"Usage","text":"

Writes an EICAR test file to all paths specified in our AV Exclusions documentation and verifies all extensions in the documentation in a temporary folder.

If the file is removed then the path is not properly excluded from AV Scanning. IF the file is not removed then it should be properly excluded.

Once the files are created it will wait 5 minutes for AV to \"see\" and remove the file.

After finishing testing directories it will test Exchange Processes. Pulls all Exchange processes and their modules. Excludes known modules and reports all Non-Default modules.

Non-Default modules should be reviewed to ensure they are expected. AV Modules loaded into Exchange Processes indicate that AV Process Exclusions are NOT properly configured.

... .\\Test-ExchAVExclusions.ps1 ...

"},{"location":"Diagnostics/Test-ExchAVExclusions/#understanding-the-output","title":"Understanding the Output","text":""},{"location":"Diagnostics/Test-ExchAVExclusions/#file-output","title":"File Output","text":"

Review the BadExclusions.txt file to see any file paths were identified as being scanned by AV. Work with the AV Vendor to determine the best way to exclude these file paths according to our documentation:

AV Exclusions Exchange 2016/2019

"},{"location":"Diagnostics/Test-ExchAVExclusions/#process-output","title":"Process Output","text":"

Review NonDefaultModules.txt to determine if any Non-Default modules are loaded into Exchange processes. The output should have sufficient information to identity the source of the flagged modules.

[FAIL] - PROCESS: ExchangeTransport MODULE: scanner.dll COMPANY: Contoso Security LTT.

If the Module is from an AV or Security software vendor it is a strong indication that process exclusions are not properly configured on the Exchange server. Please work with the vendor to ensure that they are properly configured according to:

AV Exclusions Exchange 2016/2019

AV Exclusions Update

"},{"location":"Diagnostics/Test-ExchAVExclusions/#parameters","title":"Parameters","text":"Parameter Description WaitingTimeForAVAnalysisInMinutes Set the waiting time for AV to analyze the EICAR files. Default is 5 minutes. Recurse Places an EICAR file in all SubFolders as well as the root. SkipVersionCheck Skip script version verification. ScriptUpdateOnly Just update script version to latest one."},{"location":"Diagnostics/Test-ExchAVExclusions/#outputs","title":"Outputs","text":"

Log file: $PSScriptRoot\\Test-ExchAvExclusions-#DateTime#.txt

List of Folders, extensions Scanned by AV and List of Non-Default Processes: $PSScriptRoot\\BadExclusions-#DateTime#.txt

"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/","title":"FindFrontEndActivity","text":"

Download the latest release: FindFrontEndActivity.ps1

"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#synopsis","title":"Synopsis","text":"

Find HttpProxy protocol activity for one or more users.

"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#syntax","title":"Syntax","text":"
.\\FindFrontEndActivity.ps1 -ServerName <String[]> -SamAccountName <String[]> [-LatencyThreshold <Int32>] [-Protocol <String[]>] [-IncludeNonExecutes] [-Quiet] [-TimeSpan <TimeSpan>] [<CommonParameters>]\n\n.\\FindFrontEndActivity.ps1 -ServerName <String[]> -SamAccountName <String[]> [-LatencyThreshold <Int32>] [-Protocol <String[]>] [-IncludeNonExecutes] [-Quiet] -StartTime <DateTime> -EndTime <DateTime> [<CommonParameters>]\n
"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#quick-start-examples","title":"Quick Start Examples","text":"
[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" | ft\n\nDateTime                 AuthenticatedUser  UrlStem       ServerHostName TargetServer         TotalRequestTime\n--------                 -----------------  -------       -------------- ------------         ----------------\n2023-02-11T15:59:35.174Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  2214\n
[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" -LatencyThreshold 100 | ft\n\nDateTime                 AuthenticatedUser  UrlStem       ServerHostName TargetServer         TotalRequestTime\n--------                 -----------------  -------       -------------- ------------         ----------------\n2023-02-11T15:59:29.898Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  505\n2023-02-11T15:59:31.560Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  403\n2023-02-11T15:59:35.174Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  2214\n2023-02-11T15:59:35.488Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  161\n2023-02-11T15:59:38.133Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  399\n
[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" -Protocol \"ews\", \"mapi\" | ft\n\nDateTime                 AuthenticatedUser  UrlStem            ServerHostName TargetServer         TotalRequestTime\n--------                 -----------------  -------            -------------- ------------         ----------------\n2023-02-11T15:10:10.643Z contoso\\john.doe   /EWS/Exchange.asmx EXCH1          exch1.contoso.local  1800019\n2023-02-11T15:40:44.254Z contoso\\john.doe   /EWS/Exchange.asmx EXCH1          exch1.contoso.local  1800028\n2023-02-11T15:59:35.174Z contoso\\john.doe   /mapi/emsmdb/      EXCH1          exch1.contoso.local  2214\n

Note the difference between -Quiet mode and the default:

[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" -Quiet\nEXCH1\nEXCH3\n[PS] C:\\>\n[PS] C:\\># Notice how we returned two servers when using -Quiet.\n[PS] C:\\>\n[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" | ft\n\nDateTime                 AuthenticatedUser  UrlStem       ServerHostName TargetServer         TotalRequestTime\n--------                 -----------------  -------       -------------- ------------         ----------------\n2023-02-11T16:25:14.508Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  1182\n\n\n[PS] C:\\># But only one in the default mode. This is because the default is intended\n[PS] C:\\># to look for calls that are slow and are Execute calls. To see everything,\n[PS] C:\\># we need to remove the latency filter and include non-execute activity,\n[PS] C:\\># but this will return a lot of noise.\n[PS] C:\\>\n[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" -LatencyThreshold 0 -IncludeNonExecutes | ft\n\nDateTime                 AuthenticatedUser  UrlStem       ServerHostName TargetServer         TotalRequestTime\n--------                 -----------------  -------       -------------- ------------         ----------------\n2023-02-11T16:00:07.619Z contoso\\john.doe   /mapi/emsmdb/ EXCH3          exch1.contoso.local  17\n2023-02-11T16:01:10.555Z contoso\\john.doe   /mapi/nspi/   EXCH1          exch1.contoso.local  22\n2023-02-11T16:05:11.132Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  659066\n2023-02-11T16:05:12.101Z contoso\\john.doe   /mapi/nspi/   EXCH1          exch1.contoso.local  21\n...\n

To see all details, use fl *:

[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" | fl *\n\n\nDateTime                        : 2023-02-11T16:25:14.508Z\nRequestId                       : 0aa7958e-c59a-4f0a-903f-ebbd6ed93c9a\nMajorVersion                    : 15\nMinorVersion                    : 2\nBuildVersion                    : 1118\n...\n
"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#description","title":"Description","text":"

When an Exchange client experiences issues, the HttpProxy logs are often the starting point for determining whether the issue is with the client, the network, or the server. However, since an Exchange environment may have dozens of front-end servers, it can be difficult to find the relevant logs for a given user.

This script is designed to search the logs of all Exchange servers in parallel to quickly find the HttpProxy logs related to specified users.

The default mode of the script is intended for finding slow MAPI calls from Outlook clients. The -Protocol switch can be used to search more protocols, while specifying -LatencyThreshold allows the admin to filter more aggressively or remove the latency filter entirely. Running in -Quiet mode skips the filtering and just reports any servers that have the specified users in the HttpProxy logs for the specified protocols. See the parameters and examples for more information.

"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#parameters","title":"Parameters","text":"
-ServerName <String[]>\n    The name of one or more Exchange servers to search. An easy way to search all Exchange\n    servers in the forest is to simply pipe Get-ExchangeServer to the script.\n\n    Required?                    true\n    Position?                    named\n    Default value\n    Accept pipeline input?       true (ByValue, ByPropertyName)\n    Accept wildcard characters?  false\n\n-SamAccountName <String[]>\n    The samAccountNames of one or more users to search for.\n\n    Required?                    true\n    Position?                    named\n    Default value\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-LatencyThreshold <Int32>\n    The minimum latency (in milliseconds) to search for. This is useful for filtering out\n    noise from the logs. (Default: 1000). This parameter has no effect when -Quiet is used.\n\n    Required?                    false\n    Position?                    named\n    Default value                1000\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-Protocol <String[]>\n    The protocols to search. Valid values are: Autodiscover, EAS, ECP, EWS, MAPI, OWA, PowerShell,\n    RpcHttp. (Default: MAPI)\n\n    Required?                    false\n    Position?                    named\n    Default value                @('MAPI')\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-IncludeNonExecutes [<SwitchParameter>]\n    By default, NotificationWaits from the MAPI logs are not included, because these are slow\n    by design. Specify this switch to include them.\n\n    Required?                    false\n    Position?                    named\n    Default value                False\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-Quiet [<SwitchParameter>]\n    This switch causes the script to only report the server names rather than the full log\n    entries. This may be somewhat faster. However, there is no filtering for LatencyThreshold\n    and NotificationWait when this option is used.\n\n    Required?                    false\n    Position?                    named\n    Default value                False\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-TimeSpan <TimeSpan>\n    Specify how far back to search the logs. This is a TimeSpan value, such as \"01:00\" for the\n    last hour or \"00:30\" for the last 30 minutes. (Default: 15 minutes). Use this parameter to\n    search the most recent logs. Use StartTime and EndTime to search older logs.\n\n    Required?                    false\n    Position?                    named\n    Default value                (New-TimeSpan -Minutes 15)\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-StartTime <DateTime>\n    Logs older than this time are not searched. This is a DateTime value, such as (Get-Date).AddDays(-1)\n    or \"2023-02-11 08:00\". Use this parameter to search old logs. Use -TimeSpan to search the\n    most recent logs.\n\n    Required?                    true\n    Position?                    named\n    Default value\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-EndTime <DateTime>\n    Logs newer than this time are not searched. This is a DateTime value, such as (Get-Date).AddDays(-1)\n    or \"2023-02-11 09:00\". Use this parameter to search old logs. Use -TimeSpan to search the\n    most recent logs.\n\n    Required?                    true\n    Position?                    named\n    Default value\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n<CommonParameters>\n    This cmdlet supports the common parameters: Verbose, Debug,\n    ErrorAction, ErrorVariable, WarningAction, WarningVariable,\n    OutBuffer, PipelineVariable, and OutVariable. For more information, see\n    about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).\n
"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#example-1","title":"Example 1","text":"

Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"user1\", \"user2\" | ft\n
Show any MAPI HttpProxy activity that took more than 1 second for user1 or user2 within the last 15 minutes on all Exchange servers in the forest.

"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#example-2","title":"Example 2","text":"

Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"user1\", \"user2\" -Quiet\n
Show only the server names where user1 or user2 are found in the MAPI HttpProxy logs within the last 15 minutes.

"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#example-3","title":"Example 3","text":"

Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"user1\", \"user2\" -Protocol \"ews\", \"mapi\" -LatencyThreshold 100 -TimeSpan \"00:30\"\n
Show any EWS or MAPI HttpProxy activity that took more than 100 milliseconds for user1 or user2 within the last 30 minutes on all Exchange servers in the forest.

"},{"location":"Diagnostics/HealthChecker/","title":"HealthChecker","text":"

Download the latest release: HealthChecker.ps1

The Exchange Server Health Checker script helps detect common configuration issues that are known to cause performance issues and other long running issues that are caused by a simple configuration change within an Exchange Environment. It also helps collect useful information of your server to help speed up the process of common information gathering of your server.

"},{"location":"Diagnostics/HealthChecker/#requirements","title":"Requirements","text":""},{"location":"Diagnostics/HealthChecker/#supported-exchange-server-versions","title":"Supported Exchange Server Versions:","text":"

The script can be used to validate the configuration of the following Exchange Server versions: - Exchange Server 2016 - Exchange Server 2019

"},{"location":"Diagnostics/HealthChecker/#required-permissions","title":"Required Permissions:","text":"

Please make sure that the account used is a member of the Local Administrator group. This should be fulfilled on Exchange servers by being a member of the Organization Management group. However, if the group membership was adjusted or in case the script is executed on a non-Exchange system like a management server, you need to add your account to the Local Administrator group. You also need to be a member of the following groups:

  • Organization Management
  • Domain Admins (only necessary for the DCCoreRatio parameter)
"},{"location":"Diagnostics/HealthChecker/#syntax","title":"Syntax","text":"
HealthChecker.ps1\n  [-Server <string[]>]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-Server <string[]>]\n  [-MailboxReport]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-LoadBalancingReport]\n  [-ServerList <string[]>]\n  [-SiteName <string>]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-BuildHtmlServersReport]\n  [-XMLDirectoryPath <string>]\n  [-HtmlReportFile <string>]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-AnalyzeDataOnly]\n  [-XMLDirectoryPath <string>]\n  [-HtmlReportFile <string>]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-DCCoreRatio]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-ScriptUpdateOnly]\n  [-OutputFilePath <string>]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-VulnerabilityReport]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\n
"},{"location":"Diagnostics/HealthChecker/#how-to-run","title":"How To Run","text":"

This script must be run as Administrator in Exchange Management Shell on an Exchange Server. You can provide no parameters and the script will just run against the local server and provide the detail output of the configuration of the server.

"},{"location":"Diagnostics/HealthChecker/#examples","title":"Examples:","text":"

This cmdlet with run Health Checker Script by default and run against the local server.

PS C:\\> .\\HealthChecker.ps1\n

This cmdlet will run the Health Checker Script against the specified server.

PS C:\\> .\\HealthChecker.ps1 -Server EXCH1\n

This cmdlet will run the Health Checker Script against a list of servers.

PS C:\\> .\\HealthChecker.ps1 -Server EXCH1,EXCH2,EXCH3\n

This cmdlet will build the HTML report for all the XML files located in the same location as the Health Checker Script.

PS C:\\> .\\HealthChecker.ps1 -BuildHtmlServersReport\n

This cmdlet will build the HTML report for all the XML files located in the directory specified in the XMLDirectoryPath Parameter.

PS C:\\> .\\HealthChecker.ps1 -BuildHtmlServersReport -XMLDirectoryPath C:\\Location\n

This cmdlet will run the Health Checker Load Balancing Report for all the Exchange CAS (Front End connections only) and MBX servers (BackEnd connections) in the Organization.

PS C:\\> .\\HealthChecker.ps1 -LoadBalancingReport\n

This cmdlet will run the Health Checker Load Balancing Report for these Servers EXCH1, EXCH2, and EXCH3 CAS (Front End connections) and MBX (BackEnd Connections)

PS C:\\> .\\HealthChecker.ps1 -LoadBalancingReport -ServerList EXCH1,EXCH2,EXCH3\n

This cmdlet will run the Health Checker Load Balancing Report for the Exchange servers in the site SiteA.

PS C:\\> .\\HealthChecker.ps1 -LoadBalancingReport -SiteName SiteA\n

This cmdlet will run the Health Checker Mailbox Report against the Server EXCH1

PS C:\\> .\\HealthChecker.ps1 -MailboxReport -Server EXCH1\n

This cmdlet will run the Health Checker against all your Exchange Servers, then run the HTML report and open it.

PS C:\\> Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match \"^Version 15\"} | .\\HealthChecker.ps1; .\\HealthChecker.ps1 -BuildHtmlServersReport -HtmlReportFile \"ExchangeAllServersReport.html\"; .\\ExchangeAllServersReport.html\n

This cmdlet will run Health Checker Vulnerability Report feature against all your Exchange Servers. Then Export out the data to a json file.

PS C:\\> .\\HealthChecker.ps1 -VulnerabilityReport\n
"},{"location":"Diagnostics/HealthChecker/#parameters","title":"Parameters","text":"Parameter Description Server The server that you would like to run the Health Checker Script against. Parameter not valid with -BuildHTMLServersReport or LoadBalancingReport. Default is the localhost. OutputFilePath The output location for the log files that the script produces. Default is the current directory. MailboxReport Produces the Mailbox Report for the server provided. LoadBalancingReport Runs the Load Balancing Report for the Script ServerList Used in combination with the LoadBalancingReport switch for letting the script to know which servers to run against. SiteName Used in combination with the LoadBalancingReport switch for letting the script to know which servers to run against in the site. XMLDirectoryPath Used in combination with BuildHtmlServersReport switch for the location of the HealthChecker XML files for servers which you want to be included in the report. Default location is the current directory. BuildHtmlServersReport Switch to enable the script to build the HTML report for all the servers XML results in the XMLDirectoryPath location. HtmlReportFile Name of the HTML output file from the BuildHtmlServersReport. Default is ExchangeAllServersReport-yyyyMMddHHmmss.html DCCoreRatio Gathers the Exchange to DC/GC Core ratio and displays the results in the current site that the script is running in. AnalyzeDataOnly Switch to analyze the existing HealthChecker XML files. The results are displayed on the screen and an HTML report is generated. VulnerabilityReport Switch to collect the Vulnerability Information for all the servers in the environment and export it out to json file. SkipVersionCheck No version check is performed when this switch is used. SaveDebugLog The debug log is kept even if the script is executed successfully. ScriptUpdateOnly Switch to check for the latest version of the script and perform an auto update if a newer version was found. Can be run on any machine with internet connectivity. No elevated permissions or EMS are required."},{"location":"Diagnostics/HealthChecker/ADSiteCount/","title":"AD Site Count Check","text":"

In large environments that contains a lot of sites, can cause a performance issue with Exchange. In particular Autodiscover app pool will peg the CPU at 4-hour intervals when there are many AD sites.

It is recommended to reduce the number of AD Sites within the environment to address this issue. However, there is a workaround that would prevent the issue from occurring every 4-hours and just every 24-hours.

In the %ExchangeInstallPath%\\Bin\\Microsoft.Exchange.Directory.TopologyService.exe.config file, change the ExchangeTopologyCacheLifetime value to be 1.00:00:00,00:20:00 instead to have the cache lifetime increase from 4-hours to 24-hours. It is not recommended to go beyond 24-hours.

Included in HTML Report?

Yes

Additional resources:

Original Issue

"},{"location":"Diagnostics/HealthChecker/AMSIIntegration/","title":"AMSI Check","text":"

The Windows AntiMalware Scan Interface (AMSI) is a versatile standard that allows applications and services to integrate with any AntiMalware product present on a machine. AMSI is vendor agnostic and designed to allow for the most common malware scanning and protection techniques provided by today's products to be integrated into applications.

It only scans the HTTP protocol, and is not meant to be a replacement to existing server-level or message hygiene protections.

AMSI integration is available on the following Operating System / Exchange Server version combinations: - Windows Server 2016, or higher - Exchange Server 2016 CU21, or higher - Exchange Server 2019 CU10, or higher - AMSI is not available on Edge Transport Servers

If you use Microsoft Defender, AV engine version at or higher than 1.1.18300.4 is also required. Alternatively, a compatible AMSI capable third-party AV provider.

This check verifies if an override exists which disables the AMSI integration with Exchange Server. It does that, by running the following query:

Get-SettingOverride | Where-Object { ($_.ComponentName -eq \"Cafe\") -and ($_.SectionName -eq \"HttpRequestFiltering\") }

Included in HTML Report?

Yes

Additional resources:

Released: June 2021 Quarterly Exchange Updates

More about AMSI integration with Exchange Server

"},{"location":"Diagnostics/HealthChecker/AuthCertificateCheck/","title":"Auth Certificate Check","text":""},{"location":"Diagnostics/HealthChecker/AuthCertificateCheck/#description","title":"Description","text":"

The Auth Configuration and Auth Certificate are used by Microsoft Exchange server to enable server-to-server authentication using the Open Authorization (OAuth) protocol standard. The Auth Certificate is also used by several Exchange Server security features which makes it important to be valid and available on all servers (except Edge Transport Servers) within the organization.

An invalid Auth Certificate can lead to these and other issues:

  • Access to OWA or ECP isn't working

  • Management of your Exchange servers via Exchange Management Shell isn't working as expected

"},{"location":"Diagnostics/HealthChecker/AuthCertificateCheck/#what-does-the-check-do","title":"What does the check do?","text":"

The HealthChecker script validates multiple configurations which are having a dependency to the Auth Certificate. The script will show you if the Auth Certificate which is configured, was found on the server against which the script is currently running. It will also highlight if the certificate has been expired.

HealthChecker will display the certificate, which is configured as the next Auth Certificate (if there is one) and the effective date from which it becomes available for use by the AuthAdmin servicelet (Auth Certificate rotation to ensure a smooth transition to a new one).

Note: It's required to run the Hybrid Configuration Wizard (HCW), if you are running an Exchange Server hybrid configuration and the primary Auth Certificate has been replaced by a new one.

"},{"location":"Diagnostics/HealthChecker/AuthCertificateCheck/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/AuthCertificateCheck/#additional-resources","title":"Additional resources","text":"

Maintain (rotate) the Exchange Server Auth Certificate

Replace the Auth Certificate if it has already expired or isn't available

Exchange OAuth authentication couldn't find the authorization certificate with thumbprint error when running Hybrid Configuration

MonitorExchangeAuthCertificate.ps1 script

"},{"location":"Diagnostics/HealthChecker/CTSProcessorAffinityPercentageCheck/","title":"CTS Processor Affinity Percentage Check","text":"

Description:

We check if the CtsProcessorAffinityPercentage DWORD value under HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\ExchangeServer\\V15\\Search\\SystemParameters exists and is set to any other value than 0. This setting can be used to limit CPU utilization of a process.

This can cause an impact to the server's search performance. This should never be used as a long term solution!

Included in HTML Report?

Yes

"},{"location":"Diagnostics/HealthChecker/CertificateCheck/","title":"Certificate Check","text":"

This check retrieves all certificates from the Exchange server by using the Get-ExchangeCertificate cmdlet. We display the following information:

  • FriendlyName
  • Thumbprint
  • Lifetime in days
  • Key size
  • Signature algorithm
  • Signature hash algorithm
  • Bound to services
  • Current Auth Certificate
  • SAN Certificate
  • Namespaces

We also perform the following checks:

  • Certificate lifetime check:

    • We show a green output, if the certificate is valid for 60 or more days.
    • We show a yellow warning, if the certificate lifetime is between 30 and 59 days.
    • We show a red warning if the lifetime is < 30 days.

  • Weak key size check:

    • We show a red warning, if the key size is lower than 2048 bit.

  • Weak hash algorithm check:

    • We show a yellow warning if the hash algorithm used to sign a certificate is weak.

  • Valid Auth certificate check:

    • We check if the certificate which is set as current Auth certificate is available on the server.

Included in HTML Report?

Yes

"},{"location":"Diagnostics/HealthChecker/CloudConnectorCheck/","title":"Cloud Connector Check","text":"

This check performs testings against the Exchange Send- and Receive Connectors which are enabled for cloud usage if a hybrid configuration was detected. We run Get-HybridConfiguration to validate if hybrid has been configured for the environment.

A proper configured Send- and Receive Connector is important - especially in hybrid scenarios. A misconfigured connector can lead to multiple issues including broken tenant attribution and email classification (internal / anonymous) which can then lead to false-positive/false-negative.

We to make sure that the mail flow between Exchange on-premises and Exchange Online works as expected

If a Send Connector has the following setting set, it means that the connector is eligible for cloud mail usage:

  • CloudServicesMailEnabled

If a Receive Connector has the following setting set, it means that the connector is eligible for cloud mail usage:

  • TlsDomainCapabilities

We only perform testings for the Receive Connectors if:

  • TransportRole is set to FrontendTransport

We run the following checks:

  • Connector enabled check:

    • We show a yellow warning, if the connector is not enabled

  • Send Connector configured to relay emails via M365 check:

    • If TlsAuthLevel is set to CertificateValidation
    • If RequireTLS is set to true
    • If TlsDomain is set (only performed if TlsAuthLevel is set to DomainValidation)

  • TlsCertificateName configuration check:

    • We check if TlsCertificateName has been set
    • We check if the certificate which is configured in TlsCertificateName exists on the server
    • If a certificate was configured and detected on the system, we then check if it expires within the next 60 days
    • If a certificate was configured, we compare it with the TlsCertificateName returned by Get-HybridConfiguration
    • If a certificate was configured, we check if the syntax is correct and not corrupt. Expected syntax: <I>X.500Issuer<S>X.500Subject

Included in HTML Report?

Yes

Additional resources:

Certificate requirements for hybrid deployments

Demystifying and troubleshooting hybrid mail flow: when is a message internal?

Set up your email server to relay mail to the internet via Microsoft 365 or Office 365

"},{"location":"Diagnostics/HealthChecker/CredentialGuardCheck/","title":"Credential Guard Check","text":"

Description:

In this check we validate, weather Credential Guard was activated or not. Credential Guard is not supported on an Exchange Server. This can cause a performance hit on the server.

Included in HTML Report?

Yes

Additional resources:

Manage Windows Defender Credential Guard

"},{"location":"Diagnostics/HealthChecker/DownloadDomainCheck/","title":"Download Domain Check","text":"

Description:

In this check we validate if the Download Domain feature was configured or not. This feature was introduced to address CVE-2021-1730.

If the feature is enabled, we validate if the URL configured to download attachments, is not set to the same as the internal or external Outlook Web App (OWA) url.

CVE-2021-1730 will not be addressed if the url configured to be used by the Download Domain feature points to the same url(s) which is/are used by OWA.

The Download Domain feature is available on Microsoft Exchange Server 2016 and Microsoft Exchange Server 2019.

More details and configuration instructions can be found in the Microsoft Learn article, that is linked in the additional resource section.

Included in HTML Report?

Yes

Additional resources:

Configure Download Domains in Exchange Server

"},{"location":"Diagnostics/HealthChecker/EEMSCheck/","title":"Exchange Emergency Mitigation Service Check","text":"

Description:

The Exchange Emergency Mitigation Server also known as EEMS or EM was introduced with the Exchange Server 2019 Cumulative Update 11 and Exchange Server 2016 Cumulative Update 22.

The Exchange Emergency Mitigation service helps to keep your Exchange Servers secure by applying mitigations to address any potential threats against your servers. It uses the cloud-based Office Config Service (OCS) to check for and download available mitigations and to send diagnostic data to Microsoft.

The EM service runs as a Windows service on an Exchange Mailbox server. The EM service will be installed automatically on servers with the Mailbox role. The EM service will not be installed on Edge Transport servers.

The use of the EM service is optional. If you do not want Microsoft to automatically apply mitigations to your Exchange servers, you can disable the feature.

This check performs the following testings to highlight the configuration state of the EEMS:

  • Configuration Check

    • Shows if the EEMS is enabled or not on Organizational level
    • Shows if the EEMS is enabled or not on Server level

  • Windows Service Check

    • MSExchangeMitigation Windows service startup type should be: Automatic
    • MSExchangeMitigation Windows service status should be: Running

  • Pattern Service Check

    • We validate if we can reach the OCS which is used to serve the latest mitigations
    • OCS Mitigation Service url: https://officeclient.microsoft.com/GetExchangeMitigations

  • Mitigations Check

    • Shows which mitigations are currently being applied
    • Shows which mitigations are currently being blocked

  • Diagnostic Data Check

    • Shows if the service is configured to provide diagnostic data to Microsoft or not

Included in HTML Report?

Yes

Additional resources:

New security feature in September 2021 Cumulative Update for Exchange Server

Released: September 2021 Quarterly Exchange Updates

Addressing Your Feedback on the Exchange Emergency Mitigation Service

Exchange Emergency Mitigation (EM) service

Mitigations Cloud endpoint is not reachable

"},{"location":"Diagnostics/HealthChecker/ExchangeComputerMembership/","title":"Exchange Server Computer Membership","text":""},{"location":"Diagnostics/HealthChecker/ExchangeComputerMembership/#description","title":"Description:","text":"

Checks for the computer object to be members of the Exchange Trusted Subsystem and Exchange Servers security groups by default. It will also make sure the default local system account has the Exchange Trusted Subsystem a member of it as well in order to have the correct access to local system files.

This check is done by using the ADModule with using the cmdlets Get-LocalGroupMember -SID \"S-1-5-32-544\" and running Get-ADPrincipalGroupMembership (Get-ADComputer $env:COMPUTERNAME).DistinguishedName

If an issue is detected, the group will display with where the problem is located. Either Local System Membership if the group isn't part of the local system account or AD Group Membership if the computer object isn't a member of the group provided.

Included in HTML Report?

Yes

"},{"location":"Diagnostics/HealthChecker/ExchangeServerMaintenanceCheck/","title":"Exchange Server Maintenance Check","text":"

Description:

We validate the Maintenance State for the Exchange server. We run the following checks:

  • We query the server component state by running Get-ServerComponentState
  • We query cluster node information by running Get-ClusterNode
  • We then check for each component if Component.State is not Active
  • If this is the case, we query the Component.LocalStates and Component.RemoteStates
  • We validate if both states LocalStates & RemoteStates are the same
  • We add the information, if LocalStates & RemoteStates are different

We show a green information Server is not in Maintenance Mode if the server is not in maintenance mode.

We display a yellow warning Exchange Server Maintenance if components in maintenance state are detected. We also show additional information about the Database Copy Maintenance and Cluster Node state.

Included in HTML Report?

Yes

Additional resources:

Determine the requestor that changed Server component state

"},{"location":"Diagnostics/HealthChecker/ExoConnectorCheck/","title":"Exchange Online Connector Check","text":"

This is a simple check that can be performed from the Exchange On Prem side to quickly determine if the EXO connector is misconfigured. This does not completely determine if the connector is misconfigured, as Health Checker script is not designed to connect to Exchange Online to properly determine if everything is correctly configured for the way you want your mail flow to work.

A Send Connector is determined to be destined for Exchange Online if one of the following is true:

  • SmartHost endpoint has a *.mail.protection.outlook.com
  • AddressSpaces address has a *.mail.onmicrosoft.com

For those connectors, we then determine a misconfiguration if one of the following is true:

  • TLSCertificateName is not set
  • CloudServicesMailEnabled is not set to true

These are now being flagged as an issue due to some recent changes within Exchange Online.

Some additional configuration concerns are also warned about if one of the following is true:

  • TLSAuthLevel is not set to CertificateValidation or DomainValidation
  • TLSDomain is not set to mail.protection.outlook.com if TLSAuthLevel is set to DomainValidation
"},{"location":"Diagnostics/HealthChecker/ExoConnectorCheck/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/ExoConnectorCheck/#additional-resources","title":"Additional resources","text":"

Set up connectors to route mail between Microsoft 365 or Office 365 and your own email servers

Updated Requirements for SMTP Relay through Exchange Online

"},{"location":"Diagnostics/HealthChecker/FIPFSCheck/","title":"FIP-FS Check","text":"

Description:

We have addressed the issue causing messages to be stuck in transport queues of on-premises Exchange Server 2016 and Exchange Server 2019. The problem relates to a date check failure with the change of the new year and it not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue.

The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues.

This check validates if the problematic signature file has already downloaded and processed. It shows a red warning indicating that the FIP-FS scan engine should be reset to avoid running into the transport or pattern update issue.

  • Exchange 2013 is not affected by the transport queue issue, however, if invalid patterns has been applied, no newer update pattern with a lower version number (like 2112330001) will be applied.
  • We check if a folder with number 2201010000 or greater exists under ExchangeInstallPath\\FIP-FS\\Data\\Engines\\amd64\\Microsoft\\Bin.

  • We also check if the server runs a fixed Exchange build (March 2022 Security Update or higher) that does not crash when the problematic version is used.

  • If we detect the problematic version folder and the server doesn't run a fixed build, we recommend to reset the scan engine version (see Email Stuck in Exchange On-premises Transport Queues in the \"Additional resources\" section).

  • If we detect the problematic version folder but the server runs a fixed build, it should be safe to delete the folder without performing a scan engine reset. If the directory cannot be deleted, it means that the problematic version is in use. This is a problem because in this case, no new scan engine version will be applied. In this case, a reset of the scan engine must be performed.

Please follow the instructions in the references below to reset the scan engine.

Included in HTML Report?

Yes

Additional resources:

Email Stuck in Exchange On-premises Transport Queues

"},{"location":"Diagnostics/HealthChecker/GeneralHardwareInformation/","title":"General Hardware Information","text":"

Description:

We show some general information about the Processor/Hardware of the Exchange server against which the script was executed.

Hardware Type:

  • VMWare
  • AmazonEC2
  • HyperV
  • Physical
  • Unknown

We additionally show the following information, if HardwareType is Physical or AmazonEC2: - Manufacturer - Model - Processor

Number of Processors:

  • We show an note if ServerType is VMWare [1]
  • We show an error if we have more than 2 Processors installed

Number of Physical/Logical Cores:

  • We show a warning if we have more than 24 Physical Cores and running Exchange 2013/2016 [2]
  • We show a warning if we have more than 48 Physical Cores and running Exchange 2019 [2]

Hyper-Threading:

We show if Hyper-Threading is enabled or not.

NUMA BIOS Check:

We check to see if we can properly see all cores on the server. [3], [4]

Max Processor Speed:

We return the MaxMegacyclesPerCore. This is the max speed that we can get out of the cores. We also check if the processor is throttled which may be a result of a misconfigured Power Plan.

Physical Memory:

We validate if the amount of installed memory meets our specifications. [5]

Included in HTML Report?

Yes

Additional resources:

1 - Does CoresPerSocket Affect Performance?

2 - Commodity servers

3 - CUSTOMER ADVISORY c04650594

4 - Exchange performance:HP NUMA BIOS settings

5 - Exchange 2013 Sizing

5 - Hardware requirements for Exchange 2016

5 - Hardware requirements for Exchange 2019

"},{"location":"Diagnostics/HealthChecker/HyperThreadingCheck/","title":"Hyper-Threading Check","text":"

Description:

We validate if Hyper-Threading is enabled or not. We do this by checking if LogicalCores is greater than PhysicalCores which means that Hyper-Threading is enabled. We show a red error and recommend turning off Hyper-Threading.

Included in HTML Report?

Yes

Additional resources:

Exchange 2013 Sizing and Configuration Recommendations - Processing

"},{"location":"Diagnostics/HealthChecker/IISInformation/","title":"Exchange IIS Information","text":""},{"location":"Diagnostics/HealthChecker/IISInformation/#description","title":"Description","text":"

We show some general information about your Exchange Server from the IIS perspective. This goes into detail to make sure that Sites and App Pools are started, which might not be easy to spot at a quick look a the server. It will also call out some common misconfiguration issues, that will cause problems with client connectivity.

"},{"location":"Diagnostics/HealthChecker/IISInformation/#sites","title":"Sites","text":"

This provides the sites that we found and the following information:

  • State (Started or Stopped)
  • HSTS Enabled (Only supported on Default Web Site)
  • Protocol - Binding - Certificate ( Which protocol is binding to which port and with what certificate if any)

NOTE: HSTS if enabled on the Back End will call out an issue.

"},{"location":"Diagnostics/HealthChecker/IISInformation/#app-pools","title":"App Pools","text":"

This provides the application pools on the server with the following information:

  • State (Started or Stopped)
  • GCServerEnabled (Garbage Collection Server Enabled - Depends on the RAM on the server if this should be enabled or not on the server. If it should be, Health Checker should call it out.)
  • RestartConditionSet ( If there is an IIS setting that will automatically restart the App Pool. This is not recommended and will cause issues with client connectivity )
"},{"location":"Diagnostics/HealthChecker/IISInformation/#virtual-directory-locations","title":"Virtual Directory Locations","text":"

This provides the different locations that you use for different connection endpoints with the following information:

  • Extended Protection ( The current value )
  • Ssl Flags ( If enabled and/or Cert based )
  • IP Filtering Enabled ( If any IP filtering is enabled )
  • URL Rewrite ( Names of each rule applied at the location )
  • Authentication ( Provides each type of authentication that is enabled for the location. If anonymous default setting will be provided if that is enabled Out of the Box on the server )

NOTE: For each of the URL Rewrite rules, we will display additional information about the rule to let you know what it is doing. It is also recommended to remove any mitigation rules that you might have applied if you have the security fix installed on the server.

"},{"location":"Diagnostics/HealthChecker/IISInformation/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/IISWebConfigCheck/","title":"IIS Web Configuration Check","text":"

Description:

After a CU or an SU install, sometimes there can be issues with the web.config or the SharedWebConfig.config file that causes issues with the virtual directories from working properly. Most of these issues are from SU installs where they are installed from double clicking on the msi file. This prevents the process from starting as administrator and can cause multiple issues.

This check detects to make sure all the default web.config and SharedWebConfig.config files exist and if they have any default variable values still set within it - %ExchangeInstallDir%.

If Default Variable Detected file is found, open up that file and replace the %ExchangeInstallDir% with the Exchange Install path from (Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\ExchangeServer\\v15\\Setup).MsiInstallPath

Included in HTML Report?

Yes, if issue detected

"},{"location":"Diagnostics/HealthChecker/IPv6EnabledCheck/","title":"IPv6 Enabled Check","text":"

Description:

We check if IPv6 is enabled or not. If we determine that IPv6 has been disabled, we check to see if it's fully disabled as recommended. We determine if the IPv6 is fully disabled by checking to see if we have an IPv6 Address available on the NIC and that it matches what is found in the registry at SYSTEM\\CurrentControlSet\\Services\\TcpIp6\\Parameters\\DisabledComponents.

If both places don't have IPv6 enabled/disabled properly a warning is thrown. This can cause communication issues if not properly disabled.

Included in HTML Report?

Yes

Additional resources:

Disabling IPv6 And Exchange \u2013 Going All The Way

Guidance for configuring IPv6 in Windows for advanced users

"},{"location":"Diagnostics/HealthChecker/InternalTransportCertificateCheck/","title":"Internal Transport Certificate","text":""},{"location":"Diagnostics/HealthChecker/InternalTransportCertificateCheck/#description","title":"Description","text":"

The Internal Transport Certificate in Exchange Server is used in Exchange Server Front-End to Back-End MailFlow scenarios as well as in scenarios in which the Exchange Servers communicate with each other, using the SMTP (Simple Mail Transfer Protocol) protocol. It is generated on a per-server base during the Exchange Server setup process and contains the computers NetBIOS (Network Basic Input/Output System) name as well as the FQDN (Fully Qualified Domain Name).

A missing Internal Transport Certificate can lead to a broken MailFlow on or with the affected machine. It's therefore essential to have a valid certificate for this purpose on the machine. We recommend to not replace the self-signed certificate which was created by Exchange itself.

"},{"location":"Diagnostics/HealthChecker/InternalTransportCertificateCheck/#what-does-the-check-do","title":"What does the check do?","text":"

The check queries the certificate which is marked as Internal Transport Certificate on the server against which the script is currently running. The script will throw a warning if the certificate cannot be found on the machine. It must then be recreated by the Exchange Server administrator and set as new Internal Transport Certificate.

"},{"location":"Diagnostics/HealthChecker/InternalTransportCertificateCheck/#how-to-create-a-new-internal-transport-certificate","title":"How to create a new Internal Transport Certificate?","text":"

You can run the following PowerShell code from an elevated Exchange Management Shell (EMS). It will generate a new Internal Transport Certificate which replaces the existing one on the machine where the command was executed.

$newInternalTransportCertificateParams = @{\n    Server               = $env:COMPUTERNAME\n    KeySize              = 2048\n    PrivateKeyExportable = $true\n    FriendlyName         = $env:COMPUTERNAME\n    DomainName           = $env:COMPUTERNAME\n    IncludeServerFQDN    = $true\n    Services             = \"SMTP\"\n    Force                = $true\n    ErrorAction          = \"Stop\"\n}\n\nNew-ExchangeCertificate @newInternalTransportCertificateParams\n
"},{"location":"Diagnostics/HealthChecker/InternalTransportCertificateCheck/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/InternalTransportCertificateCheck/#additional-resources","title":"Additional resources","text":"

N/A

"},{"location":"Diagnostics/HealthChecker/LMCompatibilityLevelInformationCheck/","title":"LM Compatibility Level Information Check","text":"

LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept.

Included in HTML Report?

Yes

Additional resources:

Network security: LAN Manager authentication level

"},{"location":"Diagnostics/HealthChecker/MAPIFrontEndAppPoolGCModeCheck/","title":"MAPI Front End App Pool GC Mode Check","text":"

Description:

We validate the Garbage Collection (GC) configuration for MSExchangeMapiFrontEndAppPool App Pool if the check is executed against an Exchange 2013 server that is not running the EdgeTransport role.

We check if:

  • The server has a total memory of 21474836480 MB and gcServer.Enabled set to false\\ In this case we recommend to enable Server GC.

  • gcServer.Enabled is neither true nor false\\ This case should be investigated.

  • gcServer.Enabled is false In this case we're running Workstation GC.\\ You could be seeing some GC issues within the MSExchangeMapiFrontEndAppPool App Pool. However, you don't have enough memory installed on the system to recommend switching the GC mode by default without consulting a support professional.

How to fix this:

  1. Go into the file MSExchangeMapiFrontEndAppPool_CLRConfig.config\\ You can find the file by running %winDir%\\system32\\inetSrv\\AppCmd.exe list AppPool \"MSExchangeMapiFrontEndAppPool\" /text:\"CLRConfigFile\" via cmd.exe\\ It should be located here: %ExchangeInstallPath%\\bin\\MSExchangeMapiFrontEndAppPool_CLRConfig.config
  2. Open the file by using an elevated notepad.exe and change the gcServer Enabled value from false to true
  3. Recycle the MAPI Front End App Pool by running: Restart-WebAppPool MSExchangeMapiFrontEndAppPool via PowerShell or by running:\\ %winDir%\\system32\\inetSrv\\AppCmd.exe RECYCLE AppPool \"MSExchangeMapiFrontEndAppPool\" via cmd.exe

Included in HTML Report?

Yes

Additional resources:

Fundamentals of garbage collection

Workstation and server garbage collection

"},{"location":"Diagnostics/HealthChecker/May22SU/","title":"May 2022 Security Update","text":"

In order to protect against CVE-2022-21978 within your environment /PrepareDomain must be run against each domain that contains the MESO container within it.

Health Checker will query all the domains in the environment to see if it has a MESO container. If it does, it checks for a particular ACE or version number of the MESO container to see if we are secure. If we don't pass this check, it will provide what domains you need to run /PrepareDomain against.

In order to protect your environment from CVE-2022-21978, you must install the May 2022 SU or a newer SU/CU that contains this security fix. All SUs and CUs after May 2022 contain this fix. After you have installed this security fix, you must run /PrepareDomain or /PrepareAllDomains from the Exchange bin directory.

Included in HTML Report?

Yes

Additional resources:

Exchange Team Blog - May SU 2022

"},{"location":"Diagnostics/HealthChecker/NETFrameworkSupportabilityCheck/","title":".NET Framework Supportability Check","text":"

Description:

We check if the Exchange server is running a supported .NET Framework version. We do this based on the information provided by PG on Microsoft Docs (.NET Supportability Matrix).

Included in HTML Report?

Yes

Additional resources:

Microsoft .NET Framework Supportability Matrix

"},{"location":"Diagnostics/HealthChecker/NodeRunnerMemoryLimitCheck/","title":"Noderunner.exe Memory Limit Check","text":""},{"location":"Diagnostics/HealthChecker/NodeRunnerMemoryLimitCheck/#description","title":"Description","text":"

This check is looking at the <ExchangeInstallPath>\\Bin\\Search\\Ceres\\Runtime\\1.0\\noderunner.exe.config to look at the memoryLimitMegabytes value. This value should be set to 0 for the best performance. By having it set to 0, we do not limit the noderunner.exe processes. However, in some scenarios you might want to recommend to limit the process memory consumption to prevent server impact. If you do this, it is only recommended as a temporary fix.

"},{"location":"Diagnostics/HealthChecker/NodeRunnerMemoryLimitCheck/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/NodeRunnerMemoryLimitCheck/#additional-resources","title":"Additional Resources","text":"

Users can't receive email messages or connect to their mailbox

"},{"location":"Diagnostics/HealthChecker/NumaBiosCheck/","title":"NUMA BIOS / All Processor Cores Visible Check","text":"

Description:

Check to see if the OS is able to see all the processor cores on the server. What normally happens is the OS is able to see 1 processor socket presented (aka half the number of cores)

This can become a major problem on a server if you do not see all the processor cores for a few reasons.

  • Logic is built into the Exchange Code to handle user workload management is based of the how much CPU the user is using or the process itself. When we aren't able to see all the cores on the system, the process can consume a higher amount than what logic dictates. We base this logic off of the number of cores presented to the OS by [System.Environment]::ProcessorCount. Because the underlying hardware has full access to all the processor cores, the process can go above what Exchange calculated out to set the threshold to be at and then throttling can occur.

  • Sometimes the underlying setting isn't able to keep up and doesn't distribute the load between both the processor sockets, thus causing an issue because the application just lost half of its resources. You can see this occur when you look at the performance counter \"\\Processor Information(0,_Total)\\% Processor Time\" and \"\\Processor Information(1,_Total)\\% Processor Time\" as each one sees their own socket. One will go up while the other goes down. This might only happen for a few seconds, but there are health checks on the server that can be triggered to cause additional issues that will spiral the server.

Included in HTML Report?

Yes

Additional resources:

CUSTOMER ADVISORY c04650594

Exchange performance:HP NUMA BIOS settings

Exchange 2016 users unable to edit Distribution Group membership using Outlook

"},{"location":"Diagnostics/HealthChecker/OpenRelayDomain/","title":"Open Relay Domain","text":"

Description:

We show a warning if we weren't able to run Get-AcceptedDomain and provide an unknown status. If we determine that an Open Relay Domain is set on the environment, we will throw an error in the results and provide which accepted domain ID is set with this. It is recommended to have an anonymous relay and scope down the receive connector for who can use it. Otherwise, you are allowing anybody to use your environment to send mail anywhere.

NOTE: After installing the September 2021 CUs for Exchange 2016/2019, you can see crashes occur on your system for the transport services that look like this:

Log Name:      Application\nSource:        MSExchange Common\nDate:          12/3/2021 12:40:35 PM\nEvent ID:      4999\nTask Category: General\nLevel:         Error\nKeywords:      Classic\nUser:          N/A\nComputer:      Contoso-E19A.Contoso.com\nDescription:\nWatson report about to be sent for process id: 10072, with parameters: E12IIS, c-RTL-AMD64, 15.02.0986.005, MSExchangeDelivery, M.Exchange.Transport, M.E.T.AcceptedDomainTable..ctor, System.FormatException, 28d7-DumpTidSet, 15.02.0986.005.\nErrorReportingEnabled: False\n

This is caused by having an Internal Relay with an Accepted Domain of *. This is not a recommended configuration.

Included in HTML Report?

Yes

Additional resources:

Allow anonymous relay on Exchange servers

"},{"location":"Diagnostics/HealthChecker/PacketsLossCheck/","title":"Packets Loss Check","text":"

Description:

We check if there are any PacketsReceivedDiscarded logged for the NIC. Large package loss can cause a performance impact on a system and should be investigated and fixed.

  • Good: PacketsReceivedDiscarded is 0
  • Warning: PacketsReceivedDiscarded lower than 1000
  • Error: PacketsReceivedDiscarded greater than 1000

NOTE: This counter is accumulation from reboot, or if the NIC setting was changed, so the counter can be stale for some time. However, even though you might not be actively dropping packets, the counter should be at 0 in a healthy environment.

Included in HTML Report?

Yes

Additional Information

Large packet loss in the guest OS using VMXNET3 in ESXi (2039495)

Disable \"adaptive rx ring sizing\" to avoid random interface reset (78343)

"},{"location":"Diagnostics/HealthChecker/PagefileSizeCheck/","title":"Pagefile Size Check","text":"

Description:

We check if the Pagefile is configured as recommended and that there is only 1 PageFile configured (multiple PageFiles can cause performance issues on Exchange server).

"},{"location":"Diagnostics/HealthChecker/PagefileSizeCheck/#exchange-2019","title":"Exchange 2019","text":"
  • Set the paging file minimum and maximum value to the same size: 25% of installed memory
"},{"location":"Diagnostics/HealthChecker/PagefileSizeCheck/#exchange-20132016","title":"Exchange 2013/2016","text":"

Set the paging file minimum and maximum value to the same size:

  • Less than 32 GB of RAM installed: Physical RAM plus 10MB, up to a maximum value of 32GB (32,778MB)

  • 32 GB of RAM or more installed: 32GB

"},{"location":"Diagnostics/HealthChecker/PagefileSizeCheck/#how-to-set-the-pagefile-to-a-static-value","title":"How to set the pagefile to a static value?","text":"

You can set the pagefile to a static size via wmic whereas InitialSize and MaximumSize is the size in megabytes calculated based on the Exchange Server version and memory installed in the server:

wmic ComputerSystem set AutomaticManagedPagefile=False\nwmic PageFileSet set InitialSize=1024,MaximumSize=1024\n

Included in HTML Report?

Yes

Additional resources:

PageFile requirements for Exchange 2019

PageFile requirements for Exchange 2016

PageFile requirements for Exchange 2013

"},{"location":"Diagnostics/HealthChecker/ProcessorCheck/","title":"Number Of Processors","text":"

Description:

Number of Processors is the number of processor sockets detected on the server. It is only recommended to have up to 2 processors on the server. [3]

An additional note is displayed if Type is set to VMware and greater than 2 processors. [1]

"},{"location":"Diagnostics/HealthChecker/ProcessorCheck/#how-this-is-checked","title":"How This Is Checked","text":"
([array](Get-WmiObject -Class Win32_Processor)).count\n
"},{"location":"Diagnostics/HealthChecker/ProcessorCheck/#number-of-logical-and-physical-cores","title":"Number Of Logical and Physical Cores","text":"

Show the number of Physical and Logical cores presented to the OS. This is provided by the WmiObject class Win32_Processor.

  • We show a warning if we have more than 24 Logical Cores and running Exchange 2013/2016 [2]
  • We show a warning if we have more than 48 Logical Cores and running Exchange 2019 [2]
"},{"location":"Diagnostics/HealthChecker/ProcessorCheck/#how-this-is-checked_1","title":"How This Is Checked","text":"
$processor = Get-WmiObject -Class Win32_Processor\n$processor |ForEach-Object {$logical += $_.NumberOfLogicalProcessors; $physical += $_.NumberOfCores}\nPS C:\\> $logical\n24\nPS C:\\> $physical\n12\n
"},{"location":"Diagnostics/HealthChecker/ProcessorCheck/#max-processor-speed","title":"Max Processor Speed","text":"

Check to see what the Max Processor Speed is set to for the processor. If the processor is throttled which may be a result of a misconfigured Power Plan.

NOTE: If Power Plan isn't set to High Performance and the processor is being throttled, this will be flagged that Power Plan is the cause and to fix it ASAP.

"},{"location":"Diagnostics/HealthChecker/ProcessorCheck/#how-this-is-checked_2","title":"How This Is Checked","text":"
$processor = Get-WmiObject -Class Win32_Processor\n$throttled = $processor | Where-Object {$_.CurrentClockSpeed -lt $_.MaxClockSpeed}\n\nif ($throttled) {\n    Write-Host (\"Throttling your CPU\")\n}\n

Included in HTML Report?

Yes

Additional resources:

1 - Does CoresPerSocket Affect Performance?

2 - Commodity servers

3 - Hardware requirements for Exchange 2019

Exchange 2013 Sizing

Hardware requirements for Exchange 2016

"},{"location":"Diagnostics/HealthChecker/RPCMinConnectionTimeoutCheck/","title":"RPC Minimum Connection Timeout Check","text":"

Description:

By default, Outlook Anywhere opens two default connections to the Exchange CAS called RPC_InData and RPC_OutData. The Outlook Anywhere client to server used a default timeout of 12 minutes (720 seconds) of inactivity and the server to the client timeout is 15 minutes (900 seconds).

These default Keep-Alive intervals are not aggressive enough for some of today's home networking devices and/or aggressive network devices on the Internet. Some of those devices are dropping TCP connections after as little as 5 minutes (300 seconds) of inactivity. When one or both of the two default connections are dropped, the connection to the Exchange server is essentially broken and not useable.

Included in HTML Report?

Yes

Additional resources:

Outlook Anywhere Network Timeout Issue

"},{"location":"Diagnostics/HealthChecker/RSSEnabledCheck/","title":"RSS Enabled Check","text":"

Description:

We check on Windows 2012 R2 or newer whether RSS (if it's supported from the NIC) is enabled or not. This is collected by the Get-NetAdapterRss cmdlet. We show a warning if it's supported on NIC-side but disabled.

The Get-NetAdapterRss cmdlet gets receive side scaling (RSS) properties of the network adapters that support RSS. RSS is a scalability technology that distributes the receive network traffic among multiple processors by hashing the header of the incoming packet and using an indirection table. Without RSS in Windows Server\u00ae 2012 and later, network traffic is received on the first processor which can quickly reach full utilization limiting receive network throughput. Various properties can be configured to optimize the performance of RSS.

Included in HTML Report?

Yes

Additional resources:

Introduction to Receive Side Scaling

"},{"location":"Diagnostics/HealthChecker/RebootPending/","title":"Reboot Pending","text":"

Description:

We show a warning if we detect an outstanding pending reboot. We also display the type of pending reboot. We differentiate between:

  • PendingFileRenameOperations
  • SccmReboot
  • SccmRebootPending
  • ComponentBasedServicingRebootPending
  • AutoUpdatePendingReboot
  • UpdateExeVolatile\\Flags

It is best to reboot the server to address these issues. It may take some time after a reboot to have the keys automatically removed. However, if they don't remove automatically, follow these steps to address the issue for the keys that were provided to be a problem.

  • Open regedit to the desired location. Delete the key.
  • If unable to delete the key, follow these steps:
    • Right click on it
    • Open permissions
    • Click on Advanced
    • Change ownership to your account
    • Close Advanced window
    • Give your account Full Control in Permissions window
    • Delete the key

NOTE: With Component Based Servicing\\RebootPending you need to do the same for Component Based Servicing\\PackagesPending prior to RebootPending

NOTE: Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

Included in HTML Report?

Yes

Additional resources:

Determine Pending Reboot Status\u2014PowerShell Style! Part 1

Determine Pending Reboot Status\u2014PowerShell Style! Part 2

"},{"location":"Diagnostics/HealthChecker/RunHCViaSchedTask/","title":"How to run the Exchange Health Checker via Scheduled Task","text":"

Description:

You can run the Exchange Health Checker script by the help of a Scheduled Task on a daily, weekly or monthly base.

This article describes some of the ways how to run the script as task and how to create those tasks.

Note: We assume that the script is stored under C:\\Scripts\\HealthChecker. Please make sure to adjust the path if you use a different one in your environment.

  1. The first thing to do is to create a service account which is used to run the script. It is recommended to use a strong password which will be changed regularly. It's also recommended to add the user to the View-Only Organization Management instead of Organization Management. This should be sufficient for the script to run.

Note: Using View-Only Organization Management instead of Organization Management requires you to add the account to the local Administrators group on each server. This can be achieved by creating a dedicated Security Group which is then added to the Administrators group on each Exchange server (manually or via Group Policy).

  1. Now it's time to create the Scheduled Task. This can be done by the help of PowerShell:

We need to create multiple objects and finally combining them to the Scheduled Task. We need a trigger, settings, action and task object.

  • Create a trigger that defines when the script should be executed:

    • (Example) Daily at 3 AM:
      • $hcTrigger = New-ScheduledTaskTrigger -Daily -At 3am
    • (Example) Every four weeks on Monday at 3 AM:
      • $hcTrigger = New-ScheduledTaskTrigger -Weekly -WeeksInterval 4 -DaysOfWeek Monday -At 3am

  • Create a Scheduled Task setting object:

    • (Example) Create a Scheduled Task settings object using the default settings:
      • $hcSettings = New-ScheduledTaskSettingsSet
    • (Example) Create a Scheduled Task settings object and define RestartCount and RestartInterval:
      • $hcSettings = New-ScheduledTaskSettingsSet -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 60)

  • Define the actions to be executed via Scheduled Task:

    • (Example) Update the HealthChecker script, execute the script against the local server and generate the HTML report:
      • $hcAction = New-ScheduledTaskAction -Execute 'powershell.exe' -WorkingDirectory \"C:\\Scripts\\HealthChecker\\\" -Argument '-NonInteractive -NoLogo -NoProfile -Command \".\\HealthChecker.ps1 -ScriptUpdateOnly; .\\HealthChecker.ps1; .\\HealthChecker.ps1 -BuildHtmlServersReport\"'
    • (Example) Run the HealthChecker script against a remote Exchange server (named ExchSrv01 in this example):
      • $hcAction = New-ScheduledTaskAction -Execute 'powershell.exe' -WorkingDirectory \"C:\\Scripts\\HealthChecker\\\" -Argument '-NonInteractive -NoLogo -NoProfile -Command \".\\HealthChecker.ps1 -ScriptUpdateOnly; .\\HealthChecker.ps1 -Server ExchSrv01; .\\HealthChecker.ps1 -BuildHtmlServersReport\"'

  • Create the Scheduled Task object using the pre-defined action, trigger and settings objects:

    • $hcTask = New-ScheduledTask -Action $hcAction -Trigger $hcTrigger -Settings $hcSettings

  • Create the Scheduled Task:

    • Register-ScheduledTask -TaskName 'HealthChecker Daily Run' -InputObject $hcTask -User (Read-Host \"Please enter username in format (Domain\\Username)\") -Password (Read-Host \"Please enter password\")

Additional resources:

New-ScheduledTaskTrigger

New-ScheduledTaskSettingsSet

New-ScheduledTaskAction

New-ScheduledTask

Register-ScheduledTask

"},{"location":"Diagnostics/HealthChecker/SMBv1Check/","title":"SMBv1 Check","text":"

To make sure that your Exchange organization is better protected against the latest threats (for example Emotet, TrickBot or WannaCry to name a few) we recommend disabling SMBv1 if it's enabled on your Exchange (2013/2016/2019) server.

There is no need to run the nearly 30-year-old SMBv1 protocol when Exchange 2013/2016/2019 is installed on your system. SMBv1 isn't safe and you lose key protections offered by later SMB protocol versions.

This check verifies that SMBv1 is not installed (if OS allows) and that its activation is blocked.

Included in HTML Report?

Yes

Additional resources:

Exchange Server and SMBv1

"},{"location":"Diagnostics/HealthChecker/SerializedDataSigningCheck/","title":"PowerShell Serialization Payload Signing","text":""},{"location":"Diagnostics/HealthChecker/SerializedDataSigningCheck/#description","title":"Description","text":"

Certificate-based signing of PowerShell Serialization Payload is a defense-in-depth security feature to prevent malicious manipulation of serialized data exchanged in Exchange Management Shell (EMS) sessions.

The Serialized Data Signing feature was introduced with the January 2023 Exchange Server Security Update (SU). It's available on Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 and enabled by default with the November 2023 Security Update.

The HealthChecker check validates that the feature is enabled on supported Exchange builds.

Documentation Moved

This documentation has been moved to Microsoft Learn. Please read Configure certificate signing of PowerShell serialization payloads in Exchange Server for more information.

"},{"location":"Diagnostics/HealthChecker/SerializedDataSigningCheck/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/SerializedDataSigningCheck/#additional-resources","title":"Additional resources","text":"

Released: January 2023 Exchange Server Security Updates

Released: November 2023 Exchange Server Security Updates

MonitorExchangeAuthCertificate.ps1 script

"},{"location":"Diagnostics/HealthChecker/SettingOverridesCheck/","title":"Setting Overrides","text":""},{"location":"Diagnostics/HealthChecker/SettingOverridesCheck/#description","title":"Description","text":"

Setting Overrides can be configured via New-SettingOverride cmdlet and in certain cases with the help of registry values. They can be created to change default values for common Exchange services and features (e.g., the default run cycle of the Managed Folder Assistant).

Sometimes they are used to enable new features like the recently introduced Serialized Data Signing for PowerShell payload.

In very rare cases, Microsoft recommends to disable a feature or component by the help of an override (e.g., EWS web application pool stops after the February 2023 Security Update is installed) to work around known issues.

HealthChecker checks for known overrides which should be removed as a solution for to a particular problem is available.

Important

Incorrect usage of the setting override cmdlets can cause serious damage to your Exchange organization. This damage could require you to reinstall Exchange. Only use these cmdlets as instructed by product documentation or under the direction of Microsoft Customer Service and Support.

"},{"location":"Diagnostics/HealthChecker/SettingOverridesCheck/#setting-overrides_1","title":"Setting Overrides","text":"Feature Exchange Version(s) Controlled via Recommended setting BaseTypeCheckForDeserialization 2013, 2016, 2019 Registry Value Disabled

Enable: 

New-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\ExchangeServer\\v15\\Diagnostics -Name \"DisableBaseTypeCheckForDeserialization\" -Value 1 -Type String\n

Disable: 

Remove-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\ExchangeServer\\v15\\Diagnostics -Name \"DisableBaseTypeCheckForDeserialization\"\n

Feature Exchange Version(s) Controlled via Recommended setting Strict Mode for ClientExtensionCollectionFormatter 2016, 2019 New-SettingOverride Enabled

Enable: 

Get-SettingOverride | Where-Object {$_.ComponentName -eq \"Data\" -and $_.SectionName -eq \"DeserializationBinderSettings\" -and $_.Parameters -eq \"LearningLocations=ClientExtensionCollectionFormatter\"} | Remove-SettingOverride\n

Disable: 

New-SettingOverride -Name \"Adding learning location ClientExtensionCollectionFormatter\" -Component Data -Section DeserializationBinderSettings -Parameters @(\"LearningLocations=ClientExtensionCollectionFormatter\") -Reason \"Deserialization failed\"\n

"},{"location":"Diagnostics/HealthChecker/SettingOverridesCheck/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/SettingOverridesCheck/#additional-resources","title":"Additional resources","text":"

New-SettingOverride

Remove-SettingOverride

"},{"location":"Diagnostics/HealthChecker/SleepyNICCheck/","title":"Sleepy NIC Check","text":"

Description:

We validate the NIC power saving options. It's recommended to disable NIC power saving options as this may cause packet loss.

To detect the NIC power saving options, we're probing the sub keys under: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002bE10318}

We then check if the PnPCapabilities REG_DWORD exists and if it does, we're validating its value. If it's 24 or 280, NIC power saving is disabled as we recommend it.

We skip this check for Multiplexor NIC adapters and in case that the host system is Hyper-V (because we're assuming that we don't support NIC power saving options on this platform).

NOTE: If the REG_DWORD doesn't exists, we're assuming that NIC power saving is not disabled or configured and show a warning.

Included in HTML Report?

Yes

Additional resources:

Information about power management setting on a network adapter

"},{"location":"Diagnostics/HealthChecker/TCPIPSettingsCheck/","title":"TCP/IP Settings Check","text":"

Description:

We validate if a KeepAliveTime DWORD value exists under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\TcpIp\\Parameters and verify that it is set to a recommended value.

Exchange TCP KeepAliveTime registry entry should be set to a decimal value between 900000 and 1800000 (15 to 30 minutes in milliseconds). If there's no entry in the registry for KeepAliveTime then the default value is 2 hours.

This value, if not set correctly, can affect both connectivity and performance. You must make sure that the load balancer and any other devices in the path from client to Exchange are configured correctly.

The goal is to set Exchange with the lowest value so that client sessions, when ended, are ended by Exchange and not by the device.

Example:

Client -> Firewall (1 hour) -> NLB (40 minutes) -> Exchange Servers (20 Minutes)

Included in HTML Report?

Yes

Additional resources:

Checklist for Troubleshooting Performance Related issues in Exchange 2013, 2016 and 2019 (on-prem)

"},{"location":"Diagnostics/HealthChecker/TLSConfigurationCheck/","title":"TLS Configuration Check","text":"

We check and validate Exchange servers TLS 1.0 - 1.3 configuration. We can detect mismatches in TLS versions for client and server. This is important because Exchange can be both a client and a server.

We will also show a yellow warning, if TLS 1.0 and/or TLS 1.1 is enabled. Microsoft's TLS 1.0 implementation is free of known security vulnerabilities. Due to the potential for future protocol downgrade attacks and other TLS 1.0 vulnerabilities not specific to Microsoft's implementation, it is recommended that dependencies on all security protocols older than TLS 1.2 be removed where possible (TLS 1.1/1.0/ SSLv3/SSLv2).

At this time TLS 1.3 is not supported by Exchange and has been known to cause issues if enabled. If detected to be anything but disabled on Exchange, it will be thrown as an error and needs to be addressed right away.

We also check for the SystemDefaultTlsVersions registry value which controls if .NET Framework will inherit its defaults from the Windows Schannel DisabledByDefault registry values or not.

An invalid TLS configuration can cause issues within Exchange for communication.

Only the values 0 or 1 are accepted and determined to be properly configured. The reason being is this is how our documentation provides to configure the value only and it then depends on how the code reads the value from the registry interpret the value.

By not having the registry value defined, different versions of .NET Frameworks for what the code is compiled for will treat TLS options differently. Therefore, we throw an error if the key isn't defined and action should be taken to correct this as soon as possible. To correct this, you create the missing DWORD registry key with the value you wish to have.

The Configuration result can provide a value of Enabled, Disabled, Half Disabled, or Misconfigured. They are defined by the following conditions:

Value Definition Enabled Client and Server Enabled values are set to 1 and DisabledByDefault is set to 0 on the TLS Version. Disabled Client and Server Enabled values are set to 0 and DisabledByDefault is set to 1 on the TLS Version. Half Disabled Client and Server Enabled values are set to either 0 or 1 and DisabledByDefault is set to the opposite where the value doesn't equal Enabled or Disabled.This is not a supported configuration as it doesn't follow the documentation that we have provided. Misconfigured When either the Enabled or the DisabledByDefault values do not match between the Client and Server of that TLS Version.Exchange can be a Client and a Server and this will cause problems and needs to be addressed ASAP.

The location where we are checking for the TLS values are here:

SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Client SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Server SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Client SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Server SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Client SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Server SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.3\\Client SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.3\\Server

At each location, we are looking at the value of Enabled and DisabledByDefault. If the key isn't present, Enabled is set to true and DisabledByDefault is set to false. With the exception of TLS 1.3, if that isn't present it is disabled by default.

The location for the .NET Framework TLS related settings are located here:

SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\v4.0.30319 SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319 SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\v2.0.50727 SOFTWARE\\Microsoft\\.NETFramework\\v2.0.50727

At each location, we are looking at the value of SystemDefaultTlsVersions and SchUseStrongCrypto. If the key isn't present, both are set to false.

Included in HTML Report?

Yes

Additional resources:

Exchange Server TLS configuration best practices

Solving the TLS 1.0 Problem, 2nd Edition

TLS 1.2 support at Microsoft

Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2

Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It

Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1

"},{"location":"Diagnostics/HealthChecker/VisualCRedistributableVersionCheck/","title":"Visual C++ Redistributable Version Check","text":"

Description:

We check if the the latest Visual C++ Redistributable version, required for the installed Exchange server role, is installed or not.

Included in HTML Report?

Yes

Additional resources:

Microsoft Visual C++ Redistributable Latest Supported Downloads

Exchange Server 2019 prerequisites

Exchange Server 2016 prerequisites

"},{"location":"Diagnostics/HealthChecker/VulnerabilityCheck/","title":"Vulnerability Check","text":"

The script performs different checks to detect vulnerabilities which may lead into a security issue for the Exchange server.

Vulnerability checks performed:

  • Check the Exchange server build number against known vulnerabilities that exists within a specific build
  • Check for CVE-2020-0796 SMBv3 vulnerability
  • Check for CVE-2020-1147 .NET Core & .NET Framework vulnerability
  • Check for CVE-2021-1730 Download Domains state

Included in HTML Report?

Yes

"},{"location":"Hybrid/Test-HMAEAS/","title":"Validating Hybrid Modern Authentication setup for Outlook for iOS and Android","text":"

Download the latest release: Test-HMAEAS.ps1

This script allows you to check and see if your on-premises Exchange environment is configured correctly to use Hybrid Modern Authentication (HMA) with Outlook for iOS and Android. For this to work correctly, you will need to enable HMA and follow HMA Outlook for iOS and Android guidance to configure this feature properly.

To run the script, at minimum you will need a valid SMTP Address for a user that is located on-premises.

To test basic AutoDiscover and a Empty Bearer Authorization check you can run:

.\\Test-HMAEAS.ps1 user@contoso.com\n

To test basic AutoDiscover with a custom AutoDiscover Name and also do Empty Bearer Authorization check you can run:

.\\Test-HMAEAS.ps1 user@contoso.com -CustomAutoD autodiscover.contoso.com\n

To test basic EAS Connectivity you can run (you will need to use the users credentials for this test):

.\\Test-HMAEAS.ps1 user@contoso.com -TestEAS\n

"},{"location":"M365/DLT365Groupsupgrade/","title":"DLT365GroupsUpgrade","text":"

Download the latest release: DLT365GroupsUpgrade.ps1

"},{"location":"M365/DLT365Groupsupgrade/#validating-distribution-group-eligibility-for-upgrade-to-o365-group","title":"Validating Distribution group eligibility for upgrade to O365 Group","text":"

This script allows you to check Distribution to O365 Group migration eligibility for a specific distribution group SMTP, for more information over the Distribution to O365 Group migration blockers please check: https://docs.microsoft.com/en-us/microsoft-365/admin/manage/upgrade-distribution-lists?view=o365-worldwide

The script will prompt for global administrator username & password to connect to EXO Then the script will ask for required group smtp Then start to check and provide feedback in case group migration blockers found as illustrated below:

"},{"location":"M365/MDO/MDOThreatPolicyChecker/","title":"MDOThreatPolicyChecker","text":"

Download the latest release: MDOThreatPolicyChecker.ps1

This script checks which Microsoft Defender for Office 365 and Exchange Online Protection threat policies cover a particular user, including anti-malware, anti-phishing, inbound and outbound anti-spam, as well as Safe Attachments and Safe Links policies in case these are licensed for your tenant. In addition, the script can check for threat policies that have inclusion and/or exclusion settings that may be redundant or confusing and lead to missed coverage of users or coverage by an unexpected threat policy.

"},{"location":"M365/MDO/MDOThreatPolicyChecker/#common-usage","title":"Common Usage","text":"

The script uses Exchange Online cmdlets from Exchange Online module and Microsoft.Graph cmdLets from Microsoft.Graph.Authentication, Microsoft.Graph.Groups and Microsoft.Graph.Users modules.

To run the PowerShell Graph cmdlets used in this script, you need only the following modules from the Microsoft.Graph PowerShell SDK: - Microsoft.Graph.Groups: Contains cmdlets for managing groups, including Get-MgGroup and Get-MgGroupMember. - Microsoft.Graph.Users: Includes cmdlets for managing users, such as Get-MgUser. - Microsoft.Graph.Authentication: Required for authentication purposes and to run any cmdlet that interacts with Microsoft Graph.

You can find the Microsoft Graph modules in the following link: \u00a0\u00a0\u00a0\u00a0https://www.powershellgallery.com/packages/Microsoft.Graph/ \u00a0\u00a0\u00a0\u00a0https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0#installation

Here's how you can install the required submodules for the PowerShell Graph SDK cmdlets:

Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser\nInstall-Module -Name Microsoft.Graph.Groups -Scope CurrentUser\nInstall-Module -Name Microsoft.Graph.Users -Scope CurrentUser\n

NOTE

Remember to run these commands in a PowerShell session with the appropriate permissions. The -Scope CurrentUser parameter installs the modules for the current user only, which doesn't require administrative privileges.

In the Graph connection you will need the following scopes 'Group.Read.All','User.Read.All' 

Connect-MgGraph -Scopes 'Group.Read.All','User.Read.All'\n
You need as well an Exchange Online session. 
Connect-ExchangeOnline\n

You can find the Exchange module and information in the following links: \u00a0\u00a0\u00a0\u00a0https://learn.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps \u00a0\u00a0\u00a0\u00a0https://www.powershellgallery.com/packages/ExchangeOnlineManagement

"},{"location":"M365/MDO/MDOThreatPolicyChecker/#examples","title":"Examples:","text":"

To check all threat policies for potentially confusing user inclusion and/or exclusion conditions and print them out for review, run the following: 

.\\MDOThreatPolicyChecker.ps1\n

To provide a CSV input file with email addresses and see only EOP policies, run the following: 

.\\MDOThreatPolicyChecker.ps1 -CsvFilePath [Path\\filename.csv]\n

To provide multiple email addresses by command line and see only EOP policies, run the following: 

.\\MDOThreatPolicyChecker.ps1 -EmailAddress user1@contoso.com,user2@fabrikam.com\n

To provide a CSV input file with email addresses and see both EOP and MDO policies, run the following: 

.\\MDOThreatPolicyChecker.ps1 -CsvFilePath [Path\\filename.csv] -IncludeMDOPolicies\n

To provide an email address and see only MDO (Safe Attachment and Safe Links) policies, run the following: 

.\\MDOThreatPolicyChecker.ps1 -EmailAddress user1@contoso.com -OnlyMDOPolicies\n

To see the details of the policies applied to mailbox in a CSV file for both EOP and MDO, run the following: 

.\\MDOThreatPolicyChecker.ps1 -CsvFilePath [Path\\filename.csv] -IncludeMDOPolicies -ShowDetailedPolicies\n

To get all mailboxes in your tenant and print out their EOP and MDO policies, run the following: 

.\\MDOThreatPolicyChecker.ps1 -IncludeMDOPolicies -EmailAddress @(Get-ExOMailbox -ResultSize unlimited | Select-Object -ExpandProperty PrimarySmtpAddress)\n

"},{"location":"M365/MDO/MDOThreatPolicyChecker/#parameters","title":"Parameters","text":"Parameter Description CsvFilePath Allows you to specify a CSV file with a list of email addresses to check. Csv file must include a first line with header Email. EmailAddress Allows you to specify email address or multiple addresses separated by commas. IncludeMDOPolicies Checks both EOP and MDO (Safe Attachment and Safe Links) policies for user(s) specified in the CSV file or EmailAddress parameter. OnlyMDOPolicies Checks only MDO (Safe Attachment and Safe Links) policies for user(s) specified in the CSV file or EmailAddress parameter. ShowDetailedPolicies In addition to the policy applied, show any policy details that are set to True, On, or not blank. SkipConnectionCheck Skips connection check for Graph and Exchange Online. SkipVersionCheck Skips the version check of the script. ScriptUpdateOnly Just updates script version to latest one."},{"location":"NewUserGuide/","title":"New User Guide","text":""},{"location":"NewUserGuide/#introduction","title":"Introduction","text":"

If you are new to Git and GitHub, and you want to contribute to CSS-Exchange, you've come to the right place.

There are many, many resources on how to use Git and GitHub. We recommend starting with Pro Git. Reading chapters 1 to 3 provides a great foundation for understanding and using Git.

This page will serve as a quick start that leads you through submitting a Pull Request to CSS-Exchange step by step.

This page will not cover the use of any GUI that attempts to insulate the user from the Git command line. In this author's opinion, the only way to really learn Git is to use the command line, so that's all we'll cover here.

"},{"location":"NewUserGuide/#before-you-start","title":"Before You Start","text":"

If you are considering a large change to a script or a brand new script, it's often a good idea to open an Issue first to discuss the change. This will allow the repository owners to provide feedback on whether they would accept this type of change. By getting feedback before you spend days on a complex change, you can ensure that you're not wasting your time.

"},{"location":"NewUserGuide/#installation","title":"Installation","text":"
  • Install PowerShell 7 or later.
  • Install Visual Studio Code. You'll need this to develop scripts for this project.
  • Assuming you're running Windows, install Git For Windows. When it asks for your default editor, choose Visual Studio Code. The rest of the defaults are fine. If you're on a different operating system, refer to the Git documentation for instructions.
  • Optional but recommended: Install Posh Git in your PowerShell 7+ shell. This adds some useful features such as branch name autocompletion in PowerShell.
"},{"location":"NewUserGuide/#forking-the-repository","title":"Forking the repository","text":"

The first step is to fork the repository on GitHub. Unless you have Write access to CSS-Exchange, you can't push directly to our repo. Creating a fork creates your own copy of the repo on GitHub, so you have somewhere to push your changes.

To fork the repository, use the Fork icon at the top right of the repository page.

You'll be prompted for a name and description. The defaults are fine. When the fork is complete, you'll be taken to the new repository page. At the top left, you should see that you are now on your own fork.

"},{"location":"NewUserGuide/#cloning-the-repository","title":"Cloning the repository","text":"

Now you're ready to start using the git command line. To clone the repository, drop down the Code button and copy the URL:

Then use that URL to clone the repository using the command line:

git clone <url>\n

This creates a folder called CSS-Exchange in your current directory.

"},{"location":"NewUserGuide/#creating-a-new-branch","title":"Creating a new branch","text":"

Change into the folder that was just created. Your shell should now look something like this.

Because we have PoshGit loaded, it's showing our current branch name in the prompt - main. Let's create a new branch for our work. It's nice to use a descriptive name. For example, if we're updating this guide, we might call name it like so:

"},{"location":"NewUserGuide/#making-changes","title":"Making changes","text":"

Now that you're on your own branch, you're ready to make your changes. You can technically use any tool you like - notepad, vim, whatever. But, if you open the repo root folder in Visual Studio Code, many of the repository formatting settings will be applied automatically. You can also shift-alt-F to reformat a file according to the settings. This may save you some time later.

For this example, I created a new script called New-Script.ps1.

After making our changes, it's a good idea to verify that git sees everything we changed, and that we haven't changed any files we didn't intend to. Because we have PoshGit, just hitting Enter to get a new prompt shows us some information about how many files have changed. We can also run git status to see some details.

This looks good. My intent was to add one script file, and that's the only change shown here.

"},{"location":"NewUserGuide/#formatting-changes","title":"Formatting changes","text":"

CSS-Exchange has some formatting requirements to ensure consistency, and these checks are integrated into our build process. Before committing changes, let's run .build\\CodeFormatter.ps1 to see if our new script meets the requirements.

CodeFormatter highlighted a few problems here:

  • File has no newline at the end.
  • File is missing the required compliance header.
  • File has no BOM. We require a BOM on scripts.
  • The formatting of the code itself is not using the correct brace style. This is shown in a warning, followed by diff output illustrating the required change. In addition, a PSScriptAnalyzer check at the end highlights the same issue with the PSPlaceOpenBrace rule.

CodeFormatter will fix some problems automatically if the -Save switch is included. Let's run it again with -Save.

Here we see CodeFormatter automatically fixed all of these issues when run with the -Save switch. Running a second time, we can confirm everything was fixed, as it generates no output at all.

"},{"location":"NewUserGuide/#staging-changes","title":"Staging changes","text":"

We're almost ready to commit our changes, but first we should stage them. Staging gives us a chance to sanity-check what we're about to commit before we actually commit. It's especially useful when we have modified several files for testing, but we only intend to commit some of them.

If we run git status again, we should once again see that only one file is modified for our simple test case. Then we can stage our file with git add, and check the result again with git status.

When we have many files to commit, we can use git add . to stage all files in the current folder and SubFolders, or git add :/ to stage all files everywhere. When using those options, it's especially important to check git status to make sure we haven't staged something we didn't intend to.

"},{"location":"NewUserGuide/#committing-changes","title":"Committing changes","text":"

If git status shows that the correct files are staged, we can commit them with git commit. This will open the default editor, which will be Visual Studio Code if you chose it when installing Git as described earlier.

The top line should be the title of the commit. Then skip a line and add further details as necessary. Close the tab, choose Save when prompted, and we see the following output.

Now our changes are committed to our local copy of our branch, but we need to push those to GitHub.

"},{"location":"NewUserGuide/#pushing-the-changes","title":"Pushing the changes","text":"

Because this is the first time we're pushing changes for our new branch, we have to provide a few details. On our first push of our new branch, the syntax will be git push -u origin <branch name>.

Origin means we're pushing to the location we cloned from - this is the name of the remote repo by default. The -u parameter tells it to set this as our upstream for this branch. We only have to do this the first time. If we make additional changes on this branch and commit them, we can now push them to the server with a simple git push, since we have now told it that origin will be our upstream going forward.

Now we're ready to request that our changes be pulled into the official repo.

"},{"location":"NewUserGuide/#creating-a-pull-request","title":"Creating a Pull Request","text":"

There are a few ways to create a Pull Request. We can see in the previous screenshot that GitHub helpfully shows us a URL we can visit to start a Pull Request. You can also manually navigate to the Pull Request tab of the official repo, and create a new Pull Request there. You might even see a prompt to create a PR for the branch you just pushed. Either of these methods will work.

At this point we're presented with a form to provide some details about the PR. Be sure that at the top of the PR form, we see the official repo and the main branch on the left, followed by your fork and the branch you created on the right.

Fill in the details and hit Create Pull Request.

"},{"location":"NewUserGuide/#responding-to-feedback","title":"Responding to feedback","text":"

The repository owners will often request some changes to our code by commenting on the Pull Request. To update the code in the Pull Request, simply make the additional changes in your local files, stage them, and commit them just as before. Then, git push. Remember, we don't need any other parameters on the push this time. After pushing new changes, we should see the PR update almost instantly.

Once the owners are satisfied with the changes, they will approve and merge the PR. And we're done!

"},{"location":"NewUserGuide/#cleaning-up","title":"Cleaning up","text":"

Once the PR is merged, we can delete our fork and delete the folder containing our local clone. We can keep the fork around if we intend to contribute further, but the main branch of the fork will not automatically pull in the latest changes from the official repo. It will get further and further out of date, which may cause problems with future pull requests. To avoid this, we'll need to pull in the changes from the main branch of the official repo into our fork. This is out of scope for this guide, so we'll leave this an exercise for the reader.

"},{"location":"Performance/ExPerfAnalyzer/","title":"ExPerfAnalyzer","text":"

Download the latest release: ExPerfAnalyzer.ps1

"},{"location":"Performance/ExPerfAnalyzer/#running-the-script","title":"Running the script","text":"
.\\ExPerfAnalyzer.ps1 .\\EXSERVER01_FULL_000001.BLG\n
"},{"location":"Performance/ExPerfAnalyzer/#registering-script-as-a-default-handler","title":"Registering script as a default handler","text":"
.\\ExPerfAnalyzer.ps1 -RegisterHandler\n

PowerShell must be running as an administrator for this command to work. The script will register itself as a shell handler for perfmon .blg files. You can then right-click any .blg file and select ExPerfAnalyzer to quickly parse the file.

"},{"location":"Performance/ExPerfAnalyzer/#inspiration","title":"Inspiration","text":"

This script was inspired by Performance Analysis of Logs (PAL) and PMA.VBS (an internal tool used by Windows support).

"},{"location":"Performance/ExPerfAnalyzer/#faq","title":"FAQ","text":"

  • This takes forever to run.

    It's faster than PAL.

  • Why don't I just use PAL?

    You could, but PAL takes even longer to run and throws a lot of false positives.

  • What's the expected running time?

    v0.2.2 and an Intel Core i7-4810MQ @ 2.8Ghz processed a 1GB perfmon sitting on an SSD in 11 seconds.

  • Can I edit this script however I'd like?

    Yes, that's the magic of open source software!

  • Do you accept pull requests? Can I contribute to the script?

    Of course!

"},{"location":"Performance/ExPerfWiz/","title":"About ExPerfWiz","text":"

Download the latest release: ExPerfWiz.ps1

ExPerfWiz is a PowerShell based script to help automate the collection of performance data on Exchange 2013, 2016 and 2019 servers.\u00a0 Supported operating systems are Windows 2012, 2012 R2, 2016 and 2019 Core and Standard.

"},{"location":"Performance/ExPerfWiz/#initial-run","title":"Initial Run","text":"

Run .\\ExPerfWiz.ps1 from an elevated shell.

  • You will be prompted to setup a default collector on the current server.
  • Selecting Y will configure but not start a default collector on the current server.
  • Selecting N will return to a prompt without creating a collector.

Once a prompt is returned all of the ExPerfWiz functions will now be available to run.

"},{"location":"Performance/ExPerfWiz/#common-usage","title":"Common Usage","text":"

New-ExPerfWiz -FolderPath C:\\PerfWiz -StartOnCreate

"},{"location":"Performance/ExPerfWiz/#how-to-use","title":"How to use","text":"

The following functions are provided by ExPerfWiz to manage data collection.

"},{"location":"Performance/ExPerfWiz/#get-experfwiz","title":"Get-ExPerfWiz","text":"

Gets ExPerfWiz data collector sets

Switch Description Default Name Name of the Data Collector set Exchange_PerfWiz Server Name of the Server Local Machine ShowLog Displays the ExPerfWiz Log file NA"},{"location":"Performance/ExPerfWiz/#new-experfwiz","title":"New-ExPerfWiz","text":"

Creates an ExPerfWiz data collector set Will overwrite any existing sets with the same name

Switch Description Default Circular Enabled or Disable circular logging Disabled Duration How long should the performance data be collected 08:00:00 FolderPath Output Path for performance logs NA Interval How often the performance data should be collected. 5s MaxSize Maximum size of the perfmon log in MegaBytes (256-4096) 1024Mb Name The name of the data collector set Exchange_PerfWiz Server Name of the server where the perfmon collector should be created Local Machine StartOnCreate Starts the counter set as soon as it is created False StartTime Daily time to start perfmon counter NA Template XML perfmon template file that should be loaded to create the data collector set. Exch_13_16_19_Full.xml Threads Includes threads in the counter set. False"},{"location":"Performance/ExPerfWiz/#set-experfwiz","title":"Set-ExPerfWiz","text":"

Modifies the configuration of an existing data collector set.

Switch Description Default Duration How long should the performance data be collected 08:00:00 Interval How often the performance data should be collected. 5s MaxSize Maximum size of the perfmon log in MegaBytes (256-4096) 1024Mb Name The name of the data collector set Exchange_PerfWiz Server Name of the server where the perfmon collector should be created Local Machine StartTime Daily time to start perfmon counter NA Quiet Suppress output False"},{"location":"Performance/ExPerfWiz/#remove-experfwiz","title":"Remove-ExPerfWiz","text":"

Removes an ExPerfWiz data collector set

Switch Description Default Name Name of the Perfmon Collector set Exchange_PerfWiz Server Name of the server to remove the collector set from Local Machine"},{"location":"Performance/ExPerfWiz/#start-experfwiz","title":"Start-ExPerfWiz","text":"

Starts an ExPerfWiz data collector set

Switch Description Default Name The Name of the Data Collector set to start Exchange_PerfWiz Server Name of the remote server to start the data collector set on. Local Machine"},{"location":"Performance/ExPerfWiz/#stop-experfwiz","title":"Stop-ExPerfWiz","text":"

Stops an ExPerfWiz data collector set

Switch Description Default Name Name of the data collector set to stop. Exchange_PerfWiz Server Name of the server to stop the collector set on. Local Machine"},{"location":"Performance/ExPerfWiz/#example-usage","title":"Example Usage","text":""},{"location":"Performance/ExPerfWiz/#default-usage-for-data-gathering","title":"Default usage for data gathering","text":"

New-ExPerfWiz -FolderPath C:\\ExPerfWiz -StartOnCreate

"},{"location":"Performance/ExPerfWiz/#stop-data-collection","title":"Stop Data Collection","text":"

Stop-ExPerfWiz

"},{"location":"Performance/ExPerfWiz/#collect-data-from-another-server","title":"Collect data from another server","text":"

New-ExPerfWiz -FolderPath C:\\ExPerfWiz -server RemoteExchServer

"},{"location":"Performance/ExPerfWiz/#collect-data-from-multiple-servers","title":"Collect data from multiple servers","text":"

Get-ExchangeServer | Foreach {New-ExPerfWiz -FolderPath C:\\ExPerfWiz -StartOnCreate -Server $_.name}

"},{"location":"Performance/ExPerfWiz/#important-notes","title":"Important Notes","text":"
  • The default duration is 8 hours to save on disk space meaning that the data collection will stop after 8 hours.
  • Using -Threads should only be done if needed to troubleshoot the issue. It will SIGNIFICANTLY increase the size of the resulting perfmon files.
  • Do not stop the log gathering thru the Perfmon GUI that can result in an unreadable log file. Always stop the data gathering with Stop-ExPerfWiz.
"},{"location":"Performance/SimplePerf/","title":"SimplePerf","text":"

Download the latest release: SimplePerf.ps1

This script is a stripped-down and streamlined performance log collector for Exchange Server.

"},{"location":"Performance/SimplePerf/#common-examples","title":"Common Examples","text":"

.\\SimplePerf.ps1 -Start\n
Starts a collector using Exchange counter defaults. The collector is non-circular, will run for 8 hours, has a 5-second interval, has a max file size of 1 GB, and saves the logs to C:\\SimplePerf.

.\\SimplePerf.ps1 -Start -IncludeCounters \"\\Thread\"\n
Starts a collector using Exchange counter defaults plus all \\Thread counters. The collector is non-circular, will run for 8 hours, has a 5-second interval, has a max file size of 1 GB, and saves the logs to C:\\SimplePerf.

.\\SimplePerf.ps1 -Start -Duration 02:00:00 -Interval 30 -MaximumSizeInMB 512 -OutputFolder C:\\PerfLogs\n
Starts a collector using Exchange counter defaults. The collector is non-circular, will run for 2 hours, has a 30-second interval, has a max file size of 512 MB, and saves the logs to C:\\PerfLogs.

.\\SimplePerf.ps1 -Start -Duration 02:00:00 -Interval 30 -MaximumSizeInMB 1024 -Circular -OutputFolder C:\\PerfLogs\n
Starts a collector using Exchange counter defaults. The collector is circular, will run for 2 hours, has a 30-second interval, has a max file size of 1024 MB, and saves the logs to C:\\PerfLogs.

.\\SimplePerf.ps1 -Stop\n
Stops a running SimplePerf.

Get-ExchangeServer | .\\SimplePerf.ps1 -Start\n
Starts a SimplePerf with the default options on all Exchange servers.

\"SRV1\", \"SRV2\", \"SRV3\" | .\\SimplePerf.ps1 -Start\n
Starts a SimplePerf with the default options on the three named servers.

\"SRV1\", \"SRV2\", \"SRV3\" | .\\SimplePerf.ps1 -Stop\n
Stops a running SimplePerf on the three named servers.

"},{"location":"Performance/SimplePerf/#using-named-collectors","title":"Using Named Collectors","text":"

It is possible to run several SimplePerf collectors on the same computer at the same time by providing the -CollectorName parameter. For example:

.\\SimplePerf -Start -Interval 60 -CollectorName \"Minute\"\n.\\SimplePerf -Start -Interval 5 -CollectorName \"FiveSeconds\"\n

When using collector names, the same name must be provided to the -Stop command:

.\\SimplePerf -Stop -CollectorName \"Minute\"\n.\\SimplePerf -Stop -CollectorName \"FiveSeconds\"\n
"},{"location":"Performance/SimplePerf/#counter-name-filters","title":"Counter Name Filters","text":"

The counters collected by SimplePerf can be controlled with a combination of three parameters: -Scenario, -IncludeCounters, and -ExcludeCounters.

Currently, there are only two scenarios: Exchange and None. The Exchange scenario is a common set of counters for Exchange Server, similar to what ExPerfWiz would collect. None is a completely empty counter set.

-IncludeCounters and -ExcludeCounters perform a StartsWith match against the counter name. This makes it possible to collect a large number of counters with minimal syntax. For example:

.\\SimplePerf.ps1 -Start -IncludeCounters \"\\MSExchange\", \"\\Microsoft Exchange\"\n
This example starts a SimplePerf using the Exchange scenario, but then it includes every counter starting with either MSExchange or Microsoft Exchange.

.\\SimplePerf.ps1 -Start -IncludeCounters \"\\MSExchange\", \"\\Microsoft Exchange\" -Scenario \"None\"\n
This example starts a SimplePerf collecting all the matching Exchange counters without including any default counters at all, because the None scenario was specified.

.\\SimplePerf.ps1 -Start -ExcludeCounters \"\\MSExchange Transport\"\n
In this example, we use the Exchange scenario as a starting point, but then we remove all counters starting with MSExchange Transport.

Note that individual counters can be excluded even if the counter set has been included. To illustrate:

In this screenshot we see all the counters that exist for the Thread set.

If we tell SimplePerf to include \"\\Thread\", then it simply collects the whole object.

However, if we tell it to Include \"\\Thread\" but exclude \"\\Thread(*)\\Priority\", we see that it has correctly expanded the Thread object and is collecting all counters except \"Priority Current\" and \"Priority Base\".

This filtering mechanism makes it easy to customize the counter set with minimal text. To check the result of your counter filters, add the -Verbose switch, or check the counters txt file in $env:TEMP.

Note that the resulting set can only show counters that exist on the local machine. For instance, you won't see any Exchange counters in the Verbose output if the script is not running on an Exchange Server.

"},{"location":"Performance/SimplePerf/#language-support","title":"Language Support","text":"

SimplePerf works regardless of the current language. It does this by translating the provided counter filters to whatever the current server language happens to be. This means that counter names must always be provided in English, even when the current language is not English.

For example, here is the same command from the earlier example running on a server where Spanish is the current language:

"},{"location":"PublicFolders/SourceSideValidations/","title":"SourceSideValidations","text":"

Download the latest release: SourceSideValidations.ps1

This script performs pre-migration public folder checks for Exchange 2013, 2016, and 2019. For Exchange 2010, please use previous script found here.

"},{"location":"PublicFolders/SourceSideValidations/#syntax","title":"Syntax","text":"
SourceSideValidations.ps1\n  [-StartFresh <bool>]\n  [-SlowTraversal]\n  [-ResultsFile <string>]\n  [-SkipVersionCheck]\n  [-Tests <string[]>]\n  [<CommonParameters>]\nSourceSideValidations.ps1 -RemoveInvalidPermissions\n  [-ResultsFile <string>]\n  [-SkipVersionCheck]\n  [<CommonParameters>]\nSourceSideValidations.ps1 -SummarizePreviousResults\n  [-ResultsFile <string>]\n  [-SkipVersionCheck]\n  [<CommonParameters>]\n
"},{"location":"PublicFolders/SourceSideValidations/#output","title":"Output","text":"

The script will generate the following files. Usually the only one we care about is ValidationResults.csv. The others are purely for saving time on subsequent runs.

File Name Content Use IpmSubtree.csv A subset of properties of all Public Folders Running with -StartFresh $false loads this file instead of retrieving fresh data Statistics.csv EntryID, item count, and size of every folder Running with -StartFresh $false loads this file instead of retrieving fresh data NonIpmSubtree.csv A subset of properties of all System Folders Running with -StartFresh $false loads this file instead of retrieving fresh data ValidationResults.csv Information about any issues found. This is file we want to examine to understand any issues found. The script will display a summary of what it found, and in many cases it will provide an example command that uses input from this file to fix the problem."},{"location":"PublicFolders/SourceSideValidations/#tests","title":"Tests","text":"

The script performs the following tests. The ValidationResults.csv can be filtered by ResultType to identify the respective folders.

Test Category ResultType Criteria DumpsterMapping BadDumpsterMapping DumpsterEntryId is null, or the dumpster is not in \\NON_IPM_SUBTREE\\DUMPSTER_ROOT, or the DumpsterEntryId of the dumpster does not point back to the folder. Limit ChildCount The folder has more than 10,000 direct child folders. Limit EmptyFolder The folder and all its child folders (recursive) have no items. Limit FolderPathDepth The folder path is greater than 299 folders deep. Limit HierarchyCount There are more than 250,000 total folders in the hierarchy. Limit HierarchyAndDumpsterCount There are more than 250,000 total folders if you count both the folders and their dumpsters. Limit ItemCount The folder has more than 1,000,000 items. Limit NoStatistics Get-PublicFolderStatistics did not return any statistics for these folders. ItemCount, TotalItemSize, and EmptyFolder tests were skipped. Limit TotalItemSize The items directly in this folder (not child folders) add up to more than 25 GB. MailEnabledFolder MailDisabledWithProxyGuid The folder is not mail-enabled, but it has the GUID of an Active Directory object in its MailRecipientGuid property. MailEnabledFolder MailEnabledSystemFolder The folder is a system folder, which should not be mail-enabled. MailEnabledFolder MailEnabledWithNoADObject The folder is mail-enabled, but it has no Active Directory object. MailEnabledFolder OrphanedMPF An Active Directory object exists, but it is not linked to any folder. MailEnabledFolder OrphanedMPFDuplicate An Active Directory object exists, but it points to a public folder which points to a different object. MailEnabledFolder OrphanedMPFDisconnected An Active Directory object exists, but it points to a public folder that is mail-disabled. FolderName SpecialCharacters Folder name contains @, /, or \\. Permission BadPermission The permission does not refer to a valid entity."},{"location":"PublicFolders/SourceSideValidations/#usage","title":"Usage","text":"

Typically, the script should be run with no parameters:

.\\SourceSideValidations.ps1\n

Progress indicators are displayed as it collects data and validates the results.

The final test, which checks permissions, will usually take much longer than the other tests.

When all the tests are done, the script provides a summary of what it found, along with example commands that fix some issues.

In this example output, the script calls out four issues.

First, it points out that we have 111,124 folders that are completely empty (this is a lab). Note the ResultType of EmptyFolder. If we want to see the list of empty folders, we can open up ValidationResults.csv in Excel, filter for a ResultType of EmptyFolder, and then we see all those results:

For these folders, no action is required. The script is just giving us information.

The next thing it calls out is that 4 folders have problematic characters in the name. The output tells us these have a ResultType of SpecialCharacters. Filtering for that in the CSV, we see the folders.

Fortunately, the script gives us a command we can run to fix all the names. We can copy and paste the command it gave us, let it run, and then spot check the result.

Now that the names are fixed, we move on to the next item.

The script tells us we have a mail public folder object for a public folder that is mail-disabled. For this type of problem, we need to examine the folder and figure out what we want to do. The CSV file gives us the DN of the mail object and the entry ID of the folder, which we can use to examine the two objects.

The folder says MailEnabled is False, yet we have a MailPublicFolder which points to it. We need to decide whether we want the folder to receive email or not. For this lab, I decide I do want the folder to be mail-enabled, so I remove the orphaned MailPublicFolder and then mail-enable the folder.

I also confirm the new object has the same email address as the old one. This might need to be adjusted manually in some cases, but here I didn't have to.

Finally, the script says we have 9,850 invalid permissions. Fortunately, this is another one that is easy to fix, as the script provides a command.

This one is going to take a while. Once completed, we can rerun SourceSideValidations to make sure all the issues are resolved.

If you close the shell and you need to see the summary results again, use the -SummarizePreviousResults switch.

.\\SourceSideValidations -SummarizePreviousResults\n

The script reads the output file and repeats the instructions on what to do. You can also summarize the results from previous runs, or point to files in other locations, by providing the -ResultsFile parameter.

"},{"location":"PublicFolders/ValidateEXOPFDumpster/","title":"ValidateExoPfDumpster","text":"

Download the latest release: ValidateExoPfDumpster.ps1

This script investigates public folders/items deletion operations failures & propose FIXes for mitigation. The script is working to validate the below conditions over the affected public folder

"},{"location":"PublicFolders/ValidateEXOPFDumpster/#checks-run","title":"Checks run:","text":"
  1. Public folder size issue
    • Public folder content mailbox TotalDeletedItemSize value has exceeded its RecoverableItemsQuota value
    • Public folder size is full
  2. User permissions are not synced between public folder mailboxes
  3. Content Public folder mailbox across the public folder & its dumpster is different
  4. EntryId & DumpsterEntryID values are not mapped properly on the public folder & its dumpster
  5. Parent public folder dumpster is unhealthy
  6. Dumpster folder
  7. Dumpster folder has children
  8. Mail-enabled public folder health if MEPfProxyGuid was null
"},{"location":"PublicFolders/ValidateEXOPFDumpster/#syntax","title":"Syntax","text":"
ValidateExoPfDumpster.ps1\n  [-PFolder <string[]>]\n  [-AffectedUser <string[]>]\n  [-ExportPath <string[]>]\n
"},{"location":"PublicFolders/ValidateEXOPFDumpster/#output","title":"Output","text":"

The script will generate the public folder validation checks failures & proposed Fixes results on screen and will generate same results on ValidatePFDumpsterREPORT.txt file as well. There are other files generated for either script logging purposes or sometimes for logs to be shared with Microsoft personnel in case issues encountered requires microsoft support team intervention.

File Name Content Use ValidatePFDumpsterREPORT.txt Information about any blockers found The script will display what it found, and in many cases it will provide a mitigation to fix the problem ValidatePFDumpsterChecksLogging.csv Information about the reason of script failure to run The file will display errors encountered on running the script and at which stage PublicFolderInfo.xml All required information about the affected public folder This log file to be shared with Microsoft personnel"},{"location":"PublicFolders/ValidateEXOPFDumpster/#usage","title":"Usage","text":"

Typically, the script should run with PFolder identity parameter as illustrated below:

.\\ValidateExoPfDumpster.ps1 -PFolder \\pf1\n

The script will prompt for affected public folder identity/EntryID if it wasn't provided using PFolder parameter then it will prompt for global administrator username & password to connect to EXO by default it validates if the issue is specific to the Public folder \"e.g. all users are affected\"

If the issue happens only with a specific user on that case an affected user smtp address is required to be provided

In this example output, the script calls out two blockers.

It points out the below blockers: - Neither user nor Default user have sufficient permissions to delete items inside the public folder - Public folder size has exceeded Individual Public Folder ProhibitPostQuota value

In this example output, the script calls out four blockers.

It points out the below issues: - Public folder & its dumpster doesn't have the same content public folder mailbox - Public folder EntryId & DumpsterEntryID values are not mapped properly - Public folder size has exceeded Organization DefaultPublicFolderProhibitPostQuota value - Public folder dumpster has 1 subfolder

The script created a log file containing all the required information \"PublicFolderInfo.xml\" to be shared with Microsoft personnel for the first two blockers & provided mitigation for the last two blockers and you can see same results under ValidatePFDumpsterREPORT.txt file.

"},{"location":"PublicFolders/ValidateMailEnabledPublicFolders/","title":"ValidateMailEnabledPublicFolders","text":"

Download the latest release: ValidateMailEnabledPublicFolders.ps1

This script performs pre-migration checks on mail-enabled folders on Exchange 2010 and up. Note that these checks are also included in the new SourceSideValidations.ps1 for 2013 and up.

"},{"location":"Retention/Get-MRMDetails/","title":"Get-MRMDetails","text":"

Download the latest release: Get-MRMDetails.ps1

This script will gather the MRM configuration for a given user. It will collect the current MRM Policy and Tags for the Exchange Organization, the current MRM Policy and Tags applied to the user, the current Exchange Diagnostics Logs for the user, and Exchange Audit logs for the mailbox selected. The resulting data will allow you to see what tags are applied to the user and when the Managed Folder Assistant has run against the user. It also will grab the Admin Audit log so that we can tell if the Tags or Polices have been modified and who modified them.

To run the script, at minimum you will need a valid SMTP Address for a user. Then you can review the associated logs that are generated from the script.

Syntax:

.\\Get-MRMDetails.ps1 -Mailbox <user>\n

Example to collect the MRM Details from rob@contoso.com:

.\\Get-MRMDetails.ps1 -Mailbox rob@contoso.com\n
"},{"location":"Search/Troubleshoot-ModernSearch/","title":"Troubleshoot-ModernSearch","text":"

Download the latest release: Troubleshoot-ModernSearch.ps1

This script is still in development. However, this should be able to quickly determine if an item is indexed or not and why it isn't indexed. Just provide the full message subject and the mailbox identity and it will dump out the information needed to determine if the message is indexed or not.

"},{"location":"Search/Troubleshoot-ModernSearch/#parameters","title":"Parameters","text":"Parameter Description MailboxIdentity Provide the identity of the mailbox that you wish to be looking at. If you are able to find it via Get-Mailbox it is able to be used here. ItemSubject Provide the message's subject name. Must be exact if -MatchSubjectSubstring isn't used. This includes if there is a trailing space at the end of the message subject. MatchSubjectSubstring Enable to perform a like search in the mailbox with the value that is passed with -ItemSubject. FolderName If you want to scope the search to a folder for better and faster results, include the name of the folder that the message is in. DocumentId If you already know the document ID number for the mailbox, provide this. This can not be use with -ItemSubject parameter. Category Provides a breakdown of the messages in the mailbox for that index category state. Possible options are: All, Indexed, PartiallyIndexed, NotIndexed, Corrupted, Stale, and ShouldNotBeIndexed. NOTE: Depending the item count, this can take a long while to complete. GroupMessages To group the messages by Indexing Error Message and Permanent failure state or not. By Disabling this, you get more properties displayed of the message as well. Server Provide a list of possible servers that you wish to get mailbox statistics for all the active databases on that server. SortByProperty Provide the property that you wish to have the information sorted by in the output to screen. Default is to sort by FullyIndexPercentage ExcludeFullyIndexedMailboxes When look at the multiple mailbox statistics, we don't want to view the mailboxes that are fully indexed without any indexing problems. QueryString Include a string that you are using to try to find this item, we will run an instant query against it to see if we can find it. IsArchive Enable if you want to look at the archive mailbox. IsPublicFolder Enable if you want to look at a public folder mailbox."},{"location":"Search/Troubleshoot-ModernSearch/#examples","title":"Examples","text":"

This is an example of how to run a basic query again a single item.

.\\Troubleshoot-ModernSearch.ps1 -MailboxIdentity han@solo.com -ItemSubject \"Test Message\"\n

This is an example of how to run the script when you want to query multiple items with a similar subject name.

.\\Troubleshoot-ModernSearch.ps1 -MailboxIdentity \"Zelda01\" -ItemSubject \"Initial Indexing\" -MatchSubjectSubstring\n

This is an example of how to run the script against an Archive Mailbox.

.\\Troubleshoot-ModernSearch.ps1 -MailboxIdentity han@solo.com -ItemSubject \"Test Message\" -IsArchive\n

This is an example of how to run the script against a Public Folder Mailbox

.\\Troubleshoot-ModernSearch.ps1 -MailboxIdentity PFMailbox2 -ItemSubject \"My Item Test\" -IsPublicFolder\n

This is an example of how to run the script to get all the index state categories

.\\Troubleshoot-ModernSearch.ps1 -MailboxIdentity \"Zelda02\" -Category \"All\"\n

This is an example of how to run the script to get all the non indexed items

.\\Troubleshoot-ModernSearch.ps1 -MailboxIdentity \"Zelda02\" -Category \"NotIndexed\"\n

This is an example of how to run the script to get all the active mailboxes on a server

.\\Troubleshoot-ModernSearch.ps1 -Server \"Solo-E19A\"\n
"},{"location":"Security/CVE-2023-21709/","title":"CVE-2023-21709","text":"

Download the latest release: CVE-2023-21709.ps1

Note

Microsoft has released the Windows Server October 2023 security update to address the TokenCacheModule vulnerability. While the script can still be used to mitigate the vulnerability, the recommended solution is to install the Windows Server October 2023 (or later) security update instead. The update and more information can be found here: CVE-2023-36434

The CVE-2023-21709.ps1 script can be used to mitigate the CVE-2023-21709 and CVE-2023-36434 vulnerability by removing the TokenCacheModule from IIS. It can also be used to restore a previously removed TokenCacheModule.

Note

The script doesn't perform any check if the Windows Server October 2023 (or later) security update has been installed before restoring the TokenCacheModule. Make sure to install the update before restoring the module.

The script allows you to explicitly specify a subset of Exchange servers on which the TokenCacheModule should be removed or restored. It's also possible to exclude a subset of Exchange servers from the operation performed by the script.

"},{"location":"Security/CVE-2023-21709/#requirements","title":"Requirements","text":"

This script must be run as Administrator in Exchange Management Shell (EMS). The user must be a member of the Organization Management role group.

"},{"location":"Security/CVE-2023-21709/#how-to-run","title":"How To Run","text":""},{"location":"Security/CVE-2023-21709/#examples","title":"Examples:","text":"

This syntax removes the TokenCacheModule from all Exchange servers within the organization.

.\\CVE-2023-21709.ps1\n

This syntax removes the TokenCacheModule from ExchangeSrv01 and ExchangeSrv02.

.\\CVE-2023-21709.ps1 -ExchangeServerNames ExchangeSrv01, ExchangeSrv02\n

This syntax removes the TokenCacheModule from all Exchange servers within the organization except ExchangeSrv02.

.\\CVE-2023-21709.ps1 -SkipExchangeServerNames ExchangeSrv02\n

This syntax restores the TokenCacheModule on all Exchange servers within the organization.

.\\CVE-2023-21709.ps1 -Rollback\n
"},{"location":"Security/CVE-2023-21709/#parameters","title":"Parameters","text":"Parameter Description ExchangeServerNames A list of Exchange servers that you want to run the script against. This can be used for applying or rollback the CVE-2023-21709 configuration change. SkipExchangeServerNames A list of Exchange servers that you don't want to execute the TokenCacheModule configuration action. Rollback Switch parameter to rollback the CVE-2023-21709 configuration change and add the TokenCacheModule back to IIS. ScriptUpdateOnly Switch parameter to only update the script without performing any other actions. SkipVersionCheck Switch parameter to skip the automatic version check and script update."},{"location":"Security/ConfigureFipFsTextExtractionOverrides/","title":"ConfigureFipFsTextExtractionOverrides","text":"

Download the latest release: ConfigureFipFsTextExtractionOverrides.ps1

Note

Starting in the Exchange Server March 2024 security update we disable the use of the Oracle Outside In Technology (also known as OutsideInModule or OIT) in Microsoft Exchange Server due to multiple security vulnerabilities in the module. The OutsideInModule was used by the Microsoft Forefront Filtering Module to extract information from different file types, to perform content inspection as part of the Exchange Server Data Loss Prevention (DLP) or Exchange Transport Rules (ETR) features.

The ConfigureFipFsTextExtractionOverrides.ps1 script can be used to manipulate the usage of OutsideInModule that is disabled by default in the Exchange Server March 2024 security update.

There are two scenarios in which the script could be used:

  • It can be used to explicitly enable file types that should be processed by the help of the OutsideInModule.
  • It can be used to override the version of the OutsideInModule that should be used for processing file types, which were explicitly enabled to be processed by the OutsideInModule. After installing the March 2024 security update, Exchange Server uses the latest version of the OutsideInModule version 8.5.7 by default. By activating this override, OutsideInModule version 8.5.3 will be used.

Details about the change that was done as part of the March 2024 security update can be found in KB5037191.

Details about the security vulnerability can be found in the MSRC security advisory.

Warning

Microsoft strongly recommends not overriding the default behavior that was introduced with the March 2024 security update if there are no functional issues that affect your organization's mail flow.

"},{"location":"Security/ConfigureFipFsTextExtractionOverrides/#requirements","title":"Requirements","text":"

This script must be run as Administrator in Exchange Management Shell (EMS). The user must be a member of the Organization Management role group.

"},{"location":"Security/ConfigureFipFsTextExtractionOverrides/#how-to-run","title":"How To Run","text":""},{"location":"Security/ConfigureFipFsTextExtractionOverrides/#examples","title":"Examples:","text":"

This syntax enables processing of Jpeg and AutoCad file types by the help of the OutsideInModule on the server where the command was executed.

.\\ConfigureFipFsTextExtractionOverrides.ps1 -ConfigureOverride \"Jpeg\", \"AutoCad\" -Action \"Allow\"\n

This syntax disables processing of Jpeg and AutoCad file types by the help of the OutsideInModule on the server ExchangeSrv01 and ExchangeSrv02.

.\\ConfigureFipFsTextExtractionOverrides.ps1 -ExchangeServerNames ExchangeSrv01, ExchangeSrv02 -ConfigureOverride \"Jpeg\", \"AutoCad\" -Action \"Block\"\n

This syntax causes Exchange Server to use the previous version of the OutsideInModule. The override will be enabled on the system on which the script was executed. Note that this can make your system vulnerable to known vulnerabilities in the previous version and should not be used unless explicitly advised by Microsoft.

.\\ConfigureFipFsTextExtractionOverrides.ps1 -ConfigureOverride \"OutsideInModule\" -Action \"Allow\"\n

This syntax disables the override of the version of the OutsideInModule module on the server ExchangeSrv01 and ExchangeSrv02.

.\\ConfigureFipFsTextExtractionOverrides.ps1 -ExchangeServerNames ExchangeSrv01, ExchangeSrv02 -ConfigureOverride \"OutsideInModule\" -Action \"Block\"\n

This syntax restores the configuration.xml from the backup that was created by a previous run of the script on the Exchange server where the script was executed.

.\\ConfigureFipFsTextExtractionOverrides.ps1 -Rollback\n
"},{"location":"Security/ConfigureFipFsTextExtractionOverrides/#parameters","title":"Parameters","text":"Parameter Description ExchangeServerNames A list of Exchange servers that you want to run the script against. SkipExchangeServerNames A list of Exchange servers that you don't want to execute the configuration action. ConfigureOverride A list of file types that should be allowed to be processed by the OutsideInModule. The following input can be used: XlsbOfficePackage, XlsmOfficePackage, XlsxOfficePackage, ExcelStorage, DocmOfficePackage, DocxOfficePackage, PptmOfficePackage, PptxOfficePackage, WordStorage, PowerPointStorage, VisioStorage, Rtf, Xml, OdfTextDocument, OdfSpreadsheet, OdfPresentation, OneNote, Pdf, Html, AutoCad, Jpeg, Tiff.If you want to enable the previous version of the OutsideInModule (8.5.3) to process file types, you must specify OutsideInModule as file type. Note that the OutsideInModule value cannot be used together with other file type values.The input is case-sensitive. Action String parameter to define the action that should be performed. Input can be Allow or Block. The default value is: Block Rollback Switch parameter to restore the configuration.xml that was backed-up during a previous run of the script. ScriptUpdateOnly Switch parameter to only update the script without performing any other actions. SkipVersionCheck Switch parameter to skip the automatic version check and script update."},{"location":"Security/EOMT/","title":"Exchange On-premises Mitigation Tool (EOMT)","text":"

Download the latest release: EOMT.ps1

This script contains mitigations to help address the following vulnerabilities.

  • CVE-2021-26855

This is the most effective way to help quickly protect and mitigate your Exchange Servers prior to patching. We recommend this script over the previous ExchangeMitigations.ps1 script. The Exchange On-premises Mitigation Tool automatically downloads any dependencies and runs the Microsoft Safety Scanner. This a better approach for Exchange deployments with Internet access and for those who want an attempt at automated remediation. We have not observed any impact to Exchange Server functionality via these mitigation methods. EOMT.ps1 is completely automated and uses familiar mitigation methods previously documented. This script has four operations it performs:

  • +NEW Check for the latest version of EOMT and download it.
  • Mitigate against current known attacks using CVE-2021-26855 via a URL Rewrite configuration
  • Scan the Exchange Server using the Microsoft Safety Scanner
  • Attempt to remediate compromises detected by the Microsoft Safety Scanner.

This a better approach for Exchange deployments with Internet access and for those who want an attempt at automated remediation. We have not observed any impact to Exchange Server functionality via these mitigation methods nor do these mitigation methods make any direct changes that disable features of Exchange.

Use of the Exchange On-premises Mitigation Tool and the Microsoft Safety Scanner are subject to the terms of the Microsoft Privacy Statement: https://aka.ms/privacy

"},{"location":"Security/EOMT/#requirements-to-run-the-exchange-on-premises-mitigation-tool","title":"Requirements to run the Exchange On-premises Mitigation Tool","text":"
  • External Internet Connection from your Exchange server (required to download the Microsoft Safety Scanner and the IIS URL Rewrite Module).
  • PowerShell script must be run as Administrator.
"},{"location":"Security/EOMT/#system-requirements","title":"System Requirements","text":"
  • PowerShell 3 or later
  • IIS 7.5 and later
  • Exchange 2013, 2016, or 2019
  • Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019
  • +New If Operating System is older than Windows Server 2016, must have KB2999226 for IIS Rewrite Module 2.1 to work.
"},{"location":"Security/EOMT/#who-should-run-the-exchange-on-premises-mitigation-tool","title":"Who should run the Exchange On-premises Mitigation Tool","text":"Situation Guidance If you have done nothing to date to patch or mitigate this issue\u2026 Run EOMT.PS1 as soon as possible.This will both attempt to remediate as well as mitigate your servers against further attacks. Once complete, follow patching guidance to update your servers on http://aka.ms/exchangevulns If you have mitigated using any/all of the mitigation guidance Microsoft has given (ExchangeMitigations.Ps1, Blog post, etc..) Run EOMT.PS1 as soon as possible. This will both attempt to remediate as well as mitigate your servers against further attacks. Once complete, follow patching guidance to update your servers on http://aka.ms/exchangevulns If you have already patched your systems and are protected, but did NOT investigate for any adversary activity, indicators of compromise, etc\u2026. Run EOMT.PS1 as soon as possible. This will attempt to remediate any existing compromise that may not have been full remediated before patching. If you have already patched and investigated your systems for any indicators of compromise, etc\u2026. No action is required"},{"location":"Security/EOMT/#important-note-regarding-microsoft-safety-scanner","title":"Important note regarding Microsoft Safety Scanner","text":"

The Exchange On-premises Mitigation Tool runs the Microsoft Safety Scanner in a quick scan mode. If you suspect any compromise, we highly recommend you run it in the FULL SCAN mode. FULL SCAN mode can take a long time but if you are not running Microsoft Defender AV as your default AV, FULL SCAN will be required to remediate threats.

"},{"location":"Security/EOMT/#exchange-on-premises-mitigation-tool-examples","title":"Exchange On-premises Mitigation Tool Examples","text":"

The default recommended way of using EOMT.ps1. This will determine if your server is vulnerable, mitigate if vulnerable, and run MSERT in quick scan mode. If the server is not vulnerable only MSERT quick scan will run.

.\\EOMT.ps1

To run a Full MSERT Scan - We only recommend this option only if the initial quick scan discovered threats. The full scan may take hours or days to complete.

.\\EOMT.ps1 -RunFullScan -DoNotRunMitigation

To run the Exchange On-premises Mitigation Tool with MSERT in detect only mode - MSERT will not remediate detected threats.

.\\EOMT.ps1 -DoNotRemediate

To roll back the Exchange On-premises Mitigation Tool mitigations

.\\EOMT.ps1 -RollbackMitigation

Note: If ExchangeMitigations.ps1 was used previously to apply mitigations, Use ExchangeMitigations.ps1 for rollback.

+NEW EOMT will now AutoUpdate by downloading the latest version from GitHub. To prevent EOMT from fetching updates to EOMT.ps1 from the internet.

.\\EOMT.ps1 -DoNotAutoUpdateEOMT

"},{"location":"Security/EOMT/#exchange-on-premises-mitigation-tool-q-a","title":"Exchange On-premises Mitigation Tool Q & A","text":"

Question: What mode should I run EOMT.ps1 in by default?

Answer: By default, EOMT.ps1 should be run without any parameters:

This will run the default mode which does the following: 1. Checks if your server is vulnerable based on the presence of the SU patch or Exchange version. 2. Downloads and installs the IIS URL rewrite tool (only if vulnerable). 3. Applies the URL rewrite mitigation (only if vulnerable). 4. Runs the Microsoft Safety Scanner in \"Quick Scan\" mode (vulnerable or not).

Question: What if I run a full scan and it's affecting the resources of my servers?

Answer: You can terminate the process of the scan by running the following command in an Administrative PowerShell session.

Stop-Process -Name msert

Question: What is the real difference between this script (EOMT.PS1) and the previous script Microsoft released (ExchangeMitigations.Ps1).

Answer: The Exchange On-premises Mitigation Tool was released to help pull together multiple mitigation and response steps, whereas the previous script simply enabled mitigations. Some details on what each do:

"},{"location":"Security/EOMT/#eomtps1","title":"EOMT.PS1","text":"
  • Mitigation of CVE-2021-26855 via a URL Rewrite configuration.
  • Mitigation does not impact Exchange functionality.
  • Malware scan of the Exchange Server via the Microsoft Safety Scanner
  • Attempt to reverse any changes made by identified threats.
"},{"location":"Security/EOMT/#exchangemitigationsps1","title":"ExchangeMitigations.ps1:","text":"
  • Does mitigations for all 4 CVE's - CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 & CVE-2021-26858.
  • Some of the mitigation methods impact Exchange functionality.
  • Does not do any scanning for existing compromise or exploitation.
  • Does not take response actions to existing active identified threats.

Question: What if I do not have an external internet connection from my Exchange server?

Answer: If you do not have an external internet connection, you can still use the legacy script (ExchangeMitigations.ps1) and other steps from the mitigation blog post: Microsoft Exchange Server Vulnerabilities Mitigations \u2013 March 2021

Question: If I have already ran the mitigations previously, will the Exchange On-premises Mitigation Tool roll back any of the mitigations?

Answer: No, please use the legacy script (ExchangeMitigations.ps1) to do rollback. The legacy script supports rollback for the mitigations the Exchange On-premises Mitigation Tool applied.

"},{"location":"Security/EOMTv2/","title":"Exchange On-premises Mitigation Tool v2 (EOMTv2)","text":"

Please read carefully

The vulnerability addressed by this mitigation script has been addressed in latest Exchange Server Security Updates (starting with November 2022 SU). Mitigations can become insufficient to protect against all variations of an attack. Thus, installation of an applicable SU is the only way to protect your servers. Once you install the updates, you can rollback the mitigation as described in the Exchange On-premises Mitigation Tool v2 Examples section.

Download the latest release: EOMTv2.ps1

The Exchange On-premises Mitigation Tool v2 script (EOMTv2.ps1) can be used to mitigate CVE-2022-41040. This script does the following:

  • Check for the latest version of EOMTv2.ps1 and download it.
  • Mitigate against current known attacks using CVE-2022-41040 via a URL Rewrite configuration

Use of the Exchange On-premises Mitigation Tool v2 is subject to the terms of the Microsoft Privacy Statement: https://aka.ms/privacy

"},{"location":"Security/EOMTv2/#requirements-to-run-the-exchange-on-premises-mitigation-tool-v2","title":"Requirements to run the Exchange On-premises Mitigation Tool v2","text":"
  • PowerShell 3 or later
  • PowerShell script must be run as Administrator.
  • IIS 7.5 and later
  • Exchange 2013 Client Access Server role, Exchange 2016 Mailbox role, or Exchange 2019 Mailbox role
  • Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019
  • If Operating System is older than Windows Server 2016, must have KB2999226 for IIS Rewrite Module 2.1 to work.
  • [Optional] External Internet Connection from your Exchange server (required to update the script and install IIS URL rewrite module).

NOTE: The script has to be executed individually for each server.

"},{"location":"Security/EOMTv2/#exchange-on-premises-mitigation-tool-v2-examples","title":"Exchange On-premises Mitigation Tool v2 Examples","text":"

The default recommended way of using EOMTv2.ps1. This will apply the URL rewrite mitigation. If IIS URL rewrite module is not installed, this will also download and install the module.

.\\EOMTv2.ps1\n

To roll back EOMTv2 mitigations run

.\\EOMTv2.ps1 -RollbackMitigation\n
"},{"location":"Security/ExchangeExtendedProtectionManagement/","title":"ExchangeExtendedProtectionManagement","text":"

Download the latest release: ExchangeExtendedProtectionManagement.ps1

The Exchange Extended Protection Management is a script to help automate the Extended Protection feature on the Windows Authentication Module on Exchange Servers. Prior to configuration, it validates that all servers that we are trying to enable Extended Protection on and the servers that already have Extended Protection enabled have the same TLS settings and other prerequisites that are required for Extended Protection to be enabled successfully.

Tip

The Exchange Server Extended Protection documentation can be found on the Microsoft Learn platform: Configure Windows Extended Protection in Exchange Server

"},{"location":"Security/ExchangeExtendedProtectionManagement/#requirements","title":"Requirements","text":"

The user must be in Organization Management and must run this script from an elevated Exchange Management Shell (EMS) command prompt.

"},{"location":"Security/ExchangeExtendedProtectionManagement/#how-to-run","title":"How To Run","text":""},{"location":"Security/ExchangeExtendedProtectionManagement/#examples","title":"Examples:","text":"

This syntax will process the prerequisites check only against the servers that you provided. This will execute the same checks as if you were attempting to configure Extended Protection.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -PrerequisitesCheckOnly\n

This syntax enables Extended Protection on all Exchange Servers that are online that we can reach.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1\n

This syntax enables Extended Protection on only the Exchange Servers specified in the -ExchangeServerNames parameter. However, TLS checks will still occur against all servers, and the script will confirm that the TLS settings are correct on all servers with Extended Protection enabled and all servers specified in the -ExchangeServerNames parameter.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -ExchangeServerNames <Array_of_Server_Names>\n

This syntax enables Extended Protection on all Exchange Servers that are online that we can reach, excluding any servers specified in the -SkipExchangeServerNames parameter. As above, TLS checks will still occur against all servers, and the script will confirm that the TLS settings are correct on all servers with Extended Protection enabled and all servers being enabled.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -SkipExchangeServerNames <Array_of_Server_Names>\n

This syntax collects the possible IP addresses to be used for the IP restriction for a virtual directory. Plus the location to store the file.

NOTE: This is only to assist you with the IP collections. You must verify the list to make sure it is accurate and contains all the required IP addresses.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -FindExchangeServerIPAddresses -OutputFilePath \"C:\\temp\\ExchangeIPs.txt\"\n

This syntax will enable Extended Protection for all virtual directories and set EWS Backend virtual directory to None and then proceed to set IP restriction for the EWS Backend virtual directory for all servers online, while providing the IP address list.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -RestrictType \"EWSBackend\" -IPRangeFilePath \"C:\\temp\\ExchangeIPs.txt\"\n

This syntax will verify the IP restrictions for the EWS Backend virtual directory.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -ValidateType \"RestrictTypeEWSBackend\" -IPRangeFilePath \"C:\\temp\\ExchangeIPs.txt\"\n

This syntax rolls back the Extended Protection configuration for all the Exchange Servers that are online where Extended Protection was previously configured.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -RollbackType \"RestoreConfiguration\"\n

This syntax rolls back the Extended Protection configuration for all the Exchange Servers that are online where Extended Protection was previously configured.

NOTE

This is done by restoring the applicationHost.config file back to the previous state before Extended Protection was configured. If other changes occurred after this configuration, those changes will be lost.

NOTE

This is a legacy version of the restore process and is no longer supported. You can still attempt to restore, if the configuration file is detected and is less than 30 days old if a configuration was done with a pervious version of the script. Moving forward, the applicationHost.config file is no longer being used as a backup to restore from. The RestoreConfiguration is the supported replacement.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -RollbackType \"RestoreIISAppConfig\"\n

This syntax rolls back the Extended Protection mitigation of IP restriction for the EWS Backend virtual directory of all the Exchange Server that are online where Extended Protection was previously configured.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -RollbackType \"RestrictTypeEWSBackend\"\n

This syntax displays the current Extended Protection configuration for all the Exchange Servers that are online.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection\n

This syntax will disable Extended Protection configuration for all the Exchange Servers that are online by setting the value at all current configuring locations to None.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -DisableExtendedProtection\n
"},{"location":"Security/ExchangeExtendedProtectionManagement/#parameters","title":"Parameters","text":"Parameter Description ExchangeServerNames A list of servers to pass that you want to run the script against. This can be used for configuration or rollback. SkipExchangeServerNames A list of server to pass that you don't want to execute the script for configuration or rollback. PrerequisitesCheckOnly Run the required prerequisites check for the passed server list to know if configuration can be attempted. ShowExtendedProtection Show the current configuration of Extended Protection for the passed server list. ExcludeVirtualDirectories Used to not enable Extended Protection on particular virtual directories. The following values are allowed: EWSFrontEnd. FindExchangeServerIPAddresses Use this to collect a list of the Exchange Server IPs that should be used for IP Restriction. OutputFilePath Is a custom file path to be used to export the list of Exchange Server IPs collected from FindExchangeServerIPAddresses. Default value is the local location IPList.txt. IPRangeFilePath Is the path to the file that contains all the IP Addresses or subnets that are needed to be in the IP Allow list for Mitigation. RestrictType To enable a IP Restriction on a virtual directory. Must be used with IPRangeFilePath. The following values are allowed: EWSBackend ValidateType To verify if the IP Restrictions have been applied correctly. Must be used with IPRangeFilePath. The following values are allowed: RestrictTypeEWSBackend RollbackType Using this parameter will allow you to rollback using the type you specified. The following values are allowed: RestoreIISAppConfig, RestrictTypeEWSBackend, RestoreConfiguration DisableExtendedProtection Using this parameter will disable extended protection for the servers you specify. This is done by setting all the configured locations back to None regardless of what the original value was set to prior to configuration or if it was enabled by default. SkipAutoUpdate Skips over the Auto Update feature to download the latest version of the script."},{"location":"Security/ExchangeMitigations/","title":"ExchangeMitigations","text":"

Download the latest release: ExchangeMitigations.ps1

This script contains 4 mitigations to help address the following vulnerabilities:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-27065
  • CVE-2021-26858

For more information on each mitigation please visit https://aka.ms/exchangevulns

This should only be used as a temporary mitigation until your Exchange Servers can be fully patched, recommended guidance is to apply all of the mitigations at once.

For this script to work you must have the IIS URL Rewrite Module installed which can be done via this script using the -FullPathToMSI parameter.

For IIS 10 and higher URL Rewrite Module 2.1 must be installed, you can download version 2.1 here:

  • x86 & x64 -https://www.iis.net/downloads/microsoft/url-rewrite

For IIS 8.5 and lower Rewrite Module 2.0 must be installed, you can download version 2.0 here:

  • x86 - https://www.microsoft.com/en-us/download/details.aspx?id=5747

  • x64 - https://www.microsoft.com/en-us/download/details.aspx?id=7435

Installing URL Rewrite version 2.1 on IIS versions 8.5 and lower may cause IIS and Exchange to become unstable. If there is a mismatch between the URL Rewrite module and IIS version, ExchangeMitigations.ps1 will not apply the mitigation for CVE-2021-26855. You must uninstall the URL Rewrite module and reinstall the correct version.

Script requires PowerShell 3.0 and later and must be executed from an elevated PowerShell Session.

Download the latest release here:

Download ExchangeMitigations.ps1

To apply all mitigations with MSI install

.\\ExchangeMitigations.ps1 -FullPathToMSI \"FullPathToMSI\" -WebSiteNames \"Default Web Site\" -ApplyAllMitigations

To apply all mitigations without MSI install

.\\ExchangeMitigations.ps1 -WebSiteNames \"Default Web Site\" -ApplyAllMitigations -Verbose

To rollback all mitigations

.\\ExchangeMitigations.ps1 -WebSiteNames \"Default Web Site\" -RollbackAllMitigation

To apply multiple or specific mitigations (out of the 4)

.\\ExchangeMitigations.ps1 -WebSiteNames \"Default Web Site\" -ApplyECPAppPoolMitigation -ApplyOABAppPoolMitigation

To rollback multiple or specific mitigations

.\\ExchangeMitigations.ps1 -WebSiteNames \"Default Web Site\" -RollbackECPAppPoolMitigation -RollbackOABAppPoolMitigation

"},{"location":"Security/Extended-Protection/","title":"Exchange Server Support for Windows Extended Protection","text":"

Documentation Moved

This documentation has been moved to Microsoft Learn. Please read Configure Windows Extended Protection in Exchange Server for more information.

"},{"location":"Security/Test-CVE-2021-34470/","title":"Test-CVE-2021-34470","text":"

Download the latest release: Test-CVE-2021-34470.ps1

Environments running supported versions of Exchange Server should address CVE-2021-34470 by applying the CU and/or SU for the respective versions of Exchange, as described in Released: July 2021 Exchange Server Security Updates.

Environments where the latest version of Exchange Server is any version before Exchange 2013, or environments where all Exchange servers have been removed, can use this script to address the vulnerability.

"},{"location":"Security/Test-CVE-2021-34470/#examples","title":"Examples","text":"

Check for the vulnerability:

.\\Test-CVE-2021-34470.ps1

Fix the vulnerability if found:

.\\Test-CVE-2021-34470.ps1 -ApplyFix

Note that the user must be a Schema Admin to use the -ApplyFix switch.

"},{"location":"Security/Test-ProxyLogon/","title":"Test-ProxyLogon.ps1","text":"

Download the latest release: Test-ProxyLogon.ps1

Formerly known as Test-Hafnium, this script automates all four of the commands found in the Hafnium blog post. It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster.

"},{"location":"Security/Test-ProxyLogon/#usage","title":"Usage","text":"

The most typical usage of this script is to check all Exchange servers and save the reports, by using the following syntax from Exchange Management Shell:

Get-ExchangeServer | .\\Test-ProxyLogon.ps1 -OutPath $home\\desktop\\logs

To check the local server only, just run the script:

.\\Test-ProxyLogon.ps1 -OutPath $home\\desktop\\logs

To check the local server and copy the identified logs and files to the OutPath:

.\\Test-ProxyLogon.ps1 -OutPath $home\\desktop\\logs -CollectFiles

To display the results without saving them, pass -DisplayOnly:

.\\Test-ProxyLogon.ps1 -DisplayOnly

"},{"location":"Security/Test-ProxyLogon/#frequently-asked-questions","title":"Frequently Asked Questions","text":"

The script says it found suspicious files, and it lists a bunch of zip files. What does this mean?

The script will flag any zip/7x/rar files that it finds in ProgramData. As noted in this blog post, web shells have been observed using such files for exfiltration. An administrator should review the files to determine if they are valid. Determining if a zip file is a valid part of an installed product is outside the scope of this script, and whitelisting files by name would only encourage the use of those specific names by attackers.

I'm having trouble running the script on Exchange 2010.

If PowerShell 3 is present, the script can be run on Exchange 2010. It will not run-on PowerShell 2. One can also enable PS Remoting and run the script remotely against Exchange 2010. However, the script has minimal functionality in these scenarios, as Exchange 2010 is only affected by one of the four announced exploits - CVE-2021-26857. Further, this exploit is only available if the Unified Messaging role is present. As a result, it is often easier to simply run the Get-EventLog command from the blog post, rather than using Test-ProxyLogon.

"},{"location":"Security/CVE-2023-23397/","title":"CVE-2023-23397 script","text":"

Download the latest release: CVE-2023-23397.ps1

CVE-2023-23397.ps1 is a script that checks Exchange messaging items (mail, calendar and tasks) to see whether a property is populated with a non empty string value. It is up to the admin to determine if the value is malicious or not. If required, admins can use this script to clean up the property for items that are malicious or even delete the items permanently. Please see CVE-2023-23397 for more information.

There are two modes for the script: Audit and Cleanup.

Audit Mode: Script provides a CSV file with details of items that have the property populated.

Cleanup Mode: Script performs cleanup on detected items by either clearing the property or deleting the item.

"},{"location":"Security/CVE-2023-23397/#steps-to-run-the-script","title":"Steps to run the script:","text":"
  1. Fulfill the requirements according to environment (i.e. On-Premises or Online)

  2. Run the script in audit mode.

    For organizations with large number of mailboxes: It is recommended to break up the mailbox list into multiple files, so the script can be run against mailboxes in batches. Here is an example of how to break up the mailboxes into batches of 1000:

    $batchSize = 1000; $batchNumber = 1; $count = 0; Get-Mailbox -ResultSize Unlimited | Select PrimarySmtpAddress | % {\n  if ($count++ -ge $batchSize) { $batchNumber++; $count = 0; }\n  Export-Csv -InputObject $_ -Path \"Batch$batchNumber.csv\" -Append\n}\n\n# Then run against the batches similar to this:\nImport-Csv .\\BatchFileName.csv | .\\CVE-2023-23397.ps1 -Environment Online\n

  3. If the script execution finishes with \"No vulnerable item found\", no further action is required.

  4. If step 2 generates CSV files, review the CSV file; if you find suspicious thing, then go to 5. If you only see blank things or paths to old .wav files, no need to go to step 5.
  5. If you got suspected entries in CSV file, run the script in Cleanup mode
"},{"location":"Security/CVE-2023-23397/#requirements","title":"Requirements","text":""},{"location":"Security/CVE-2023-23397/#prerequisites-to-run-the-script-for-exchange-server-on-premises","title":"Prerequisites to run the script for Exchange Server (on-premises)","text":"

To run this script in an on-premises Exchange Server environment, you need to use an account with the ApplicationImpersonation management role. You can create a new role group with the required permissions by running the following PowerShell command in an elevated Exchange Management Shell (EMS):

New-RoleGroup -Name \"CVE-2023-23397-Script\" -Roles \"ApplicationImpersonation\" -Description \"Permission to run the CVE-2023-23397 script\"\nAdd-RoleGroupMember -Identity \"CVE-2023-23397-Script\" -Member \"<UserWhoRunsTheScript>\"\n
The script uses Exchange Web Services (EWS) to fetch items from user mailboxes. So, the machine on which the script is run should be able to make EWS calls to your Exchange server.

You can also create a new Throttling Policy to prevent the user who runs the script from being throttled. Make sure to revert the throttling policy after you're done running the script.

Please note that this is for Exchange on-premises environments only.

New-ThrottlingPolicy \"CVE-2023-23397-Script\"\nSet-ThrottlingPolicy \"CVE-2023-23397-Script\" -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -CPAMaxConcurrency Unlimited -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsRechargeRate Unlimited\nSet-Mailbox -Identity \"<UserWhoRunsTheScript>\" -ThrottlingPolicy \"CVE-2023-23397-Script\"\n
"},{"location":"Security/CVE-2023-23397/#prerequisites-to-run-the-script-for-exchange-online","title":"Prerequisites to run the script for Exchange Online","text":"

To run this script in an Exchange Online environment, you need to be a Global Administrator or an Application Administrator. The script will create an application with full access permission on all the mailboxes.

Furthermore it is possible to use a certificate to run the script in Audit and Cleanup mode. This is called Certificate Based Authentication (CBA). The steps are outlined in the FAQ section.

NOTE: The script uses Microsoft.Exchange.WebServices.dll to make EWS calls. The script will try to download the DLL and use it. However, if it is unable to, you will need to download the DLL and specify the path.

"},{"location":"Security/CVE-2023-23397/#steps-to-download-microsoftexchangewebservicesdll","title":"Steps to Download Microsoft.Exchange.WebServices.dll:","text":"
  • Download the nuget package from NuGet Gallery | Microsoft.Exchange.WebServices.2.2.0
  • Change the extension of the file from .nupkg to .zip
  • Unzip the package.
  • Use the dll present at \"\\lib\\40\" location in the package
  • Provide the path to the DLL for the -DLLPath parameter when running the script.
"},{"location":"Security/CVE-2023-23397/#how-to-run","title":"How To Run","text":""},{"location":"Security/CVE-2023-23397/#script-parameters","title":"Script Parameters","text":"

The script accepts the following parameters:

Parameter Description Environment Specify the environment where you are running the script. This parameter is required. CreateAzureApplication Use this parameter to create an Azure AD application that can be used for running the script in Exchange Online. DeleteAzureApplication Use this parameter to delete the Azure AD application. UserMailboxes Use this parameter to provide a list of user primary SMTP addresses. You can pipe the addresses while running. This parameter is required in Audit mode. StartTimeFilter Use this parameter to provide start time filter. (Format: \"mm/dd/yyyy hh:mm:ss\") EndTimeFilter Use this parameter to provide end time filter. (Format: \"mm/dd/yyyy hh:mm:ss\") CleanupAction Use this parameter to provide type of cleanup action you want to perform (ClearProperty/ClearItem). CleanupInfoFilePath Use this parameter to provide path to the CSV file containing the details of messages to be cleaned up. EWSExchange2013 Use this switch if you are running on Exchange Server 2013 mailboxes. DLLPath Provide the path to Microsoft.Exchange.WebServices.dll. This is an optional parameter. AzureApplicationName Provide the name of the application which the script should create. This is an optional parameter. The default name is CVE-2023-23397Application. CertificateThumbprint Provide the thumbprint of the certificate which was uploaded to the Azure application. The certificate must exist under the 'Cert:\\CurrentUser\\My' path on the machine. It can only be used if the private key exists and is accessible. AppId Provide the ID of the application which was created in Azure and which is required to run the script in audit or cleanup mode. The ID can be found within the Azure application under 'Overview' and is labeled as: 'Application (client) ID'. If you don't specify this parameter but specify the CertificateThumbprint parameter, the script will ask you to logon to query the required information. Organization Provide the ID of your organization. It can be provided in GUID format or by using your onmicrosoft.com domain. If you don't specify this parameter but specify the CertificateThumbprint parameter, the script will ask you to logon to query the required information. AzureEnvironment Provide the Azure Environment name. This is an optional parameter. The default value is Global. MaxCSVLength Provide the maximum number of rows the script should create in the CSV while running in Audit mode. This is an optional parameter. The default is 200,000. EWSServerURL Provide the EWS endpoint. If not provided, the script will make an Autodiscover call to get it. This parameter works only with Exchange Server. ScriptUpdateOnly This optional parameter allows you to only update the script without performing any other actions. SkipVersionCheck This optional parameter allows you to skip the automatic version check and script update. IgnoreCertificateMismatch This optional parameter lets you ignore TLS certificate mismatch errors. Credential This optional parameter lets you pass admin credentials when running on Exchange Server. UseSearchFolders This parameter causes the script to use deep-traversal search folders, significantly improving performance. SearchFolderCleanup This parameter cleans up any search folders left behind by the asynchronous search feature. It must be used together with the UseSearchFolders parameter. SkipSearchFolderCreation This parameter skips the creation of search folders. It must be used together with the UseSearchFolders parameter. TimeoutSeconds This optional parameter specifies the timeout on the EWS ExchangeService object. The default is 300 seconds (5 minutes)."},{"location":"Security/CVE-2023-23397/#set-exchange-online-cloud-specific-values","title":"Set Exchange Online Cloud Specific values:","text":"

You can use the AzureEnvironment parameter to specify the cloud against which the script runs. By default, the script will run against the Global (worldwide) service. Supported values are:

AzureEnvironment Cloud Environment Name Global AzureCloud WW USGovernmentL4 AzureUSGovernment GCC USGovernmentL5 AzureUSGovernment DOD ChinaCloud AzureChinaCloud Office365 operated by 21Vianet"},{"location":"Security/CVE-2023-23397/#running-against-exchange-server-on-premises-mailboxes","title":"Running Against Exchange Server (On-Premises) Mailboxes","text":""},{"location":"Security/CVE-2023-23397/#audit-mode","title":"Audit Mode:","text":"

Execute the script in audit mode as an admin with the ApplicationImpersonation management role. For scanning on-premises mailboxes, the Environment value should be \"Onprem\" and you should provide the EWS URL of your Exchange server in EWSServerURL property. The script will ask for a login prompt, and the username must be provided.

Note

The username which is passed to the script, must be specified in the UPN format where the domain-part is a domain accepted by the Exchange Server.

Optionally, you can use the Credential flag to provide admin credentials in PSCredential format. Set the EWSServerURL parameter to specify the EWS URL if the Autodiscover call fails.

"},{"location":"Security/CVE-2023-23397/#examples","title":"Examples:","text":"

This syntax runs the script to audit all the mailboxes.

PS C:\\> Get-Mailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Onprem\n

Note: If there are Exchange 2013 servers in the environment with Exchange 2016 or 2019, the script may not be able to open mailboxes on Exchange 2013 and may give the following error:

If the above error appears, run the script with an additional parameter EWSExchange2013, as shown below.

PS C:\\> Get-Mailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Onprem -EWSExchange2013\n

This syntax runs the script to audit all mailboxes for items that were created during a specific period.

PS C:\\> Get-Mailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Onprem -StartTimeFilter \"01/01/2023 00:00:00\" -EndTimeFilter \"01/01/2024 00:00:00\"\n
"},{"location":"Security/CVE-2023-23397/#cleanup-mode","title":"Cleanup Mode:","text":"

The script provides a list of all the messages containing the problematic property in the mailboxes of users specified in an AuditResult_timestamp.CSV file. Admins should analyze this file and mark (with a \"Y\") messages for which either the property is to be cleaned or the message must be removed.

Step 1 Mark the messages for cleanup by entering \"Y\" instead of \"N\" in the cleanup column of CSV file.

Step 2 Choose either to remove the message or only the problematic property in the next step by specifying CleanupAction as \"ClearItem\" or \"ClearProperty.\" Execute the script as follows to remove the message or property marked with Y in the CSV file.

"},{"location":"Security/CVE-2023-23397/#examples_1","title":"Examples:","text":"

This syntax runs the script to clear the problematic property from messages:

PS C:\\> .\\CVE-2023-23397.ps1 -Environment Onprem -CleanupAction ClearProperty -CleanupInfoFilePath <Path to modified CSV>\n

This syntax runs the script to delete messages containing the malicious property

PS C:\\> .\\CVE-2023-23397.ps1 -Environment Onprem -CleanupAction ClearItem -CleanupInfoFilePath <Path to modified CSV>\n
"},{"location":"Security/CVE-2023-23397/#running-against-exchange-online-mailboxes","title":"Running Against Exchange Online Mailboxes","text":"

First, execute the script in Audit mode as an admin with Global Administrator or Application Administrator role. For scanning online mailboxes, the Environment parameter should be \"Online.\"

While scanning Exchange Online mailboxes, the script needs an Azure AD app that has delegate permissions for all Exchange Online mailboxes. You can create the application using the script. And once the application is no longer required, you can delete the application using the script as well.

"},{"location":"Security/CVE-2023-23397/#managing-azureadapplication","title":"Managing AzureADApplication:","text":""},{"location":"Security/CVE-2023-23397/#examples_2","title":"Examples:","text":"

This syntax runs the script to create an Azure application

PS C:\\> .\\CVE-2023-23397.ps1 -CreateAzureApplication\n

This syntax runs the script to delete the Azure application created by the script

PS C:\\> .\\CVE-2023-23397.ps1 -DeleteAzureApplication\n
"},{"location":"Security/CVE-2023-23397/#audit-mode_1","title":"Audit Mode:","text":""},{"location":"Security/CVE-2023-23397/#examples_3","title":"Examples:","text":"

This syntax runs the script to Audit all mailboxes in Exchange Online.

NOTE: Connect to EXO with Exchange Online PowerShell session

PS C:\\> Get-EXOMailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment \"Online\"\n

This syntax runs the script to Audit all mailboxes for items that were during a specific period.

PS C:\\> Get-EXOMailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment \"Online\" -StartTimeFilter \"01/01/2023 00:00:00\" -EndTimeFilter \"01/01/2024 00:00:00\"\n

This syntax runs the script to Audit all mailboxes by using a certificate to authenticate and using the improved SearchFolder functionality.

PS C:\\> Get-EXOMailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Online -CertificateThumbprint <Thumbprint of the certificate> -AppId <Application Id of the 'CVE-2023-23397Application' app> -Organization contoso.onmicrosoft.com -UseSearchFolders\n
"},{"location":"Security/CVE-2023-23397/#cleanup-mode_1","title":"Cleanup Mode:","text":""},{"location":"Security/CVE-2023-23397/#examples_4","title":"Examples:","text":"

This syntax runs the script to clear the problematic property from messages.

PS C:\\> .\\CVE-2023-23397.ps1 -Environment \"Online\" -CleanupAction ClearProperty -CleanupInfoFilePath <Path to modified CSV>\n

This syntax runs the script to delete messages containing the problematic property.

PS C:\\> .\\CVE-2023-23397.ps1 -Environment \"Online\" -CleanupAction ClearItem -CleanupInfoFilePath <Path to modified CSV>\n

This syntax runs the script to delete messages containing the problematic property. It uses a certificate to acquire the required tokens.

PS C:\\> .\\CVE-2023-23397.ps1 -Environment \"Online\" -CleanupAction ClearItem -CleanupInfoFilePath <Path to modified CSV> -CertificateThumbprint <Thumbprint of the certificate> -AppId <Application Id of the 'CVE-2023-23397Application' app> -Organization contoso.onmicrosoft.com\n
"},{"location":"Security/CVE-2023-23397/#script-execution-errors-and-troubleshooting","title":"Script execution errors and troubleshooting","text":""},{"location":"Security/CVE-2023-23397/#exchange-server-doesnt-support-the-requested-version","title":"Exchange Server doesn't support the requested version","text":"

If there are Exchange 2013 servers in an environment with Exchange 2016 or Exchange 2019, the script may not be able to open mailboxes on Exchange 2013 and may give the following error:

If the above error appears, run the script with the EWSExchange2013 parameter:

PS C:\\> Get-Mailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Onprem -EWSExchange2013\n
"},{"location":"Security/CVE-2023-23397/#blocked-autodiscover-redirection","title":"Blocked Autodiscover redirection","text":"

If Autodiscover fails due to a redirection error and the above error appears, provide the EWS URL using the EWSServerURL parameter.

"},{"location":"Security/CVE-2023-23397/#invalid-client-secret-provided","title":"Invalid client secret provided","text":"

While running the script in Exchange Online, you might see the above error intermittently. Re-running the script should resolve the issue. If it occurs frequently, then remove the Azure application you have created using -DeleteAzureApplication parameter and then recreate it using -CreateAzureApplication parameter.

"},{"location":"Security/CVE-2023-23397/#cannot-convert-the-microsoftexchangewebservicesdatawebcredentials","title":"\"Cannot convert the \"Microsoft.Exchange.WebServices.Data.WebCredentials\"","text":"

Incorrect link was provided to download Microsoft.Exchange.WebServices.dll originally that is causing this issue. Follow these steps to correct this problem.

  • Download the correct NuGet Gallery | Microsoft.Exchange.WebServices.2.2.0
  • Close PowerShell (CRITICAL)
  • Launch new PowerShell session
  • Run cmdlet again with providing new dll path ( should be lib\\40\\Microsoft.Exchange.WebServices.dll)
"},{"location":"Security/CVE-2023-23397/#unable-to-connect-to-ews-endpoint-401-unauthorized-on-prem","title":"Unable to connect to EWS endpoint - 401 unauthorized - On Prem.","text":"

You are getting a 401 unauthorized when trying to provide the -EWSServerURL parameter to the script. The possible causes can be due to bad credentials provided or the URL endpoint is not working correctly. Try to provide the credentials again to start off with. If that doesn't work, does the URL work when using a browser? You should get a result like this:

If you don't get a response looking like this after you are prompted for a username and password, then this could be the problem. Try to see if either the FQDN, https://localhost/ews/exchange.asmx, or https://127.0.0.1/ews/exchange.asmx works instead. If one of those do, use that instead for the -EWSServerURL parameter.

NOTE: Make sure to include -IgnoreCertificateMismatch if using localhost or 127.0.0.1

"},{"location":"Security/CVE-2023-23397/FAQ/","title":"CVE-2023-23397 Frequently Asked Questions","text":""},{"location":"Security/CVE-2023-23397/FAQ/#what-is-the-usesearchfolders-feature","title":"What is the -UseSearchFolders feature?","text":"

This feature changes the way Audit mode works to be dramatically faster in most environments. The original approach searches folders synchronously one by one. When using the new switch, we perform two passes. In the first pass, we create a search folder that searches the whole mailbox. In the second pass, we collect the results. This often reduces the time to run the Audit mode by 80% or more.

To use the new feature, use the same syntax as before, but add -UseSearchFolders. For example:

NOTE: Connect to EXO with Exchange Online PowerShell session

Get-EXOMailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Online -UseSearchFolders\n

This switch only applies to Audit mode. Cleanup mode has no syntax changes. To take maximum advantage of the search folders, it's best to leave them in place until cleanup is done, so you can repeatedly and quickly search for any new items. After cleanup is completed, the search folders can be removed with:

Get-EXOMailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Online -UseSearchFolders -SearchFolderCleanup\n
"},{"location":"Security/CVE-2023-23397/FAQ/#what-is-the-relationship-of-exchange-server-march-2023-su-and-outlook-fix-for-cve-2023-23397","title":"What is the relationship of Exchange Server March 2023 SU and Outlook fix for CVE-2023-23397?","text":"

Those two updates are completely independent from each other. Exchange SUs address Exchange vulnerabilities and security improvements. We mentioned the Outlook\u00a0CVE-2023-23397 update in the Exchange March SU release to raise the awareness to our customers, as we know most use Outlook for Windows. Exchange March SU does not address CVE-2023-23397, you need to install Outlook update to address this vulnerability in Outlook.

"},{"location":"Security/CVE-2023-23397/FAQ/#does-the-account-running-the-script-need-to-be-part-of-organization-management","title":"Does the account running the script need to be part of Organization Management?","text":"

In OnPrem environments, the account running the script only needs the EWS Impersonation role, which is provided by adding that user to the group as described in the docs.

In Online environments, the account running the script in -CreateAzureApplication mode needs Global Admin role in order to create the Azure application used for impersonation.

"},{"location":"Security/CVE-2023-23397/FAQ/#in-onprem-does-the-script-need-to-be-executed-on-the-exchange-server","title":"In OnPrem, does the script need to be executed on the Exchange Server?","text":"

No, the script can be executed from a workstation. There are essentially two parts to running the script. First, we have to get a list of mailboxes. Second, we have to run the script against them. These steps do not necessarily need to be performed by the same user or on the same machine.

If we just want to run the script against a few users, the email addresses can be specified manually:

.\\CVE-2023-23397.ps1 -Environment OnPrem -UserMailboxes \"user1@contoso.com\", \"user2@contoso.com\"\n

For a large number of mailboxes, an Exchange Organization Administrator could create a CSV of mailboxes to process using a command like this:

Get-Mailbox -ResultSize Unlimited | Export-Csv .\\Mailboxes.csv\n

Then, the script could be run against the CSV file on a different machine by a different user using a command like this:

Import-Csv .\\Mailboxes.csv | .\\CVE-2023-23397.ps1 -Environment OnPrem\n
The default script execution appears to be limited to processing 1000 mailboxes, how to execute the script for more than 1000 mailboxes? You can use following steps to break up the mailboxes into multiple files, so the script can be run against mailboxes in batches. Here is an example of how to break up the mailboxes into batches of 1000:

$batchSize = 1000; $batchNumber = 1; $count = 0; Get-Mailbox -ResultSize Unlimited | Select PrimarySmtpAddress | % {\n  if ($count++ -ge $batchSize) { $batchNumber++; $count = 0; }\n  Export-Csv -InputObject $_ -Path \"Batch$batchNumber.csv\" -Append\n}\n
"},{"location":"Security/CVE-2023-23397/FAQ/#in-onprem-does-the-credential-parameter-need-to-be-upn-or-domainuser","title":"In OnPrem, does the -Credential parameter need to be UPN or domain\\user?","text":"

Either format can be used. However, by default, the script will attempt to use the username to perform Autodiscover. If Autodiscover does not work for your UPN, or if domain\\user is being specified, then Autodiscover can be skipped by providing the -EWSServerUrl parameter.

.\\CVE-2023-23397.ps1 -Environment OnPrem -EWSServerUrl \"https://exch1.contoso.com/EWS/Exchange.asmx\"\n
"},{"location":"Security/CVE-2023-23397/FAQ/#in-onprem-does-the-impersonation-account-need-to-have-a-mailbox","title":"In OnPrem, does the impersonation account need to have a mailbox?","text":"

The latest version of the script no longer requires the impersonation account to have a mailbox if running on Exchange 2016 or later. Exchange 2013 still requires that the impersonation user have a mailbox on prem.

"},{"location":"Security/CVE-2023-23397/FAQ/#why-does-my-output-file-contain-entries-with-empty-pidlidreminderfileparameter-column-or-reminderwav-is-this-an-issue","title":"Why does my output file contain entries with empty PidLidReminderFileParameter column or 'reminder.wav'. Is this an issue?","text":"

The search query is only determining if the property PidLidReminderFileParameter is set, including empty values is a set property. It is up to the admin to determine if they to take actions against this particular item.

NOTE: Script version 23.03.22.1926 and after only provide results for non-empty string values. So the columns should no longer be empty when running the audit mode.

"},{"location":"Security/CVE-2023-23397/FAQ/#why-does-my-output-file-only-contain-some-of-my-mailboxes-that-we-searched-against","title":"Why does my output file only contain some of my mailboxes that we searched against?","text":"

It will only export individual items that contain the PidLidReminderFileParameter properties set. If the mailbox doesn't have any items that contains this property, it will not be exported out.

"},{"location":"Security/CVE-2023-23397/FAQ/#why-does-my-output-file-contain-multiple-entries-for-the-same-mailbox","title":"Why does my output file contain multiple entries for the same mailbox?","text":"

For each individual item that does contain the PidLidReminderFileParameter property, it will be exported out with a item ID that is needed to possibly take action against.

"},{"location":"Security/CVE-2023-23397/FAQ/#what-are-the-required-steps-to-prepare-the-cve-2023-23397application-application-to-support-certificate-based-authentication-cba","title":"What are the required steps to prepare the 'CVE-2023-23397Application' application to support Certificate Based Authentication (CBA)","text":"

Step 1: Create the Azure application by running the script with the CreateAzureApplication. This step must be performed by someone who is Global Administrator or an Application Administrator.

Step 2: Generate a new self-signed certificate and export the public part:

$cert = New-SelfSignedCertificate -Subject $env:COMPUTERNAME -CertStoreLocation \"Cert:\\CurrentUser\\My\"\n$cert | Export-Certificate -FilePath MySelfSignedCertificate.cer\n$cert.Thumbprint\n

Important

The certificate must be kept confidential as it allows the owner to access the Azure application without further authentication.

Step 3: Upload the certificate to the CVE-2023-23397Application Azure application

Go to the Azure Active Directory and search for App registrations. Select the CVE-2023-23397Application application and go to Certificates & secrets. From here, select Certificates and click on Upload certificate. Select the MySelfSignedCertificate.cer file which was created in Step 2, add a descriptive description. Complete the process by clicking on Add.

The application is now ready for CBA.

"},{"location":"Setup/CopyMissingDlls/","title":"CopyMissingDlls","text":"

Download the latest release: CopyMissingDlls.ps1

This script is used to copy over missing dlls that might have occurred during a CU install. This script has a mapping of the location of where the .dll should be on the server and where it should be on the ISO and will attempt to copy it over if the file is detected to be missing on the install location.

Parameter Type Description IsoRoot string The Root location of the ISO. Example: D:"},{"location":"Setup/FixInstallerCache/","title":"FixInstallerCache","text":"

Download the latest release: FixInstallerCache.ps1

This script is used to copy over the missing MSI files from the installer cache.

Parameter Type Description CurrentCuRootDirectory string The root location of the current CU that you are on. MachineName string array One or more machine names from which to copy the required MSI files."},{"location":"Setup/Set-ExchAVExclusions/","title":"Set-ExchAVExclusions","text":"

Download the latest release: Set-ExchAVExclusions.ps1

The Script will assist in setting the Antivirus Exclusions according to our documentation for Microsoft Exchange Server.

AV Exclusions Exchange 2016/2019

AV Exclusions Exchange 2013

If you use Windows Defender you can Set the exclusions executing the script without parameters but if you have any other Antivirus solution you can get the full list of Expected Exclusions.

"},{"location":"Setup/Set-ExchAVExclusions/#requirements","title":"Requirements","text":""},{"location":"Setup/Set-ExchAVExclusions/#supported-exchange-server-versions","title":"Supported Exchange Server Versions:","text":"

The script can be used to validate the configuration of the following Microsoft Exchange Server versions: - Microsoft Exchange Server 2013 - Microsoft Exchange Server 2016 - Microsoft Exchange Server 2019

The server must have Microsoft Defender to set it and enable it to be effective.

"},{"location":"Setup/Set-ExchAVExclusions/#required-permissions","title":"Required Permissions:","text":"

Please make sure that the account used is a member of the Local Administrator group. This should be fulfilled on Exchange servers by being a member of the Organization Management group.

"},{"location":"Setup/Set-ExchAVExclusions/#how-to-run","title":"How To Run","text":"

This script must be run as Administrator in Exchange Management Shell on an Exchange Server. You do not need to provide any parameters and the script will set the Windows Defender exclusions for the local Exchange server.

If you want to get the full list of expected exclusions you should use the parameter ListRecommendedExclusions

You can export the Exclusion List with the parameter FileName

"},{"location":"Setup/Set-ExchAVExclusions/#parameters","title":"Parameters","text":"Parameter Description ListRecommendedExclusions Get the full list of expected exclusions without set. FileName Export the Exclusion List. SkipVersionCheck Skip script version verification. ScriptUpdateOnly Just update script version to latest one."},{"location":"Setup/Set-ExchAVExclusions/#examples","title":"Examples:","text":"

This will run Set-ExchAVExclusions Script against the local server.

.\\Set-ExchAVExclusions.ps1\n

This will run Set-ExchAVExclusions Script against the local server and show in screen the expected exclusions on screen without setting them.

.\\Set-ExchAVExclusions.ps1 -ListRecommendedExclusions\n

This will run Set-ExchAVExclusions Script against the local server and show in screen the expected exclusions on screen without setting them and write them in the defined FileName.

.\\Set-ExchAVExclusions.ps1 -ListRecommendedExclusions -FileName .\\Exclusions.txt\n

This will run Set-ExchAVExclusions Script against the local server and write them in the defined FileName.

.\\Set-ExchAVExclusions.ps1 -FileName .\\Exclusions.txt\n
"},{"location":"Setup/Set-ExchAVExclusions/#outputs","title":"Outputs","text":"

Exclusions List File: FileName

Log file: $PSScriptRoot\\SetExchAvExclusions.log

"},{"location":"Setup/SetupLogReviewer/","title":"SetupLogReviewer","text":"

Download the latest release: SetupLogReviewer.ps1

This script is meant to be run against the Exchange Setup Logs located at C:\\ExchangeSetupLogs\\ExchangeSetup.log. You can run this on the server, or on a personal computer.

It currently checks for common prerequisite issues, clearly calling out if you need up run /PrepareAD in your environment and calls out where it needs to be run. It also checks for some other common issue that we have seen in support that we call out and display the actions to the screen.

Parameter Description [string]SetupLog The location of the Exchange Setup Log that needs to be reviewed [switch]DelegatedSetup Use this switch if you are troubleshooting Prerequisites of a Delegated Setup issue"},{"location":"Setup/SetupAssist/","title":"SetupAssist","text":"

Download the latest release: SetupAssist.ps1

This script is meant to be run on the system where you are running setup from. It currently checks and displays the following when just running it:

  • Current Logged on User and SID
  • Are you running as an Administrator
  • Member of Domain Admins
  • Member of Schema Admins
  • Member of Enterprise Admins
  • Member of Organization Management
  • Current PowerShell Execution Policy setting
  • Checks to see if you are missing files in the installer cache (only checks to see if they are there, not if they are valid)
  • More than 1 powershell.exe process up and running
  • If reboot pending. (Add -Verbose to see where)
  • The current AD level of readiness for CU upgrading. Displays warnings if a mismatch is detected.

Additional Parameters are used for when they are called out from the SetupLogReviewer.ps1

Parameter Type Description OtherWellKnownObjects switch Tests for deleted objects in the otherWellKnownObjects attribute"},{"location":"Setup/SetupAssist/ComputersContainer/","title":"Computers container renamed or missing","text":"

When the CN=Computers container has been renamed or removed from the root of an Active Directory domain, /PrepareAD will fail for certain Cumulative Updates. Please see https://support.microsoft.com/help/5005319 for details.

"},{"location":"Setup/SetupAssist/InstallWatermark/","title":"Install Watermark","text":"

After a failed install attempt of Exchange, we can leave behind a watermark that then prevents you from trying to run setup again when trying use unattended mode. To get around this issue, run Setup.exe from the GUI and not the command line. From the GUI, it is able to detect that we had a watermark and tries to pick up where we left off. However, unattended mode fails in the prerequisites check section prior to running and the GUI skips over this section.

Warning

Do NOT remove the watermark from the registry as you will run into more setup issues trying to run steps the server already completed. Run setup from the GUI to allow setup to pick up where the watermark is set at.

"},{"location":"Setup/SetupAssist/ReadOnlyDomainControllerContainer/","title":"Read Only Domain Controller - Domain Controllers OU","text":"

A Read Only Domain Controller appears to be in the container other than CN=Domain Controllers. This will cause setup to fail if we attempt to domain prep that domain. The path to the RODC must be CN=DCName,CN=Domain Controllers....

"},{"location":"Setup/SetupAssist/RebootPending/","title":"Reboot Pending","text":"

It is best to reboot the server to address these issues. It may take some time after a reboot to have the keys automatically removed. However, if they don't remove automatically, follow these steps to address the issue for the keys that were provided to be a problem.

  • Open regedit to the desired location. Delete the key.
  • If unable to delete the key, follow these steps:
    • Right click on it
    • Open permissions
    • Click on Advanced
    • Change ownership to your account
    • Close Advanced window
    • Give your account Full Control in Permissions window
    • Delete the key

NOTE: With Component Based Servicing\\RebootPending you need to do the same for Component Based Servicing\\PackagesPending prior to RebootPending

NOTE: Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

"},{"location":"Transport/Compute-TopExoRecipientsFromMessageTrace/","title":"Compute-TopExoRecipientsFromMessageTrace","text":"

Download the latest release: Compute-TopExoRecipientsFromMessageTrace.ps1

This script aggregates message trace events hourly and generates a report with the top o365 recipients

"},{"location":"Transport/Compute-TopExoRecipientsFromMessageTrace/#parameters","title":"Parameters","text":"

-StartDate

The StartDate parameter specifies the end date of the date range

-EndDate

The EndDate parameter specifies the end date of the date range. It is recommended to limit the start-end date range to a range of hours. i.e. an ~ 5 to 7 hours.

-TimeoutAfter

The TimeoutAfter parameter specifies the number of minutes before the script stop working. This is to make sure that the script does not run for infinity. The default value is 30 minutes.

-Threshold

The Threshold parameter specifies the min threshold for the received limit. It is used to filter the hourly aggregation. The default value is 3600 messages.

"},{"location":"Transport/Compute-TopExoRecipientsFromMessageTrace/#examples","title":"Examples","text":"
$results = Compute-TopExoRecipientsFromMessageTrace -StartDate (Get-Date).AddHours(-7) -EndDate (Get-Date)\n
"},{"location":"Transport/Compute-TopExoRecipientsFromMessageTrace/#output","title":"Output","text":"

$results.TopRecipients : hourly report for top recipients over the threshold $results.HourlyReport : hourly aggregated message events without applying the threshold $results.MessageTraceEvents: all downloaded message trace events without aggregations

"},{"location":"Transport/ReplayQueueDatabases/","title":"ReplayQueueDatabases","text":"

Download the latest release: ReplayQueueDatabases.ps1

When Transport crashes, in some scenarios it will move the current queue database to Messaging.old- and create a new empty database. The old database is usually not needed, unless shadow redundancy was failing. In that case, it can be useful to drain the old queue file to recover those messages.

This script automates the process of replaying many old queue files created by a series of crashes.

"},{"location":"Transport/ReplayQueueDatabases/#syntax","title":"Syntax","text":"
ReplayQueueDatabases.ps1\n  [-MaxAgeInDays <int>]\n  [-RemoveDeliveryDelayedMessages]\n
"},{"location":"Transport/ReplayQueueDatabases/#parameters","title":"Parameters","text":"
-MaxAgeInDays <Int32>\n    Only replay queue databases newer than this date\n\n    Required?                    false\n    Position?                    1\n    Default value                7\n\n-RemoveDeliveryDelayedMessages [<SwitchParameter>]\n    Attempt to remove delivery delay notifications so user mailboxes do not fill up with these while we replay old messages\n\n    Required?                    false\n    Position?                    named\n    Default value                False\n
"},{"location":"Transport/ReplayQueueDatabases/#usage","title":"Usage","text":"

The script must be run from Exchange Management Shell locally on the server where queue databases are being replayed. Preliminary steps before running this script:

  • Move all active Mailbox Databases to another DAG member
  • Run this command from Exchange Management Shell: Set-MailboxServer $env:ComputerName -DatabaseCopyAutoActivationPolicy Blocked

When the script is run, it takes the following actions.

  • Read the QueueDatabasePath and QueueDatabaseLoggingPath from the EdgeTransport.exe.config file. If these do not match, the script exits. That type of configuration is not yet supported by this script.
  • Search the QueueDatabasePath for any folders with names matching Message.old-*.
  • Parse the date string in the folder name to determine if this folder is under the MaxAgeInDays.
  • Any folders over the MaxAgeInDays are moved to the ReplaySkipped folder in the QueueDatabasePath.

  • The EdgeTransport.exe.config is copied to EdgeTransport.exe.config.before-replay.

  • Begin looping over the folders that were under MaxAgeInDays, starting with the most deeply nested folder.

  • Check if the HubTransport component is in Draining state, and switch it to Draining if it is not.
  • Stop the Transport services (MSExchangeTransport and MSExchangeFrontEndTransport).
  • Move the current folder to be replayed to OldReplayQueue in the QueueDatabasePath.
  • Start the Transport services.
  • Check every 5 seconds if the queues clear. While waiting, run Remove-Message once a minute to remove any \"Delivery Delayed\" messages.
  • Once queues are cleared, stop the transport services.
  • Move OldQueueReplay to a folder inside of Replayed in the QueueDatabasePath, named Replayed-\\<original date on the folder>.

  • Continue to the next folder.

  • When finished with all the folders, stop the Transport services.

  • Overwrite EdgeTransport.exe.config with EdgeTransport.exe.config.before-replay.
  • Start the Transport services.
  • Notify the user that they must run the command to take the HubTransport component out of the Draining state when ready.

Note that when the script is run without -Confirm:$false, it will prompt for nearly every step of this process. This is probably the best approach for most scenarios, so that each step of the script is visible and understood by the user. \"Yes to All\" can be used to remove most of the prompting within the script. However, even with \"Yes to All\", prompts to start and stop services between replays of each database will occur.

If there are many databases to replay, -Confirm:$false can be used to remove all prompting.

"},{"location":"Transport/ReplayQueueDatabases/#cleanup","title":"Cleanup","text":"

If the script fails out or is terminated in the middle, the following steps may be needed in order to run the script again and/or return the environment to a normal state.

  • OldQueueReplay may have been left in place. If it is not clear whether this database was already replayed, Transport services should be started while QueueDatabasePath and QueueDatabaseLoggingPath in EdgeTransport.exe.config still point to OldQueueReplay. Once the queues have drained, Transport can be stopped, and OldQueueReplay can be moved to the Replayed folder.
  • The EdgeTransport.exe.config may be left pointing to OldQueueReplay. To fix it, replace EdgeTransport.exe.config with the EdgeTransport.exe.config.before-replay, which was the backup of the file prior to any changes.
  • MSExchangeTransport and MSExchangeFrontEndTransport may need to be started.
  • The HubTransport component must be set back to Active.
"}]} \ No newline at end of file +{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Microsoft Exchange Server Support Scripts","text":"

This project contains scripts for supporting and troubleshooting Microsoft Exchange Server.

"},{"location":"#popular-scripts","title":"Popular Scripts","text":"Script Docs Download HealthChecker.ps1 Docs Download ExchangeExtendedProtectionManagement.ps1 Docs Download SetupAssist.ps1 Docs Download SourceSideValidations.ps1 Docs Download Test-AMSI.ps1 Docs Download"},{"location":"Emerging-Issues/","title":"Emerging Issues for Exchange On-Premises","text":"

This page lists emerging issues for Exchange On-Premises deployments, possible root cause and solution/workaround to fix the issues. The page will be consistently updated with new issues found and reflect current status of the issues mentioned.

Updated on Update causing the issue Issue Workaround/Solution 4/23/2024 March 2024 Security Update for Exchange 2019,2016 After installing the March 2024 Security Update, Search in Outlook (cached mode) may show \"We're having trouble fetching results from the server...\". The search works fine in OWA or Outlook online mode. Please install April 2024 Hotfix Update 4/23/2024 March 2024 Security Update for Exchange 2019,2016 After installing the Security Update, add-ins may stop working with following error \"Add-in Error Something went wrong and we couldn't start this add-in. Please try again later or contact your system administrator Please install April 2024 Hotfix Update 4/23/2024 March 2024 Security Update for Exchange 2019,2016 After installing the March 2024 Security Update, Unread envelope icon is not getting updated after applying March 2024 SU Please install April 2024 Hotfix Update 4/23/2024 March 2024 Security Update for Exchange 2019,2016 After installing the March 2024 Security Update, preview of Office documents in OWA may fail with error \"Sorry, there was a problem and we can't open this document.\" Please install April 2024 Hotfix Update 2/20/2024 CU 14 for Exchange 2019 Environments that are using SSL offloading configuration may face issues with Outlook connectivity issues after upgrading to Exchange 2019 CU14. As announced in August 2023 , by default, starting with CU14, Setup enables the Windows Extended Protection (EP) feature on the Exchange server being installed. Extended Protection isn't supported in environments that use SSL Offloading. SSL termination during SSL Offloading causes Extended Protection to fail. To enable Extended Protection in your Exchange environment, you must not be using SSL offloading with your Load Balancers. Please check this link for more details 2/20/2024 CU 14 for Exchange 2019 Environments that are using SSL offloading configuration may face issues with Outlook connectivity issues after upgrading to Exchange 2019 CU14. As announced in August 2023 , by default, starting with CU14, Setup enables the Windows Extended Protection (EP) feature on the Exchange server being installed. Extended Protection isn't supported in environments that use SSL Offloading. SSL termination during SSL Offloading causes Extended Protection to fail. To enable Extended Protection in your Exchange environment, you must not be using SSL offloading with your Load Balancers. Please check this link for more details 2/19/2024 CU 14 for Exchange 2019 Exchange 2019 CU14 RecoverServer fails while creating \"New-PushNotificationsVirtualDirectory\" with following error: Exception setting \"ExtendedProtectionTokenChecking\": \"Cannot convert null to type \"Microsoft.Exchange.Data.Directory.SystemConfiguration.ExtendedProtectionTokenCheckingMode\" due to enumeration values that are not valid. Please follow the steps from this KB to resolve the issue 11/23/2023 November 2023 Security Update for Exchange 2016, Exchange 2019 Some customers may find queue viewer crashing with error \"Failed to enable constraints. One or more rows contain values violating non-null, unique, or foreign-key constraints\" The error can occur if the Exchange server auth certificate has expired. Solution is to renew the Exchange server auth certificate manually or by using this script 10/12/2023 All versions of August 2023 Security Update for Exchange 2016, Exchange 2019 Users in account forest can't change expired password in OWA in multi-forest Exchange deployments after installing any version of August 2023 Security Update for Exchange servers Note The account forest user will be able to change the password after they sign in to Outlook on the web if their password is not yet expired. The issue affects only account forest users who have passwords that are already expired. This change does not affect users in organizations that don't use multiple forests. ** Update on 10/12/2023 ** Follow steps on this article 8/15/2023 Non-English August 2023 Security Update for Exchange 2016, Exchange 2019 When you install the Microsoft Exchange Server 2019 or 2016 August 2023 Security Update (SU) on a Windows Server-based device that is running a non-English operating system (OS) version, Setup suddenly stops and rolls back the changes. However, the Exchange Server services remain in a disabled state. The latest SUs have been released that do not require a workaround to install. If you used a workaround to install KB5029388, it is highly recommend to uninstall the KB5029388 to avoid issues down the line. For more information please check out this KB. 6/15/2023 January 2023 Security Update for Exchange 2016, Exchange 2019 When you try to uninstall Microsoft Exchange Server 2019 or 2016 on servers, that had January 2023 Security Update for Exchange Server installed at any point, the Setup fails with following error message: [ERROR] The operation couldn't be performed because object '' couldn't be found on ''. Install Exchange Security Update June 2023 or higher to resolve the issue. Check this KB for more details 6/15/2023 Extended protection enabled on Exchange server Changing the permissions for Public Folders by using an Outlook client will fail with the following error, if Extended Protection is enabled: The modified Permissions cannot be changed. Install Exchange Security Update June 2023 or higher Security Update and create the setting override mentioned in this KB 3/16/2023 Outlook client update for CVE-2023-23397 released These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating Exchange servers in their environment, and if applicable, installing the security update for Outlook on Windows described on the link on the right.More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).Awareness: Outlook client update for CVE-2023-23397 releasedThere is a critical security update for Microsoft Outlook for Windows that is required to address CVE-2023-23397. To address this CVE, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform). Please check this page for FAQs about the Outlook CVE-2023-23397 3/14/2023 February 2023 Security Update for Exchange 2016, Exchange 2019, Exchange 2013 After installing February 2023 security update, customers are seeing EWS application pool crash with Event ID 4999 with following error E12IIS, c-RTL-AMD64, 15.01.2507.021, w3wp#MSExchangeServicesAppPool, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.EnforceBlockReason, M.E.Diagnostics.BlockedDeserializeTypeException, 437c-dumptidset, 15.01.2507.021. The issue is causing connectivity issues to EWS based clients (Outlook for Mac) Update on 3/14/2023 The issue is fixed in March 2023 security update for Exchange servers Please follow the steps in this KB 3/14/2023 February 2023 Security Update for Exchange 2016, Exchange 2019, Exchange 2013 Some customers are reporting issues with Outlook/OWA add-ins, like add-in not listing in EAC or with the Get-App command. Additionally, they may notice EWS application pool crash with Event ID 4999 in the application log of the Exchange server. Update on 3/14/2023 The issue is fixed in March 2023 security update for Exchange servers 3/14/2023 January 2023 Security Update for Exchange 2016, Exchange 2019 The Exchange toolbox may start crashing on launch after certificate Serialization for PowerShell is enabled. The error noticed is \"Deserialization fails: System.Reflection.TargetInvocationException\". The issue happens only on Exchange 2016 and Exchange 2019 Update on 3/14/2023 The issue is fixed in March 2023 security update for Exchange servers - - - - 1/24/2023 January 2023 Security Update for Exchange 2016, Exchange 2019 After installing January 2023 security update and enabling certificate signing for serialization of PowerShell, you may find various Exchange commands and scripts (example: RedistributeActiveDatabases.ps1) that use deserialization failing with the error similar to : Error: \"Cannot convert the value of type.....to type\" Use this script to update the auth certificate 1/24/2023 January 2023 Security Update for Exchange 2016, Exchange 2019 RecoverServer will fail at pre-requisites check with following error: \"Exchange Server version Version 15.1 (Build 2507.17) or later must be used to perform a recovery of this server.\" Update on 02/23/2023 The issue has been fixed in February 2023 Security Update for Exchange servers, however, the following workaround still needs to be used for servers that are on January 2023 Security Update Workaround Use the steps in this article 1/24/2023 January 2023 Security Update for Exchange 2016 installed on Windows 2012 R2, other versions are not affected The Exchange services in Automatic start-up mode will not start after reboot of the server. The services start successfully if started manually Update on 02/23/2023The issue has been fixed in February 2023 Security Update for Exchange servers 1/24/2023 January 2023 Security Update for Exchange 2016, Exchange 2019 Transport header shows the older version of server once January 2023 SU is installed (the build shown seems to be the build of the last CU) The issue will be addressed in upcoming security update

Updated on 11/8/2022

Issue Possible reason Workaround/Solution Zero-day vulnerabilities reported in Microsoft Exchange Server, CVE-2022-41040 and CVE-2022-41082 N/A Install November 2022 Exchange Server Security Updates to address the vulnerability

Updated on 5/11/2022

Issue Possible reason Workaround/Solution After installing March 2022 Security Update For Exchange Server 2013, 2016, 2019, the Microsoft Exchange Service Host service may crash repeatedly with Event ID 7031 in system log and Event ID 4999 in application log. Event ID 4999 Watson report about to be sent for process id: 4564, with parameters: E12IIS, c-RTL-AMD64, 15.01.2375.024, M.Exchange.ServiceHost, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.LoadType, M.E.Diagnostics.BlockedDeserializeTypeException, c0e9-DumpTidSet, 15.01.2375.024. The issue can occur if there are any expired certificates present on or any certificates nearing expiry on the server Install May 2022 Exchange Server Security Updates to resolve the issue

Updated on 3/16/2022

Issue Possible reason Workaround/Solution After installing March 2022 Security Update For Exchange Server 2013, 2016, 2019, the Microsoft Exchange Service Host service may crash repeatedly with Event ID 7031 in system log and Event ID 4999 in application log. Event ID 4999 Watson report about to be sent for process id: 4564, with parameters: E12IIS, c-RTL-AMD64, 15.01.2375.024, M.Exchange.ServiceHost, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.LoadType, M.E.Diagnostics.BlockedDeserializeTypeException, c0e9-DumpTidSet, 15.01.2375.024. The issue can occur if there are any expired certificates present on or any certificates nearing expiry on the server Update 3/16/2022 Follow the steps from KB 5013118 to resolve the issue"},{"location":"Emerging-Issues/#old-issues","title":"Old Issues","text":""},{"location":"Emerging-Issues/#email-stuck-in-transport-queues","title":"Email Stuck in Transport Queues","text":"Issue Possible reason Workaround/Solution You may observe emails building up in the transport queues of Exchange Server 2016 and Exchange Server 2019. The issue does not impact Exchange 2013 servers.Following events may be noticed in the application log: Log Name: ApplicationSource: FIPFSLogged: 1/1/2022 1:03:42 AM Event ID: 5300 Level: Error Computer: server1.contoso.comDescription: The FIP-FS \"Microsoft\" Scan Engine failed to load. PID: 23092, Error Code: 0x80004005.Error Description: Can't convert \"2201010001\" to long. Log Name: Application Source: FIPFS Logged: 1/1/2022 11:47:16 AM Event ID: 1106 Level: Error Computer: server1.contoso.com Description: The FIP-FS Scan Process failed initialization. Error: 0x80004005. Error Details: Unspecified error. The problem relates to a date check failure with the change of the new year and it not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue. The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues. Run this script on each Exchange server in your organization. You can run this script on multiple servers in parallel. Check this article for detailed steps."},{"location":"Emerging-Issues/#november-2021-security-update","title":"November 2021 Security Update","text":"

Following are the known issues after installing November 2021 Security Updates for Exchange On-Premises servers

Issue Possible reason Workaround/Solution Hybrid OWA Redirect is broken after application of November SU for Exchange 2013/2016 and 2019. Users using Exchange 2016 and 2019 server will see error \":-( Something went wrong. We can't get that information right now. Please try again later. Exchange 2013 users will see error \"External component has thrown an exception.\" Some On-Premises environments, that are not using FBA, may also see cross-site OWA redirection fail with similar errors. After installing November SU, the OWA redirection URL for hybrid users is providing an encoded URL for &., causing the redirect to fail Update 1/12/2022 The OWA redirection issue is fixed in January 2022 security updates. Please install the relevant update to fix the issue. Alternatively, you can also use the workarounds provided in KB article 5008997"},{"location":"Emerging-Issues/#september-cumulative-updates","title":"September Cumulative Updates","text":"

Following are the known issues after installing September 2021 Cumulative Updates for Exchange On-Premises servers

Issue Possible reason Workaround/Solution After installing the September 2021 CU, the Microsoft Exchange Transport Services will continue to crash. You can see the following message for the 4999 crash event Watson report about to be sent for process id: 10072, with parameters: E12IIS, c-RTL-AMD64, 15.02.0986.005, MSExchangeDelivery, M.Exchange.Transport, M.E.T.AcceptedDomainTable..ctor, System.FormatException, 28d7-DumpTidSet, 15.02.0986.005. Having a Wild Card Only (*) Accepted Domain Set on an Internal Relay. This is an open relay and is very bad to have set. Remove the Accepted Domain that is set to * and properly configure an anonymous relay on a receive connector or change to an External Relay. More Information: Allow anonymous relay on Exchange servers"},{"location":"Emerging-Issues/#july-2021-security-updatecumulative-updates","title":"July 2021 Security Update/Cumulative Updates","text":"

Following are the known issues after installing July 2021 Security Updates/Cumulative Updates for Exchange On-Premises servers

Issue Possible reason Workaround/Solution OWA/ECP stops working after installing July Security Update with following error: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1 The issue occurs if OAuth certificate is missing or expired Follow steps on this article to re-publish the Oauth certificate. Do note it takes up to an hour for certificate to change place OWA/ECP stops working when accessed from load balanced URL, but works if directly accessed from the server URL The root cause for the issue is under investigation Follow steps in this article to fix the issue PrepareAD with Exchange 2016 CU21/Exchange 2019 CU10 error: Used domain controller dc1.contoso.com to read object CN=AdminSDHolder,CN=System,DC=Contoso,DC=COM. [ERROR] Object reference not set to an instance of an object. The issue is under investigation Follow steps in this article to fix the issue PrepareSchema in environments that have empty root AD domain July Security Update for Exchange 2013 have shipped schema changes and needs Exchange role installed for PrepareSchema, this makes it difficult for environments that have Exchange 2013 as the highest installed Exchange server and do not have an Exchange server installed in the same AD site as that of root AD domain. Option 1 Introduce a new server that meets system requirements for Exchange 2013 Management tools, in the root AD domain. Install just the Exchange 2013 Management Tools role on this server. Install the July security fix, perform Schema update. Option 2 PrepareSchema using Exchange 2016 21/Exchange 2019 CU10 media, as the CU's have the changes. However, once Exchange 2016/2019 media is used to perform schema update, you will need to continue using Exchange 2016/2019 media in the future as well. The Schema Version number for Exchange 2013 environment remains on 15312, even after installing SU and performing PrepareSchema This is expected behavior. The schema version is going to remain 15312 after installing Security Update and performing PrepareSchema After installing Exchange 2016 CU21/Exchange 2019 CU10, the values added to custom attributes using EAC are not retained. The scenario works fine in Exchange 2016 CU20/Exchange 2019 CU9 The issue is under investigation Workaround 1: Use EAC from Internet Explorer Workaround 2: Add the values using Exchange Management Shell"},{"location":"Admin/Clear-MailboxPermission/","title":"Clear-MailboxPermission","text":"

Download the latest release: Clear-MailboxPermission.ps1

Attempting to Add-MailboxPermission or Remove-MailboxPermission sometimes fails with the following message:

The ACL for object is not in canonical order (Deny/Allow/Inherited) and will be ignored.

This indicates that the ACEs that make up the ACL do not follow canonical ordering, which generally means denies before allows, and explicit before inherited. When the mailbox security descriptor is in this state, the cmdlets can no longer modify it.

This script can be used to return it to a working state. The script does this by clearing all permissions and resetting it to the default permissions that a brand new mailbox would have.

"},{"location":"Admin/Clear-MailboxPermission/#common-usage","title":"Common Usage","text":"

The easiest way to use the script is to pipe the affected mailboxes to it:

Get-Mailbox joe@contoso.com | .\\Clear-MailboxPermission.ps1

Note the script also supports -WhatIf and -Confirm. It will prompt for confirmation by default.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/","title":"CrossTenantMailboxMigrationValidation","text":"

Download the latest release: CrossTenantMailboxMigrationValidation.ps1

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#description","title":"DESCRIPTION","text":"

This script offers the ability to validate users and org settings related to the Cross-tenant mailbox migration before creating a migration batch and have a better experience.

It will help you on:

  • Making sure the source mailbox object is a member of the Mail-Enabled Security Group defined on the MailboxMovePublishedScopes of the source organization relationship
  • Making sure the source mailbox object ExchangeGuid attribute value matches the one from the target MailUser object, and give you the option to set it
  • Making sure the source mailbox object ArchiveGuid attribute (if there's an Archive enabled) value matches the one from the target MailUser object, and give you the option to set it
  • Making sure the source mailbox object has no more than 12 auxArchives
  • Making sure the source mailbox object has no hold applied
  • Making sure the source mailbox object TotalDeletedItemsSize is not bigger than Target MailUser recoverable items size
  • Making sure the source mailbox object LegacyExchangeDN attribute value is present on the target MailUser object as an X500 proxyAddress, and give you the option to set it, as long as the Target MailUser is not DirSynced
  • Making sure the source mailbox object X500 addresses are also present on the target MailUser object.
  • Checking if the source mailbox object has an Archive enabled, and if so, check if there's any content on the SubstrateHolds folder of the archive mailbox.
  • Making sure the target MailUser object PrimarySMTPAddress attribute value is part of the target tenant accepted domains and give you the option to set it to be like the UPN if not true, as long as the Target MailUser is not DirSynced
  • Making sure the target MailUser object EmailAddresses are all part of the target tenant accepted domains and give you the option to remove them if any doesn't belong to are found, as long as the Target MailUser is not DirSynced
  • Making sure the target MailUser object ExternalEmailAddress attribute value points to the source Mailbox object PrimarySMTPAddress and give you the option to set it if not true, as long as the Target MailUser is not DirSynced
  • Verifying if there's a T2T license assigned on either the source or target objects.
  • Checking if there's an AAD app as described on https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide#prepare-the-target-destination-tenant-by-creating-the-migration-application-and-secret
  • Checking if the AAD app on Target has been consented in Source tenant as described on https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide#prepare-the-source-current-mailbox-location-tenant-by-accepting-the-migration-application-and-configuring-the-organization-relationship
  • Checking if the target tenant has an Organization Relationship as described on https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide#prepare-the-target-tenant-by-creating-the-exchange-online-migration-endpoint-and-organization-relationship
  • Checking if the target tenant has a Migration Endpoint as described on https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide#prepare-the-target-tenant-by-creating-the-exchange-online-migration-endpoint-and-organization-relationship
  • Checking if the source tenant has an Organization Relationship as described on https://docs.microsoft.com/en-us/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide#prepare-the-source-current-mailbox-location-tenant-by-accepting-the-migration-application-and-configuring-the-organization-relationship including a Mail-Enabled security group defined on the MailboxMovePublishedScopes property.
  • Gather all the necessary information for troubleshooting and send it to Microsoft Support if needed
  • Because not all scenarios allow access to both tenants by the same person, this will also allow you to collect the source tenant and mailbox information and wrap it into a zip file so the target tenant admin can use it as a source to validate against.

The script will prompt you to connect to your source and target tenants for EXO and AAD as needed You can decide to run the checks for the source mailbox and target MailUser (individually or by providing a CSV file), for the organization settings described above, collect the source information and compress it to a zip file that can be used by the target tenant admins, or use the collected zip file as a source to validate the target objects and configurations against it.

Additionally, the script provides a version check feature that will check if there's a newer version available on CSS-Exchange repository and will download it if so. If for some reason the version cannot be checked, the build check will be skipped and the existing file will be used.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#pre-requisites","title":"PRE-REQUISITES:","text":"
  • Please make sure you have at least the Exchange Online V2 Powershell module (https://docs.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps#install-and-maintain-the-exo-v2-module)
  • You would need the Microsoft Graph Module (https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0)
"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#parameters","title":"PARAMETERS","text":""},{"location":"Admin/CrossTenantMailboxMigrationValidation/#skipversioncheck","title":"SkipVersionCheck","text":"

This will allow you to skip the version check and run the existing local version of the script. This parameter is optional.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#scriptupdateonly","title":"ScriptUpdateOnly","text":"

This will allow you to check if there's a newer version available on CSS-Exchange repository without performing any additional checks, and will download it if so. This parameter is optional.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#checkobjects","title":"CheckObjects","text":"

This will allow you to perform the checks for the Source Mailbox and Target MailUser objects you provide. If used without the \"-CSV\" parameter, you will be prompted to type the identities.. If used with the '-SourceIsOffline' you also need to specify the '-PathForCollectedData' parameter

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#csv","title":"CSV","text":"

This will allow you to specify a path for a CSV file you have with a list of users that contain the \"SourceUser, TargetUser\" columns. An example of the CSV file content would be:

SourceUser, TargetUser\nJdoe@contoso.com, Jdoe@fabrikam.com\nBSmith@contoso.com, BSmith@fabrikam.com\n

If Used along with the 'CollectSourceOnly' parameter, you only need the 'SourceUser' column.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#checkorgs","title":"CheckOrgs","text":"

This will allow you to perform the checks for the source and target organizations. More specifically the organization relationship on both tenants, the migration endpoint on target tenant and the existence of the AAD application needed.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#sdp","title":"SDP","text":"

This will collect all the relevant information for troubleshooting from both tenants and be able to send it to Microsoft Support in case of needed.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#logpath","title":"LogPath","text":"

This will allow you to specify a log path to transcript all the script execution and it's results. This parameter is mandatory.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#collectsourceonly","title":"CollectSourceOnly","text":"

This will allow you to specify a CSV file so we can export all necessary data of the source tenant and mailboxes to migrate, compress the files as a zip file to be used by the target tenant admin as a source for validation against the target. This parameter is mandatory and also requires the '-CSV' parameter to be specified containing the SourceUser column.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#pathforcollecteddata","title":"PathForCollectedData","text":"

This will allow you to specify a path to store the exported data from the source tenant when used along with the 'CollectSourceOnly' and 'SDP' parameters transcript all the script execution and it's results. This parameter is mandatory.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#sourceisoffline","title":"SourceIsOffline","text":"

With this parameter, the script will only connect to target tenant and not source, instead it will rely on the zip file gathered when running this script along with the 'CollectSourceOnly' parameter. When used, you also need to specify the 'PathForCollectedData' parameter pointing to the collected zip file.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#examples","title":"EXAMPLES","text":""},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-1","title":"EXAMPLE 1","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -CheckObjects -LogPath C:\\Temp\\LogFile.txt\n

This will prompt you to type the source mailbox identity and the target identity, will establish 2 EXO remote powershell sessions (one to the source tenant and another one to the target tenant), and will check the objects.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-2","title":"EXAMPLE 2","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -CheckObjects -CSV C:\\Temp\\UsersToMigrateValidationList.CSV -LogPath C:\\Temp\\LogFile.txt\n

This will establish 2 EXO remote powershell sessions (one to the source tenant and another one to the target tenant), will import the CSV file contents and will check the objects one by one.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-3","title":"EXAMPLE 3","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -CheckOrgs -LogPath C:\\Temp\\LogFile.txt\n

This will establish 4 remote powershell sessions (source and target EXO tenants, and source and target AAD tenants), and will validate the migration endpoint on the target tenant, AAD applicationId on target tenant and the Organization relationship on both tenants.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-4","title":"EXAMPLE 4","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -SDP -LogPath C:\\Temp\\LogFile.txt -PathForCollectedData C:\\temp\n

This will establish 4 remote powershell sessions (source and target EXO tenants, and source and target AAD tenants), and will collect all the relevant information (config-wise) so it can be used for troubleshooting and send it to Microsoft Support if needed.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-5","title":"EXAMPLE 5","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -SourceIsOffline -PathForCollectedData C:\\temp\\CTMMCollectedSourceData.zip -CheckObjects -LogPath C:\\temp\\CTMMTarget.log\n

This will expand the CTMMCollectedSourceData.zip file contents into a folder with the same name within the zip location, will establish the EXO remote powershell session and also with AAD against the Target tenant and will check the objects contained on the UsersToProcess.CSV file.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-6","title":"EXAMPLE 6","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -SourceIsOffline -PathForCollectedData C:\\temp\\CTMMCollectedSourceData.zip -CheckOrgs -LogPath C:\\temp\\CTMMTarget.log\n

This will expand the CTMMCollectedSourceData.zip file contents into a folder with the same name within the zip location, will establish the EXO remote powershell session and also with AAD against the Target tenant, and will validate the migration endpoint on the target tenant, AAD applicationId on target tenant and the Organization relationship on both tenants.

"},{"location":"Admin/CrossTenantMailboxMigrationValidation/#example-7","title":"EXAMPLE 7","text":"
.\\CrossTenantMailboxMigrationValidation.ps1 -CollectSourceOnly -PathForCollectedData c:\\temp -LogPath C:\\temp\\CTMMCollectSource.log -CSV C:\\temp\\UsersToMigrate.csv\n

This will connect to the Source tenant against AAD and EXO, and will collect all the relevant information (config and user wise) so it can be used passed to the Target tenant admin for the Target validation to be done without the need to connect to the source tenant at the same time.

"},{"location":"Admin/Find-AmbiguousSids/","title":"Find-AmbiguousSids","text":"

Download the latest release: Find-AmbiguousSids.ps1

Useful when Exchange throws NonUniqueRecipientException, but doesn't log the objects causing it.

"},{"location":"Admin/Find-AmbiguousSids/#syntax","title":"Syntax","text":"
Find-AmbiguousSids.ps1\n  [-GCName <string>]\n  [-IgnoreWellKnown <bool>]\n  [-Verbose]\n
"},{"location":"Admin/Find-AmbiguousSids/#examples","title":"Examples","text":"

Find all ambiguous SIDs: 

.\\Find-AmbiguousSids.ps1\n

Find all ambiguous SIDs while not ignoring the well-known ones, such as Everyone and other SIDs that always appear in multiple places: 

.\\Find-AmbiguousSids.ps1 -IgnoreWellKnown $false\n

Show each object being checked: 

.\\Find-AmbiguousSids.ps1 -Verbose\n

"},{"location":"Admin/Get-EASMailboxLogs/","title":"Get-EASMailboxLogs","text":"

Download the latest release: Get-EASMailboxLogs.ps1

Used for when you need to get EAS Mailbox Logging over a long period of time. It will collect the logs and re-enable the Active Sync Logging enabled to avoid it being disabled after 72 hours.

"},{"location":"Admin/Get-EASMailboxLogs/#syntax","title":"Syntax","text":"
Get-EASMailboxLogs.ps1\n  [-Mailbox <string[]>]\n  [-OutputPath <string>]\n  [-Interval <int>]\n  [-EnableMailboxLoggingVerboseMode <bool>]\n
"},{"location":"Admin/Get-EASMailboxLogs/#examples","title":"Examples","text":"

The following example collects logs for two mailbox every hour:

.\\Get-EASMailboxLogs.ps1 -mailbox @(\"jim\",\"zeke\") -OutputPath C:\\EASLogs -interval 60\n

The following example collects logs for a mailbox: 

.\\Get-EASMailboxLogs.ps1 -Mailbox \"jim\" -OutputPath c:\\EASLogs\n

The following example enables Verbose Logging on the current on premise server and collects logs for a mailbox: 

.\\Get-EASMailboxLogs.ps1 -Mailbox \"jim\" -OutputPath c:\\EASLogs -EnableMailboxLoggingVerboseMode $true\n

"},{"location":"Admin/Get-SimpleAuditLogReport/","title":"Get-SimpleAuditLogReport","text":"

Download the latest release: Get-SimpleAuditLogReport.ps1

Exchange admin audit logs are not readily human readable. All of the data needed to understand what Cmdlet has been run is in the data but it is not very easy to read. Get-SimpleAuditLogReport will take the results of an audit log search and provide a significantly more human readable version of the data.

It will parse the audit log and attempt to reconstruct the actual Cmdlet that was run.

"},{"location":"Admin/Get-SimpleAuditLogReport/#common-usage","title":"Common Usage","text":"

$Search = Search-AdminAuditLog

$search | C:\\Scripts\\Get-SimpleAuditLogReport.ps1

"},{"location":"Admin/Get-SimpleAuditLogReport/#how-to-use","title":"How to use","text":"
  1. Gather admin audit log results using Search-AdminAuditLog.
  2. Pipe the results into the Get-SimpleAuditLogReport script.
  3. Open the CSV file created in the same directory with the script.
"},{"location":"Admin/MonitorExchangeAuthCertificate/","title":"MonitorExchangeAuthCertificate","text":"

Download the latest release: MonitorExchangeAuthCertificate.ps1

The MonitorExchangeAuthCertificate.ps1 PowerShell script can help you to manage the Auth Certificate used by multiple security features in Exchange Server. The script can be used to renew an already expired Auth Certificate or repair an invalid Auth Configuration in which the current Auth Certificate isn't available on all Exchange Servers running the Mailbox or Client Access Server (CAS) role. It can also manage rotation of the Auth Certificate to ensure a smooth transition to a new Auth Certificate.

The script comes with a manual execution mode and an automation mode that works using the Windows Task Scheduler.

"},{"location":"Admin/MonitorExchangeAuthCertificate/#requirements","title":"Requirements","text":"

To run the script, you must be a member of the Organization Management role group. The script must be run from an elevated Exchange Management Shell (EMS) command prompt on an Exchange Server running the Mailbox role. The script cannot be run on an Exchange Management Tools-only machine.

"},{"location":"Admin/MonitorExchangeAuthCertificate/#logging","title":"Logging","text":"

Each run of the script is logged to the following directory: <ExchangeInstallPath>\\Logging\\AuthCertificateMonitoring

The naming syntax of the log file is: <AuthCertificateMonitoringLog>_<Timestamp>.txt

NOTE: If the <ExchangeInstallPath> directory doesn't exists, the log file will be written to the following directory: <$env:TEMP>\\Logging\\AuthCertificateMonitoring

"},{"location":"Admin/MonitorExchangeAuthCertificate/#how-to-run","title":"How To Run","text":""},{"location":"Admin/MonitorExchangeAuthCertificate/#examples","title":"Examples:","text":"

The following syntax runs the script in validation-only mode. It will show you the required Auth Certificate renewal action that would be performed if the script is executed in renewal mode.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1\n

The following syntax executes the script in renewal mode with user interaction. The required Auth Certificate renewal action will be performed, and the administrator might see prompts that need to be confirmed before the script continues:

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true\n

If you respond with 'Y', then the script will run in unattended mode and will not prompt you again.

It's recommended to recycle the WebApp Pools when the active Auth Certificate is replaced. You should respond with 'Y'.

It's not recommended to replace the internal transport certificate with the newly created Auth Certificate. You should respond with 'N'.

The following syntax executes the script in renewal mode without user interaction. The required Auth Certificate renewal action will be performed. In unattended mode the internal SMTP certificate is replaced with the new Auth Certificate and then set back to the previous one. The script also restarts the MSExchangeServiceHost service and the MSExchangeOWAAppPool and MSExchangeECPAppPool WebApp Pools when the primary Auth Certificate has been replaced.

NOTE: The script creates a new internal transport certificate if the previously configured one wasn't found on the machine where the script is run.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true -Confirm:$false\n

The following syntax runs the script in renewal mode without user interaction. We only take the Exchange servers into account if they are reachable and will perform the renewal action if required.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true -IgnoreUnreachableServers $true -Confirm:$false\n

The following syntax executes the script in renewal mode without user interaction. The renewal action will be performed even when an Exchange hybrid configuration is detected.

NOTE: You must re-run the Hybrid Configuration Wizard (HCW) after the active Auth Certificate has been replaced.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ValidateAndRenewAuthCertificate $true -IgnoreHybridConfig $true -Confirm:$false\n

The following syntax executes the script in scheduled task mode. In this mode, the script performs the following steps:

NOTE: It doesn't matter what you type into the Username box, so you can enter, for example abc. Make sure to use a password that complies with the password guidelines of your organization.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ConfigureScriptToRunViaScheduledTask -Password (Get-Credential).Password\n

NOTE: The ConfigureScriptToRunViaScheduledTask parameter can be combined with the IgnoreHybridConfig and IgnoreUnreachableServers parameter.

  1. It creates a new Exchange Role Group, Auth Certificate Management, which has the following roles assigned: View-Only Configuration, View-Only Recipients, Exchange Server Certificates, Organization Client Access
  2. It creates a new user account with the following User Principal Name (UPN): SystemMailbox{b963af59-3975-4f92-9d58-ad0b1fe3a1a3}@contoso.local
  3. The user account is mail-enabled and hidden from address lists
  4. The user account is added to the local Administrators group on the Exchange Server where the script is executed
  5. The user account is added to the Auth Certificate Management Exchange Role Group
  6. The script is copied to <ExchangeInstallPath>\\Scripts
  7. A new scheduled task is registered to run the script in context of the SystemMailbox{b963af59-3975-4f92-9d58-ad0b1fe3a1a3}@contoso.local user

The following syntax runs the script in Active Directory (AD) account creation mode which can be useful when Exchange runs in AD Split Permissions mode. An AD administrator with sufficient permissions to create a user in AD (e.g., a Domain Admin) can run the script in this mode to create the SystemMailbox{b963af59-3975-4f92-9d58-ad0b1fe3a1a3}@contoso.local account. The account can then be passed by the Exchange administrator via AutomationAccountCredential parameter as outlined in the next example.

In this mode, the script can be executed from an elevated PowerShell command prompt (no EMS required) running on a non-Exchange Server machine with the ActiveDirectory PowerShell module installed, as it only uses cmdlets which are coming with this module.

NOTE: We recommend creating a user account in the same domain where Exchange was installed. You can specify the domain by using the ADAccountDomain parameter.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -PrepareADForAutomationOnly -ADAccountDomain \"root.local\"\n

The following syntax executes the script in scheduled task mode, but it doesn't create the SystemMailbox{b963af59-3975-4f92-9d58-ad0b1fe3a1a3}@contoso.local user account. Instead, the account passed via AutomationAccountCredential parameter is used. Should a renewal action be performed, then email notifications will be sent to John.Doe@contoso.com\".

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ConfigureScriptToRunViaScheduledTask -AutomationAccountCredential (Get-Credential) -SendEmailNotificationTo \"John.Doe@contoso.com\"\n

The following syntax runs the script in Auth Certificate export mode. In this mode, the script exports the current and (if configured) the next Auth Certificate as DER (Distinguished Encoding Rules) binary encoded PKCS #12 files, using the .pfx file name extension.

The naming syntax for the exported .pfx file is: <CertificateThumbprint>-<Timestamp>.pfx

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ExportAuthCertificatesAsPfx\n

The following syntax executes the script in update-only mode. In this mode, the script only checks for a more current version of the script and downloads it if found.

PS C:\\> .\\MonitorExchangeAuthCertificate.ps1 -ScriptUpdateOnly\n
"},{"location":"Admin/MonitorExchangeAuthCertificate/#parameters","title":"Parameters","text":"Parameter Description ValidateAndRenewAuthCertificate This optional parameter enables the validation and renewal mode which will perform the required actions to replace an invalid/expired Auth Certificate or configures a new next Auth Certificate if the current Auth Certificate expires in < 60 days or the certificate configured as next Auth Certificate expires in < 120 days. IgnoreUnreachableServers This optional parameter can be used to ignore if some of the Exchange servers within the organization cannot be reached. If this parameter is used, the script only validates the servers that can be reached and will perform Auth Certificate renewal actions based on the result. Parameter can be combined with the IgnoreHybridConfig parameter and can also be used with the ConfigureScriptToRunViaScheduledTask parameter to configure the script to run via scheduled task. IgnoreHybridConfig This optional parameter allows you to explicitly perform Auth Certificate renewal actions (if required) even if an Exchange hybrid configuration was detected. You need to run the HCW after the renewed Auth Certificate becomes the one in use. Parameter can be combined with the IgnoreUnreachableServers parameter and can also be used with the ConfigureScriptToRunViaScheduledTask parameter to configure the script to run via scheduled task. PrepareADForAutomationOnly This optional parameter can be used in AD Split Permission scenarios. It allows you to create the AD account which can then be used to run the Exchange Auth Certificate Monitoring script automatically via Task Scheduler. ADAccountDomain This optional parameter allows you to specify the domain which is then used by the script to generate the AD account used for automation. Parameter can be combined with the PrepareADForAutomationOnly parameter. ConfigureScriptToRunViaScheduledTask This optional parameter can be used to automatically prepare the requirements in AD (user account), Exchange (email enable the account, hide the account from address book, create a new role group with limited permissions) and finally it creates the scheduled task on the computer on which the script was executed (it has to be an Exchange server running the mailbox role). AutomationAccountCredential This optional parameter can be used to provide a different user under whose context the script is then executed via scheduled task. SendEmailNotificationTo This optional parameter can be used to specify recipients which will then be notified in case that an Exchange Auth Certificate renewal action was performed. The script uses the EWS API to send out email notifications. Make sure that the user in whose context the script is running is allowed to use EWS. TrustAllCertificates This optional parameter can be used to trust all certificates when connecting to the EWS service to send out email notifications. TestEmailNotification This optional parameter can be used to test the email notification feature of the script. Password Parameter to provide a password to the script which is required in some scenarios. ExportAuthCertificatesAsPfx This optional parameter can be used to export all on the system available Auth Certificates as password protected .pfx file. ScriptUpdateOnly This optional parameter allows you to only update the script without performing any other actions. SkipVersionCheck This optional parameter can be used to skip the Auto Update feature to download the latest version of the script."},{"location":"Admin/Remove-CertExpiryNotifications/","title":"Remove-CertExpiryNotifications","text":"

Download the latest release: Remove-CertExpiryNotifications.ps1

This script deletes all AsyncOperationNotification items from the Exchange SystemMailbox that contains them. This corrects the BlockedDeserializeTypeException error described in KB5013118.

NOTE: This script only supports Exchange 2016 and Exchange 2019. It will not work on Exchange 2013.

"},{"location":"Admin/Remove-CertExpiryNotifications/#syntax","title":"Syntax","text":"
Remove-CertExpiryNotifications.ps1\n  [-Server <string>]\n  [[-Credential] <PsCredential>]\n  [-WhatIf]\n  [-Confirm]\n
"},{"location":"Admin/Remove-CertExpiryNotifications/#usage","title":"Usage","text":"

NOTE: If an error occurs please see Common Errors.

The user running the script must be granted full access to the arbitration mailbox prior to running the script. That can be accomplished with this command:

Get-Mailbox -Arbitration \"SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\" | Add-MailboxPermission -User SomeAdmin -AccessRights FullAccess\n

Next, the same user that was granted access should run the script from Exchange Management Shell. Start by running the script with -WhatIf. Optionally, the -Credential switch can be provided. Otherwise, the current user will be used.

.\\Remove-CertExpiryNotifications.ps1 -Server exch1.contoso.com -WhatIf\n

If this succeeds, it will list all the messages that would be deleted. The output should look something like this:

To remove the messages, the script can be run without -WhatIf:

.\\Remove-CertExpiryNotifications.ps1 -Server exch1.contoso.com\n

This syntax will cause it to prompt for each message:

Or, the script can be run with -Confirm:$false to skip the prompts:

.\\Remove-CertExpiryNotifications.ps1 -Server exch1.contoso.com -Confirm:$false\n

After the script has run successfully, it should report that there are no messages present in the folder:

Finally, remember to remove the permission that was granted to the user:

Get-Mailbox -Arbitration \"SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}\" | Remove-MailboxPermission -User SomeAdmin -AccessRights FullAccess\n
"},{"location":"Admin/Remove-CertExpiryNotifications/#common-errors","title":"Common errors","text":"
Invoke-RestMethod : The underlying connection was closed: An unexpected error occurred on a send.\n

\"Unexpected error occurred on a send\" usually means that the name in the certificate on the target server does not match what was specified in the -Server parameter. In other words, navigating to https://the.server.you.specified/owa must not return a certificate error. If it does, the script will fail. The specified server must be the name in the certificate bound to IIS.

Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.\n

This can occur if the user running the script does not have full access to the mailbox. Be sure the Add-MailboxPermission command was successful.

This can also occur if the server name specified is the local server, due to the loopback check. This can be resolved by passing a different name.

"},{"location":"Admin/Reset-ScanEngineVersion/","title":"Reset-ScanEngineVersion","text":"

Download the latest release: Reset-ScanEngineVersion.ps1

"},{"location":"Admin/Reset-ScanEngineVersion/#syntax","title":"Syntax","text":"
Reset-ScanEngineVersion.ps1\n  [-Force <switch>]\n  [-EngineUpdatePath <string>]\n
"},{"location":"Admin/Reset-ScanEngineVersion/#usage","title":"Usage","text":"

Copy the script to an affected Exchange server and run it with no parameters. It can be run from EMS or plain PowerShell.

In scenarios where centralized distribution of scan engines is used, add the -EngineUpdatePath switch to point to the share containing the engines. For example:

.\\Reset-ScanEngineVersion.ps1 -EngineUpdatePath \\\\FileServer1\\ScanEngineUpdates\n
"},{"location":"Admin/SetUnifiedContentPath/","title":"SetUnifiedContentPath","text":"

Download the latest release: SetUnifiedContentPath.ps1

Sets the CleanupFolderREsponderFolderPaths in the AntiMalware.xml file that is responsible for having Exchange automatically clean up the Unified Content that is left behind.

If this isn't properly set, you can have large amount of files left on the computer that is just using up space and can cause issues with Exchange.

The script will keep the default values of D:\\ExchangeTemp\\TransportCts\\UnifiedContent, C:\\Windows\\Temp\\UnifiedContent, and $ExInstall\\TransportRoles\\data\\Temp\\UnifiedContent within the value and will include TemporaryStoragePath from the EdgeTransport.exe.config if different from the install path.

In order for the new settings to take effect right away, use the -RestartService switch to have the MSExchangeHM service take in the new changes right away.

"},{"location":"Admin/SetUnifiedContentPath/#common-usage","title":"Common Usage","text":"

The easiest way to run the script is against all the servers and restart the service.

Get-ExchangeServer | .\\SetUnifiedContentPath.ps1 -RestartService\n

If you don't want to change anything just yet, use the -WhatIf switch to see what servers will have something changed.

Get-ExchangeServer | .\\SetUnifiedContentPath.ps1 -WhatIf\n

Or you can just run it locally on the server

.\\SetUnifiedContentPath.ps1 -RestartService\n

NOTE: The switch -RestartService is only going to restart the service if a change has been detected and done. Otherwise, it will not restart the service.

"},{"location":"Admin/Test-AMSI/","title":"Test-AMSI","text":"

The Windows AntiMalware Scan Interface (AMSI) is a versatile standard that allows applications and services to integrate with any AntiMalware product present on a machine. Seeing that Exchange administrators might not be familiar with AMSI, we wanted to provide a script that would make life a bit easier to test, enable, disable, or Check your AMSI Providers.

"},{"location":"Admin/Test-AMSI/#download","title":"Download","text":"

Download the latest release: Test-AMSI.ps1

"},{"location":"Admin/Test-AMSI/#parameters","title":"Parameters","text":"Parameter Description TestAMSI If you want to test to see if AMSI integration is working. You can use a server, server list or FQDN of load balanced array of Client Access servers. IgnoreSSL If you need to test and ignoring the certificate check. CheckAMSIConfig If you want to see what AMSI Providers are installed. You can combine with ServerList, AllServers or Sites. EnableAMSI If you want to enable AMSI. Without any additional parameter it will apply at Organization Level. If combine with ServerList, AllServers or Sites it will apply at server level. DisableAMSI If you want to disable AMSI. Without any additional parameter it will apply at Organization Level. If combine with ServerList, AllServers or Sites it will apply at server level. RestartIIS If you want to restart the Internet Information Services (IIS). You can combine with ServerList, AllServers or Sites. Force If you want to restart the Internet Information Services (IIS) without confirmation. ServerList If you want to apply to some specific servers. AllServers If you want to apply to all server. Sites If you want to apply to all server on a sites or list of sites."},{"location":"Admin/Test-AMSI/#common-usage","title":"Common Usage","text":"

After you download the script, you will need to run it within an elevated Exchange Management Shell Session

If you want to test to see if AMSI integration is working in a LB Array, you can run: .\\Test-AMSI.ps1 mail.contoso.com

If you want to test to see if AMSI integration is working in list of servers, you can run: .\\Test-AMSI.ps1 -ServerList server1, server2

If you want to test to see if AMSI integration is working in all server, you can run: .\\Test-AMSI.ps1 -AllServers

If you want to test to see if AMSI integration is working in all server in a list of sites, you can run: .\\Test-AMSI.ps1 -AllServers -Sites Site1, Site2

If you need to test and ignoring the certificate check, you can run: .\\Test-AMSI.ps1 -IgnoreSSL

If you want to see what AMSI Providers are installed on the local machine you can run: .\\Test-AMSI.ps1 -CheckAMSIConfig

If you want to enable AMSI at organization level, you can run: .\\Test-AMSI.ps1 -EnableAMSI

If you want to enable AMSI in an Exchange Server or Server List at server level, you can run: .\\Test-AMSI.ps1 -EnableAMSI -ServerList Exch1, Exch2

If you want to enable AMSI in all Exchange Server at server level, you can run: .\\Test-AMSI.ps1 -EnableAMSI -AllServers

If you want to enable AMSI in all Exchange Server in a site or sites at server level, you can run: .\\Test-AMSI.ps1 -EnableAMSI -AllServers -Sites Site1, Site2

If you want to disable AMSI on the Exchange Server, you can run: .\\Test-AMSI.ps1 -DisableAMSI

If you want to disable AMSI in an Exchange Server or Server List at server level, you can run: .\\Test-AMSI.ps1 -DisableAMSI -ServerList Exch1, Exch2

If you want to disable AMSI in all Exchange Server at server level, you can run: .\\Test-AMSI.ps1 -DisableAMSI -AllServers

If you want to disable AMSI in all Exchange Server in a site or sites at server level, you can run: .\\Test-AMSI.ps1 -DisableAMSI -AllServers -Sites Site1, Site2

If you want to restart the Internet Information Services (IIS), you can run: .\\Test-AMSI.ps1 -RestartIIS

If you want to restart the Internet Information Services (IIS) without confirmation, you can run: .\\Test-AMSI.ps1 -RestartIIS -Force

"},{"location":"Admin/Test-ExchangePropertyPermissions/","title":"Test-ExchangePropertyPermissions","text":"

Download the latest release: Test-ExchangePropertyPermissions.ps1

"},{"location":"Admin/Test-ExchangePropertyPermissions/#syntax","title":"Syntax","text":"
Test-ExchangePropertyPermissions.ps1\n    [-TargetObjectDN] <string>\n    [-ComputerAccountDN] <string>\n    [[-DomainController] <string>]\n    [-OutputDebugInfo]\n    [<CommonParameters>]\n
"},{"location":"Admin/Test-ExchangePropertyPermissions/#example","title":"Example","text":"

.\\Test-ExchangePropertyPermissions.ps1 -TargetObjectDN \"CN=SomeRecipient,OU=Users,DC=contoso,DC=com\" -ComputerAccountDN \"CN=SomeServerName,OU=Computers,DC=contoso,DC=com\"

This example retrieves the group memberships of the SomeServerName computer account and then examines the ACL of SomeRecipient to determine if that computer account can write to all expected attributes of that recipient.

"},{"location":"Admin/Test-ExchangePropertyPermissions/#description","title":"Description","text":"

Test-ExchangePropertyPermissions is designed to detect certain schema issues which can manifest as permissions problems and can be challenging to identify manually, including:

  • Scenarios where a property set does not include all the expected properties.
  • Scenarios where an objectClass definition is missing expected properties.

Note that the script does not perform an exhaustive check for all possible schema issues. It is only designed to identify a specific subset of issues which we have encountered. For example, using AD Schema Analyzer as described here is one such scenario:

https://learn.microsoft.com/en-us/previous-versions/technet-magazine/dd547839(v=msdn.10)

As noted in that article, this is known to corrupt the Exchange attributes. This script is able to detect that scenario, and other similar scenarios.

Further, note that such issues cannot be fixed by the script. Using AD Schema Analyzer as described results in an unsupported forest that should be torn down.

"},{"location":"Admin/Update-Engines/","title":"Update-Engines","text":"

Download the latest release: Update-Engines.ps1

The UpdateEngines script can be used to download the engine packages to be used by the Forefront Protection engine on Exchange Server and Sharepoint Server products.

"},{"location":"Admin/Update-Engines/#description","title":"Description","text":"

Follow the steps given below to manually update the scan engines in Exchange Server. You may need to do so if you experience issues with accessing anti-malware updates online and want to download those definitions to a central location.

The manual update involves running the Update-Engines.ps1 PowerShell script. This script can be changed according to your needs.

The update path, list of engines, and list of platforms can be passed as parameters when the script is executed.

Note:

The script will default the engine update path to https://forefrontdl.microsoft.com/server/scanengineupdate/. If this endpoint isn't available, you can change the script to use the failover endpoint https://amupdatedl.microsoft.com/server/scanengineupdate/. If the previous endpoints aren't available, you can use http://amupdatedl.microsoft.com/server/amupdate/ as an alternative download location. By default, all engines will be downloaded for the 64-bit (amd64) platform.

"},{"location":"Admin/Update-Engines/#syntax","title":"Syntax","text":"
Update-Engines.ps1\n  [-EngineDirPath <string>]\n  [-UpdatePathUrl <string>]\n  [-FailoverPathUrl <string>]\n  [-EngineDownloadUrlV2 <string>]\n  [-Engines <string[]>]\n  [-Platforms <string[]>]\n  [-ScriptUpdateOnly <switch>]\n  [-SkipVersionCheck <switch>]\n
"},{"location":"Admin/Update-Engines/#steps-to-update-scan-engines","title":"Steps to update scan engines","text":"

  1. Create a local directory structure on the computer on which you want to download the scan engine updates.

    a. Create a directory. For example, create a directory named ScanEngineUpdates. This directory must be passed via -EngineDirPath parameter to the script.

    b. Set the NTFS file system and share permissions on the directory so that the target Exchange servers have access to it.

  2. Download the latest version of the script from here

  3. Execute the Update-Engines.ps1 PowerShell script, providing any necessary parameters.

  4. You can now configure the servers to download updates from the directory created in step 1) by using the UNC path of a share name, such as \\\\server_name\\share_name.

"},{"location":"Admin/Update-Engines/#examples","title":"Examples","text":"

The following syntax uses the directory C:\\ScanEngineUpdates\\ as the root engine's directory to store the update pattern.

Update-Engines.ps1 -EngineDirPath C:\\ScanEngineUpdates\\\n

The following syntax uses the directory C:\\ScanEngineUpdates\\ as the root engine's directory. It also tries to download the latest updates for the Microsoft engine using the amd64 platform from http://forefrontdl.microsoft.com/server/scanengineupdate/.

Update-Engines.ps1 -EngineDirPath C:\\ScanEngineUpdates\\ -UpdatePathUrl http://forefrontdl.microsoft.com/server/scanengineupdate/ -Engines Microsoft -Platforms amd64\n
"},{"location":"Admin/Update-Engines/#found-a-bug-or-want-to-update-the-script","title":"Found a bug or want to update the script?","text":"

Please open a new work item here or reach out to us via: ExToolsFeedback@microsoft.com

"},{"location":"Calendar/Check-SharingStatus/","title":"Check-SharingStatus","text":"

Download the latest release: Check-SharingStatus.ps1

This script runs a variety of PowerShell cmdlets to validate the sharing relationship between two users.

"},{"location":"Calendar/Check-SharingStatus/#terminology","title":"Terminology:","text":"
  • Owner - this is the mailbox that owns the Calendar being shared.
  • Receiver - this is the mailbox 'viewing' the owner calendar.

Sample Execution: 

Check-SharingStatus.ps1 -Owner Owner@contoso.com -Receiver Receiver@contoso.com\n

"},{"location":"Calendar/Check-SharingStatus/#general-overview-of-looking-at-sharing-issues","title":"General Overview of looking at Sharing Issues:","text":"
  1. The first thing to determine is what kind of sharing relationship the users have.
    • Modern Sharing (New Model Sharing / REST) - Recipient gets a replicated copy of the Owners Calendar in their Mailbox.
    • Old Model Sharing \u2013 Recipient is granted rights but has to connect to the Owners server to get Calendar information.
    • External Sharing \u2013 Can be New or Old Model sharing, but outside of the Exchange Online Tenant / Organization.
    • Publishing (ICS) \u2013 Owner publishes a link to their calendar, which clients can pull.

  2. Next you need to determine if the relationship is healthy. Look at the output from the script.

  3. Last, you need to look at how it is working. Generally, you will get Calendar Logs from Owner and Receiver for a copied meeting and check replication times, etc.

  4. See CalLogSummaryScript for collecting CalLogs.
"},{"location":"Calendar/Get-CalendarDiagnosticObjectsSummary/","title":"Get-CalendarDiagnosticObjectsSummary","text":"

Download the latest release: Get-CalendarDiagnosticObjectsSummary.ps1

This script runs the Get-CalendarDiagnosticObjects cmdlet and returns a summarized timeline of actions into clear English. It will also output an easier to read version of the CalLogs (enhanced) as well as a Raw copy of the logs for Developers.

To run the script, you will need a valid SMTP Address for a user and a meeting Subject or MeetingID.

The script will display summarized timeline of actions and save the logs returned in csv format in the current directory. New -ExportToExcel highly recommended for ease of use (all logs in one file, color coding, etc.). First time use will request installing the ImportExcel module. See https://github.com/dfinke/ImportExcel for more information on the ImportExcel module.

Parameters: Explanation: -Identity One (or more) SMTP Address of EXO User Mailbox to query. -Subject Subject of the meeting to query, only valid if Identity is a single user. -MeetingID MeetingID of the meeting to query. - Preferred way to get CalLogs. -TrackingLogs Populate attendee tracking columns in the output. - Only useable with the MeetingID parameter. -Exceptions Include Exception objects in the output. - Only useable with the MeetingID parameter. -ExportToExcel - [NEW Feature] Export the output to an Excel file with formatting. - Running the script for multiple users will create three tabs in the Excel file for each user. If you want to add more users to the Excel file, close the file and rerun with new user. - one tab for Enhanced CalLog - one tab for the TimeLine - Tab one for Raw CalLog -CaseNumber Case Number to include in the Filename of the output. - PrePend <CaseNumber>_ to filename. -ShortLogs Limit Logs to 500 instead of the default 2000, in case the server has trouble responding with the full logs. ---"},{"location":"Calendar/Get-CalendarDiagnosticObjectsSummary/#syntax","title":"Syntax:","text":"

Example to return timeline for a user with MeetingID: 

.\\Get-CalendarDiagnosticObjectsSummary.ps1 -Identity user@contoso.com -MeetingID 040000008200E00074C5B7101A82E0080000000010E4301F9312D801000000000000000010000000996102014F1D484A8123C16DDBF8603E\n

Example to return timeline for a user with Subject:

.\\Get-CalendarDiagnosticObjectsSummary.ps1 -Identity user@contoso.com -Subject Test_OneTime_Meeting_Subject\n
Get CalLogs for 3 users: 
Get-CalendarDiagnosticObjectsSummary.ps1 -Identity User1, User2, Delegate -MeetingID $MeetingID\n
Add Tracking Logs and Exceptions: 
Get-CalendarDiagnosticObjectsSummary.ps1 -Identity $Users -MeetingID $MeetingID -TrackingLogs -Exceptions\n
Export CalLogs to Excel: 
Get-CalendarDiagnosticObjectsSummary.ps1 -Identity $Users -MeetingID $MeetingID -TrackingLogs -Exceptions -ExportToExcel -CaseNumber 123456\n
Will create file like .\\123456_CalLogSummary_<MeetingID>.xlsx in current directory.

"},{"location":"Calendar/Get-RBASummary/","title":"Get-RBASummary","text":"

Download the latest release: Get-RBASummary.ps1

This script runs the Get-CalendarProcessing cmdlet and returns the output with more details in clear English, highlighting the key settings that affect RBA and some of the common errors in configuration.

The script will also validate the mailbox is the correct type for RBA to interact with (via the Get-Mailbox cmdlet) as well as check for any Delegate rules that would interfere with RBA functionality (via the Get-InboxRules cmdlet).

"},{"location":"Calendar/Get-RBASummary/#syntax","title":"Syntax:","text":"

Example to display the setting of room mailbox. 

.\\Get-RBASummary.ps1 -Identity Room1@Contoso.com\n\n.\\Get-RBASummary.ps1 -Identity Room1 -Verbose\n

"},{"location":"Calendar/Get-RBASummary/#high-level-steps-for-rba-processing","title":"High-level steps for RBA processing:","text":"
  1. Determine if the Meeting Request is in policy or out of policy.
  2. If the meeting request is Out of Policy, see if the user has rights to create an Out of Policy request and if so, forward it to the Delegates.
  3. If it is In Policy, then either book it or forward it to the delegate based on the settings.
  4. Lastly the RBA does the configured Post Processing steps to format the meeting (delete attachments, rename meeting, etc.)

When the RBA receives a Meeting Request, the first thing that it will do is to determine if the meeting is in or out of policy. How does the RBA do this? The RBA compares the Meeting properties to the Policy Configuration. If all the checks 'pass', then the meeting request is In Policy, otherwise it is Out of Policy.

Whether the meeting is in or out of policy, the RBA will look up the configuration that will tell it what to do with the meeting. By default, all out of policy meetings are rejected, and all in policy meetings are accepted, but there is a larger range of customization that you can do to get the RBA to treat this resource the way you want it to.

If the meeting is accepted, the RBA will Post Process it based on the Post Processing configuration.

"},{"location":"Databases/Analyze-SpaceDump/","title":"Analyze-SpaceDump","text":"

Download the latest release: Analyze-SpaceDump.ps1

This script reports the space taken up by various tables based on a database space dump.

"},{"location":"Databases/Analyze-SpaceDump/#usage","title":"Usage","text":"

The space dump must be obtained while the database is dismounted, or on a suspended copy if the issue is happening there. To obtain the space dump, use the following syntax:

eseUtil /ms /v > C:\\SpaceDump.txt

Then, feed that file to this script as follows:

.\\Analyze-SpaceDump.ps1 -File C:\\SpaceDump.txt

This script will only work with Exchange 2013 and later space dumps.

"},{"location":"Databases/Compare-MailboxStatistics/","title":"Compare-MailboxStatistics","text":"

Download the latest release: Compare-MailboxStatistics.ps1

"},{"location":"Databases/Compare-MailboxStatistics/#usage","title":"Usage","text":"

This script compares two sets of mailbox statistics from the same database and highlights mailbox growth that occurred between the two snapshots.

For a growing database, a typical approach would be to start by exporting the statistics for the database:

Get-MailboxStatistics -Database DB1 | Export-CliXML C:\\stats-before.xml\n

After the initial export is obtained, wait until significant growth is observed. That could mean waiting an hour, or a day, depending on the scenario. At that point, compare the stats-before.xml with the live data by using this script as follows:

.\\Compare-MailboxStatistics.ps1 -Before (Import-CliXml C:\\stats-before.xml) -After (Get-MailboxStatistics -Database DB1)\n

This makes it easy to see which mailboxes grew the most.

"},{"location":"Databases/VSSTester/","title":"VSSTester","text":"

Download the latest release: VSSTester.ps1

"},{"location":"Databases/VSSTester/#usage","title":"Usage","text":""},{"location":"Databases/VSSTester/#trace-while-using-a-third-party-backup-solution","title":"Trace while using a third-party backup solution","text":"

.\\VSSTester -TraceOnly -DatabaseName \"Mailbox Database 1637196748\"

Enables tracing of the specified database. The user may then attempt a backup of that database and use Ctrl-C to stop data collection after the backup attempt completes.

"},{"location":"Databases/VSSTester/#trace-a-snapshot-using-the-diskshadow-tool","title":"Trace a snapshot using the DiskShadow tool","text":"

.\\VSSTester -DiskShadow -DatabaseName \"Mailbox Database 1637196748\" -ExposeSnapshotsOnDriveLetters M, N

Enables tracing and then uses DiskShadow to snapshot the specified database. If the database and logs are on the same drive, the snapshot is exposed as M: drive. If they are on separate drives, the snapshots are exposed as M: and N:. The user is prompted to stop data collection and should typically wait until log truncation has occurred before doing so, so that the truncation is traced.

"},{"location":"Databases/VSSTester/#trace-a-snapshot-using-the-diskshadow-tool-by-volume-instead-of-by-database","title":"Trace a snapshot using the DiskShadow tool by volume instead of by Database","text":"

.\\VSSTester -DiskShadow -VolumesToBackup D:\\, E:\\ -ExposeSnapshotsOnDriveLetters M, N

Enables tracing and then uses DiskShadow to snapshot the specified volumes. To see a list of available volumes, including mount points, pass an invalid volume name, such as -VolumesToBackup foo. The error will show the available volumes. Volume names must be typed exactly as shown in that output.

"},{"location":"Databases/VSSTester/#trace-in-circular-mode-until-the-microsoft-exchange-writer-fails","title":"Trace in circular mode until the Microsoft Exchange Writer fails","text":"

.\\VSSTester -WaitForWriterFailure -DatabaseName \"Mailbox Database 1637196748\"

Enables circular tracing of the specified database, and then polls \"vssadmin list writers\" once per minute. When the writer is no longer present, indicating a failure, tracing is stopped automatically.

"},{"location":"Databases/VSSTester/#more-information","title":"More information","text":"
  • https://techcommunity.microsoft.com/t5/exchange-team-blog/troubleshoot-your-exchange-2010-database-backup-functionality/ba-p/594367
  • https://techcommunity.microsoft.com/t5/exchange-team-blog/vsstester-script-updated-8211-troubleshoot-exchange-2013-and/ba-p/610976

Note that script syntax and output has changed. Syntax and screenshots in the above articles are out of date.

"},{"location":"Databases/VSSTester/#missing-microsoft-exchange-writer","title":"Missing Microsoft Exchange Writer","text":"

We have seen a few cases where the Microsoft Exchange Writer will disappear after an unspecified amount of time and restarting the Microsoft Exchange Replication service. Steps on how to resolve this are linked here:

  • https://learn.microsoft.com/en-US/troubleshoot/windows-server/backup-and-storage/event-id-513-vss-windows-server
"},{"location":"Databases/VSSTester/#com-security","title":"COM+ Security","text":"

Here are the steps to verify that the local Administrators group is allowed to the COM+ Security on the computer. The script will detect if this is a possibility if we can not see the Exchange Writers and we have the registry settings set that determine this is a possibility.

  1. Run \"dcomCnFg\" from the run box or command prompt on the problem machine
  2. Expand Component Services then Computers
  3. Right Click on My Computer and select Properties

  1. Select the COM Security tab and select Edit Default... under Access Permissions

  1. If the local Administrators group is not here for Allow for Local and Remote Access, click Add... to add the local Administrators group to the Default Security permissions

  1. Change the locations to the computer name

  1. Type in \"Administrators\" and select Check Names. Making sure the computer account comes up

  1. Add Local Access and Remote Access for Allow
  2. Click Okay
  3. Click Apply and Okay
  4. Restart the Computer
"},{"location":"Diagnostics/ExTRA/","title":"ExTRA","text":"

Download the latest release: ExTRA.ps1

The goal of this script is to replace the ExTRA UI that was included with older versions of Exchange. The script can be run on any machine where a modern browser (Edge/Chrome/Firefox) is set as the default browser. It does not need to be run on an Exchange server. It will not work if Internet Explorer is the default browser.

"},{"location":"Diagnostics/ExTRA/#usage","title":"Usage","text":"

Generally, you will want to run this script on a user workstation and use it to generate the EnabledTraces.config file. Then, that file can be copied to the Exchange server, and a logman command can be used to start and stop the ExTRA trace.

The script can be run directly on a server if desired, but remember that IE cannot be the default browser in that case.

To use, download the latest release. Then run the script with no parameters:

.\\ExTRA.ps1\n

The default browser will launch with a tag selection interface. Once the desired tags are selected, click Save and go back to the PowerShell window. You should see some output indicating that the EnabledTraces.config file was saved in the folder. That EnabledTraces.config should be placed at the root of C:\\ on the server being traced.

The output also provides example logman syntax for creating, starting, and stopping the trace.

"},{"location":"Diagnostics/ExchangeLogCollector/","title":"Exchange Log Collector","text":"

Download the latest release: ExchangeLogCollector.ps1

This script is intended to collect the Exchange default logging data from the server in a consistent manner to make it easier to troubleshoot an issue when large amounts of data is needed to be collected. You can specify what logs you want to collect by the switches that are available, then the script has logic built in to determine how to collect the data.

"},{"location":"Diagnostics/ExchangeLogCollector/#how-to-run","title":"How to Run","text":"

The script must be run as Administrator in PowerShell session on an Exchange Server or Tools box. Supported to run and collected logs against Exchange 2013 and greater. The intent of the script is to collect logs only that you need from X servers quickly without needing to have to manually collect it yourself and label zip them all up for you. If you don't know what logs to collect, it is recommended to use -AllPossibleLogs.

This script no longer supports collecting logs from Exchange 2010. However, the last release of v2 should still work just fine. You can download that here.

The script is able to collect from the large set of servers while using the Invoke-Command. Prior to executing the main script, we check to make sure the server is up and that we are able to use Invoke-Command against the server. If Invoke-Command works remotely, then we will allow you to attempt to collect the data. You can still utilize the script to collect locally as it used to be able to, if the target OS doesn't allow this.

Prior to collecting the data, we check to make sure that there is at least 10GB of free space at the location of where we are trying to save the data of the target server. The script will continue to keep track of all the logs and data that is being copied over and will stop if we have less than 10GB of free space.

You are able to use a config file to load up all the parameters you wish to choose and the servers you wish to run the script against. Just create a file called ExchangeLogCollector.ps1.json and place at the same location as the script. Then provide the switches you would like to use in the file like so:

{\n  \"Servers\": [\n    \"ADT-E16A\",\n    \"ADT-E16B\",\n    \"ADT-E16C\"\n  ],\n  \"FilePath\": \"C:\\\\MS_Logs\",\n  \"IISLogs\": true,\n  \"AppSysLogsToXml\": false,\n  \"ScriptDebug\": true\n}\n

NOTE: It is import that you use \\\\ for the file path otherwise the settings will fail to load.

"},{"location":"Diagnostics/ExchangeLogCollector/#examples","title":"Examples:","text":"

This cmdlet will collect all default logs of the local Exchange Server and store them in the default location of \"C:\\MS_Logs_Collection\"

.\\ExchangeLogCollector.ps1 -AllPossibleLogs\n

This cmdlet will collect all relevant data regarding database fail overs from server EXCH1 and EXCH2 and store them at Z:\\Data\\Logs. Note: at the end of the collection, the script will copy over the data to the local host execution server to make data collection even easier.

.\\ExchangeLogCollector.ps1 -DatabaseFailoverIssue -Servers EXCH1,EXCH2 -FilePath Z:\\Data\\Logs\n

This cmdlet will collect all relevant data regarding IIS Logs (within the last 3 days by default) and all RPC type logs from the servers EXCH1 and EXCH2 and store them at the default location of \"C:\\MS_Logs_Collection\"

.\\ExchangeLogCollector.ps1 -Servers EXCH1,EXCH2 -IISLogs -RPCLogs\n

This cmdlet will collect all relevant data regarding Message Tracking Logs and Protocol Logs for the past 3 hours from the servers EXCH1 and EXCH2 and store them at the default location of \"C:\\MS_Logs_Collection\"

.\\ExchangeLogCollector.ps1 -Servers EXCH1,EXCH2 -MessageTrackingLogs -ProtocolLogs -LogAge \"03:00:00\"\n
"},{"location":"Diagnostics/ExchangeLogCollector/#parameters","title":"Parameters","text":"Parameter Description FilePath The Location of where you would like the data to be copied over to. This location must be the same and accessible on all servers if you use the Servers parameter. Default value: C:\\MS_Logs_Collection Servers An array of servers that you would like to collect data from. AcceptedRemoteDomain Enable to collect Get-AcceptedDomain and Get-RemoteDomain. ADDriverLogs Enable to collect AD Driver Logs. Location: V15\\Logging\\ADDriver AppSysLogs Collects the Windows Event Application, System, and MSExchange Management Logs. Default value $true AppSysLogsToXml Collects the Windows Event Application and System and saves them out to XML. The time range only is from the time the script run and the value set on LogAge. Default value: $true AutoDLogs Enable to collect AutoDiscover Logs. Location: V15\\Logging\\Autodiscover and V15\\Logging\\HttpProxy\\Autodiscover CollectFailoverMetrics Enable to run the CollectOverMetrics.ps1 script against the DAG. Only able to be run on an Exchange tools box or an Exchange Server. DAGInformation Enable to collect the DAG Information from all different DAGs that are in the list of servers. DailyPerformanceLogs Enable to collect Daily Performance Logs. Default Location: V15\\Logging\\Diagnostics\\DailyPerformanceLogs DefaultTransportLogging Enables the following switches and their logs to be collected. AcceptedRemoteDomain, FrontEndConnectivityLogs, FrontEndProtocolLogs, HubConnectivityLogs, MailboxConnectivityLogs, MailboxDeliveryThrottlingLogs, MessageTrackingLogs, PipelineTracingLogs, QueueInformation, ReceiveConnectors, SendConnectors, TransportConfig, TransportRoutingTableLogs, and TransportRules EASLogs Enable to collect Exchange Active Sync Logging. Location: V15\\Logging\\HttpProxy\\Eas ECPLogs Enable to collect ECP Logs. Location: V15\\Logging\\ECP and V15\\Logging\\HttpProxy\\Ecp EWSLogs Enable to collect EWS Logs. Location: V15\\Logging\\HttpProxy\\Ews and V15\\Logging\\Ews ExchangeServerInformation Enable to collect Exchange Information like Get-ExchangeServer, Get-MailboxServer, etc... This is also collected when -ServerInformation is also enabled. ExMon Enable to collect ExMon data from the server. ExPerfWiz Enable to collect ExPerfWiz data if found. FrontEndConnectivityLogs Enable to collect the connectivity logging on the FE. Location: (Get-FrontendTransportService $server).ConnectivityLogPath FrontEndProtocolLogs Enable to collect the protocol logging on the FE. Location: (Get-FrontendTransportService $server).ReceiveProtocolLogPath and (Get-FrontendTransportService $server).SendProtocolLogPath GetVDirs Enable to collect the Virtual Directories of the environment. HighAvailabilityLogs Enable to collect High Availability Logs. Windows Event Logs like: Microsoft-Exchange-HighAvailability, Microsoft-Exchange-MailboxDatabaseFailureItems, and Microsoft-Windows-FailoverClustering HubConnectivityLogs Enable to collect the Hub connectivity logging. Location: (Get-TransportService $server).ConnectivityLogPath HubProtocolLogs Enable to collect the protocol logging. Location: (Get-TransportService $server).ReceiveProtocolLogPath and (Get-TransportService $server).SendProtocolLogPath IISLogs Enable to collect IIS Logs and HTTPErr Logs from the Exchange Server. Default Location: C:\\InetPub\\logs\\LogFiles\\W3SVC1, C:\\InetPub\\logs\\LogFiles\\W3SVC2, and C:\\Windows\\System32\\LogFiles\\HTTPERR. IISlogs do not collect all logs on CollectAllLogsBasedOnLogAge:$false, just works based on log age. ImapLogs Enable to collect IMAP logging. Location: (Get-ImapSettings -Server $server).LogFileLocation MailboxAssistantsLogs Enable to collect Mailbox Assistants logging. Location: V15\\Logging\\MailboxAssistantsLog, V15\\Logging\\MailboxAssistantsSlaReportLog, and V15\\Logging\\MailboxAssistantsDatabaseSlaLog MailboxConnectivityLogs Enable to collect the connectivity logging on the mailbox server. Location: (Get-MailboxTransportService $server).ConnectivityLogPath MailboxDeliveryThrottlingLogs Enable to collect the mailbox delivery throttling logs on the server. Location: (Get-MailboxTransportService $server).MailboxDeliveryThrottlingLogPath MailboxProtocolLogs Enable to collect protocol logging on the mailbox server. Location: (Get-MailboxTransportService $server).ReceiveProtocolLogPath and (Get-MailboxTransportService $server).SendProtocolLogPath ManagedAvailabilityLogs Enable to collect the Managed Availability Logs. Location: V15\\Logging\\Monitoring and Windows Event logs like Microsoft-Exchange-ManagedAvailability MapiLogs Enable to collect MAPI Logs. Location: V15\\Logging\\MAPI Client Access, V15\\Logging\\MapiHttp\\Mailbox, and V15\\Logging\\HttpProxy\\Mapi MessageTrackingLogs Enable to collect the Message Tracking Logs. Location: (Get-TransportService $server).MessageTrackingLogPath MitigationService Enable to collect the Mitigation Service logs. Location: V15\\Logging\\MitigationService OABLogs Enable to collect OAB Logs. Location: V15\\Logging\\HttpProxy\\OAB, V15\\Logging\\OABGeneratorLog, V15\\Logging\\OABGeneratorSimpleLog, and V15\\Logging\\MAPI AddressBook Service OrganizationConfig Enable to collect the Organization Configuration from the environment. OWALogs Enable to collect OWA Logs. Location: V15\\Logging\\OWA, Logging\\HttpProxy\\OwaCalendar, and V15\\Logging\\HttpProxy\\Owa PipelineTracingLogs Enable to collect the Pipeline Tracing Logs. Location (Get-TransportService $server).PipelineTracingPath, and (Get-MailboxTransportService $server).PipelineTracingPath PopLogs Enable to collect POP logging. Location: (Get-PopSettings -Server $server).LogFileLocation PowerShellLogs Enable to collect the PowerShell Logs. Location: V15\\Logging\\HttpProxy\\PowerShell QueueInformation Enable to collect the historical queue information. Location: (Get-TransportService $server).QueueLogPath ReceiveConnectors Enable to collect the Receive Connector information from the server. RPCLogs Enable to collect RPC Logs. Location: V15\\Logging\\RPC Client Access, V15\\Logging\\HttpProxy\\RpcHttp, and V15\\Logging\\RpcHttp SearchLogs Enable to collect Search Logs. Location: V15\\Bin\\Search\\Ceres\\Diagnostics\\Logs, V15\\Bin\\Search\\Ceres\\Diagnostics\\ETLTraces, V15\\Logging\\Search. On 2019 only we also include V15\\Logging\\BigFunnelMetricsCollectionAssistant, V15\\Logging\\BigFunnelQueryParityAssistant, and V15\\Logging\\BigFunnelRetryFeederTimeBasedAssistant SendConnectors Enable to collect the send connector information from the environment. ServerInformation Enable to collect general server information. TransportAgentLogs Enable to collect the Agent Logs. Location: (Get-TransportService $server).AgentLogPath, (Get-FrontendTransportService $server).AgentLogPath, (Get-MailboxTransportService $server).MailboxSubmissionAgentLogPath, and (Get-MailboxTransportService $server).MailboxDeliveryAgentLogPath TransportConfig Enable to collect the Transport Configuration files from the Server and Get-TransportConfig from the org. Files: EdgeTransport.exe.config, MSExchangeFrontEndTransport.exe.config, MSExchangeDelivery.exe.config, and MSExchangeSubmission.exe.config TransportRoutingTableLogs Enable to collect the Routing Table Logs. Location: (Get-TransportService $server).RoutingTableLogPath, (Get-FrontendTransportService $server).RoutingTableLogPath, and (Get-MailboxTransportService $server).RoutingTableLogPath TransportRules Enable to collect Get-TransportRule. WindowsSecurityLogs Enable to collect the Windows Security Logs. Default Location: 'C:\\Windows\\System32\\WinEvt\\Logs\\Security.evtx' AllPossibleLogs Enables the collection of all default logging collection on the Server. CollectAllLogsBasedOnLogAge Boolean to determine if you collect all the logs based off the log's age or all the logs in that directory. Default value $true ConnectivityLogs Enables the following switches and their logs to be collected: FrontEndConnectivityLogs, HubConnectivityLogs, and MailboxConnectivityLogs DatabaseFailoverIssue Enables the following switches and their logs to be collected. DAGInformation, DailyPerformanceLogs, ExchangeServerInformation, ExPerfWiz, HighAvailabilityLogs, ManagedAvailabilityLogs, and ServerInformation. DaysWorth The number of days to go back to be included int the time span for log collection. Default value: 3 HoursWorth The number of hours to go back to be included in the time span for the log collection. Default Value 0. LogStartDate Set the starting time for the log collection (DateTime). LogEndDate Set the ending time for the log collection (DateTime). DisableConfigImport Enable to not import the ExchangeLogCollector.ps1.json file if it exists. ExMonLogmanName A list of names that we want to collect for ExMon data. The default name is ExMon_Trace. ExPerfWizLogmanName A list of names that we want to collect performance data logs from. The default names are Exchange_PerfWiz, ExPerfWiz, and SimplePerf. (For both styles of ExPerfWiz) LogAge A Time Span value to use instead of the DaysWorth and HoursWorth parameters. Default Value: 3.00:00:00 OutlookConnectivityIssues Enables the following switches and their logs to be collected: AutoDLogs, DailyPerformanceLogs, EWSLogs, ExPerfWiz, IISLogs, MAPILogs, RPCLogs, and ServerInformation PerformanceIssues Enables the following switches and their logs to be collected: DailyPerformanceLogs, ExPerfWiz, and ManagedAvailabilityLogs PerformanceMailFlowIssues Enables the following switches and their logs to be collected: DailyPerformanceLogs, ExPerfWiz, MessageTrackingLogs, QueueInformation, and TransportConfig ProtocolLogs Enables the following switches and their logs to be collected: FrontEndProtocolLogs, HubProtocolLogs, and MailboxProtocolLogs ScriptDebug Enable to display all the verbose lines in the script. SkipEndCopyOver If the Servers parameter is used, by default we will attempt to collect all the data back over to the local server after all the data was collected on each server."},{"location":"Diagnostics/ManagedAvailabilityTroubleshooter/","title":"ManagedAvailabilityTroubleshooter","text":"

Download the latest release: ManagedAvailabilityTroubleshooter.ps1

"},{"location":"Diagnostics/Test-ExchAVExclusions/","title":"Test-ExchAVExclusions","text":"

Download the latest release: Test-ExchAVExclusions.ps1

Assists with testing Exchange Servers to determine if AV Exclusions have been properly set according to our documentation.

AV Exclusions Exchange 2016/2019

AV Exclusions Exchange 2013

"},{"location":"Diagnostics/Test-ExchAVExclusions/#usage","title":"Usage","text":"

Writes an EICAR test file to all paths specified in our AV Exclusions documentation and verifies all extensions in the documentation in a temporary folder.

If the file is removed then the path is not properly excluded from AV Scanning. IF the file is not removed then it should be properly excluded.

Once the files are created it will wait 5 minutes for AV to \"see\" and remove the file.

After finishing testing directories it will test Exchange Processes. Pulls all Exchange processes and their modules. Excludes known modules and reports all Non-Default modules.

Non-Default modules should be reviewed to ensure they are expected. AV Modules loaded into Exchange Processes indicate that AV Process Exclusions are NOT properly configured.

... .\\Test-ExchAVExclusions.ps1 ...

"},{"location":"Diagnostics/Test-ExchAVExclusions/#understanding-the-output","title":"Understanding the Output","text":""},{"location":"Diagnostics/Test-ExchAVExclusions/#file-output","title":"File Output","text":"

Review the BadExclusions.txt file to see any file paths were identified as being scanned by AV. Work with the AV Vendor to determine the best way to exclude these file paths according to our documentation:

AV Exclusions Exchange 2016/2019

"},{"location":"Diagnostics/Test-ExchAVExclusions/#process-output","title":"Process Output","text":"

Review NonDefaultModules.txt to determine if any Non-Default modules are loaded into Exchange processes. The output should have sufficient information to identity the source of the flagged modules.

[FAIL] - PROCESS: ExchangeTransport MODULE: scanner.dll COMPANY: Contoso Security LTT.

If the Module is from an AV or Security software vendor it is a strong indication that process exclusions are not properly configured on the Exchange server. Please work with the vendor to ensure that they are properly configured according to:

AV Exclusions Exchange 2016/2019

AV Exclusions Update

"},{"location":"Diagnostics/Test-ExchAVExclusions/#parameters","title":"Parameters","text":"Parameter Description WaitingTimeForAVAnalysisInMinutes Set the waiting time for AV to analyze the EICAR files. Default is 5 minutes. Recurse Places an EICAR file in all SubFolders as well as the root. SkipVersionCheck Skip script version verification. ScriptUpdateOnly Just update script version to latest one."},{"location":"Diagnostics/Test-ExchAVExclusions/#outputs","title":"Outputs","text":"

Log file: $PSScriptRoot\\Test-ExchAvExclusions-#DateTime#.txt

List of Folders, extensions Scanned by AV and List of Non-Default Processes: $PSScriptRoot\\BadExclusions-#DateTime#.txt

"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/","title":"FindFrontEndActivity","text":"

Download the latest release: FindFrontEndActivity.ps1

"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#synopsis","title":"Synopsis","text":"

Find HttpProxy protocol activity for one or more users.

"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#syntax","title":"Syntax","text":"
.\\FindFrontEndActivity.ps1 -ServerName <String[]> -SamAccountName <String[]> [-LatencyThreshold <Int32>] [-Protocol <String[]>] [-IncludeNonExecutes] [-Quiet] [-TimeSpan <TimeSpan>] [<CommonParameters>]\n\n.\\FindFrontEndActivity.ps1 -ServerName <String[]> -SamAccountName <String[]> [-LatencyThreshold <Int32>] [-Protocol <String[]>] [-IncludeNonExecutes] [-Quiet] -StartTime <DateTime> -EndTime <DateTime> [<CommonParameters>]\n
"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#quick-start-examples","title":"Quick Start Examples","text":"
[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" | ft\n\nDateTime                 AuthenticatedUser  UrlStem       ServerHostName TargetServer         TotalRequestTime\n--------                 -----------------  -------       -------------- ------------         ----------------\n2023-02-11T15:59:35.174Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  2214\n
[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" -LatencyThreshold 100 | ft\n\nDateTime                 AuthenticatedUser  UrlStem       ServerHostName TargetServer         TotalRequestTime\n--------                 -----------------  -------       -------------- ------------         ----------------\n2023-02-11T15:59:29.898Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  505\n2023-02-11T15:59:31.560Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  403\n2023-02-11T15:59:35.174Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  2214\n2023-02-11T15:59:35.488Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  161\n2023-02-11T15:59:38.133Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  399\n
[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" -Protocol \"ews\", \"mapi\" | ft\n\nDateTime                 AuthenticatedUser  UrlStem            ServerHostName TargetServer         TotalRequestTime\n--------                 -----------------  -------            -------------- ------------         ----------------\n2023-02-11T15:10:10.643Z contoso\\john.doe   /EWS/Exchange.asmx EXCH1          exch1.contoso.local  1800019\n2023-02-11T15:40:44.254Z contoso\\john.doe   /EWS/Exchange.asmx EXCH1          exch1.contoso.local  1800028\n2023-02-11T15:59:35.174Z contoso\\john.doe   /mapi/emsmdb/      EXCH1          exch1.contoso.local  2214\n

Note the difference between -Quiet mode and the default:

[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" -Quiet\nEXCH1\nEXCH3\n[PS] C:\\>\n[PS] C:\\># Notice how we returned two servers when using -Quiet.\n[PS] C:\\>\n[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" | ft\n\nDateTime                 AuthenticatedUser  UrlStem       ServerHostName TargetServer         TotalRequestTime\n--------                 -----------------  -------       -------------- ------------         ----------------\n2023-02-11T16:25:14.508Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  1182\n\n\n[PS] C:\\># But only one in the default mode. This is because the default is intended\n[PS] C:\\># to look for calls that are slow and are Execute calls. To see everything,\n[PS] C:\\># we need to remove the latency filter and include non-execute activity,\n[PS] C:\\># but this will return a lot of noise.\n[PS] C:\\>\n[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" -LatencyThreshold 0 -IncludeNonExecutes | ft\n\nDateTime                 AuthenticatedUser  UrlStem       ServerHostName TargetServer         TotalRequestTime\n--------                 -----------------  -------       -------------- ------------         ----------------\n2023-02-11T16:00:07.619Z contoso\\john.doe   /mapi/emsmdb/ EXCH3          exch1.contoso.local  17\n2023-02-11T16:01:10.555Z contoso\\john.doe   /mapi/nspi/   EXCH1          exch1.contoso.local  22\n2023-02-11T16:05:11.132Z contoso\\john.doe   /mapi/emsmdb/ EXCH1          exch1.contoso.local  659066\n2023-02-11T16:05:12.101Z contoso\\john.doe   /mapi/nspi/   EXCH1          exch1.contoso.local  21\n...\n

To see all details, use fl *:

[PS] C:\\>Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"john.doe\" | fl *\n\n\nDateTime                        : 2023-02-11T16:25:14.508Z\nRequestId                       : 0aa7958e-c59a-4f0a-903f-ebbd6ed93c9a\nMajorVersion                    : 15\nMinorVersion                    : 2\nBuildVersion                    : 1118\n...\n
"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#description","title":"Description","text":"

When an Exchange client experiences issues, the HttpProxy logs are often the starting point for determining whether the issue is with the client, the network, or the server. However, since an Exchange environment may have dozens of front-end servers, it can be difficult to find the relevant logs for a given user.

This script is designed to search the logs of all Exchange servers in parallel to quickly find the HttpProxy logs related to specified users.

The default mode of the script is intended for finding slow MAPI calls from Outlook clients. The -Protocol switch can be used to search more protocols, while specifying -LatencyThreshold allows the admin to filter more aggressively or remove the latency filter entirely. Running in -Quiet mode skips the filtering and just reports any servers that have the specified users in the HttpProxy logs for the specified protocols. See the parameters and examples for more information.

"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#parameters","title":"Parameters","text":"
-ServerName <String[]>\n    The name of one or more Exchange servers to search. An easy way to search all Exchange\n    servers in the forest is to simply pipe Get-ExchangeServer to the script.\n\n    Required?                    true\n    Position?                    named\n    Default value\n    Accept pipeline input?       true (ByValue, ByPropertyName)\n    Accept wildcard characters?  false\n\n-SamAccountName <String[]>\n    The samAccountNames of one or more users to search for.\n\n    Required?                    true\n    Position?                    named\n    Default value\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-LatencyThreshold <Int32>\n    The minimum latency (in milliseconds) to search for. This is useful for filtering out\n    noise from the logs. (Default: 1000). This parameter has no effect when -Quiet is used.\n\n    Required?                    false\n    Position?                    named\n    Default value                1000\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-Protocol <String[]>\n    The protocols to search. Valid values are: Autodiscover, EAS, ECP, EWS, MAPI, OWA, PowerShell,\n    RpcHttp. (Default: MAPI)\n\n    Required?                    false\n    Position?                    named\n    Default value                @('MAPI')\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-IncludeNonExecutes [<SwitchParameter>]\n    By default, NotificationWaits from the MAPI logs are not included, because these are slow\n    by design. Specify this switch to include them.\n\n    Required?                    false\n    Position?                    named\n    Default value                False\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-Quiet [<SwitchParameter>]\n    This switch causes the script to only report the server names rather than the full log\n    entries. This may be somewhat faster. However, there is no filtering for LatencyThreshold\n    and NotificationWait when this option is used.\n\n    Required?                    false\n    Position?                    named\n    Default value                False\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-TimeSpan <TimeSpan>\n    Specify how far back to search the logs. This is a TimeSpan value, such as \"01:00\" for the\n    last hour or \"00:30\" for the last 30 minutes. (Default: 15 minutes). Use this parameter to\n    search the most recent logs. Use StartTime and EndTime to search older logs.\n\n    Required?                    false\n    Position?                    named\n    Default value                (New-TimeSpan -Minutes 15)\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-StartTime <DateTime>\n    Logs older than this time are not searched. This is a DateTime value, such as (Get-Date).AddDays(-1)\n    or \"2023-02-11 08:00\". Use this parameter to search old logs. Use -TimeSpan to search the\n    most recent logs.\n\n    Required?                    true\n    Position?                    named\n    Default value\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n-EndTime <DateTime>\n    Logs newer than this time are not searched. This is a DateTime value, such as (Get-Date).AddDays(-1)\n    or \"2023-02-11 09:00\". Use this parameter to search old logs. Use -TimeSpan to search the\n    most recent logs.\n\n    Required?                    true\n    Position?                    named\n    Default value\n    Accept pipeline input?       false\n    Accept wildcard characters?  false\n\n<CommonParameters>\n    This cmdlet supports the common parameters: Verbose, Debug,\n    ErrorAction, ErrorVariable, WarningAction, WarningVariable,\n    OutBuffer, PipelineVariable, and OutVariable. For more information, see\n    about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).\n
"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#example-1","title":"Example 1","text":"

Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"user1\", \"user2\" | ft\n
Show any MAPI HttpProxy activity that took more than 1 second for user1 or user2 within the last 15 minutes on all Exchange servers in the forest.

"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#example-2","title":"Example 2","text":"

Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"user1\", \"user2\" -Quiet\n
Show only the server names where user1 or user2 are found in the MAPI HttpProxy logs within the last 15 minutes.

"},{"location":"Diagnostics/FindFrontEndActivity/FindFrontEndActivity/#example-3","title":"Example 3","text":"

Get-ExchangeServer | .\\FindFrontEndActivity.ps1 -SamAccountName \"user1\", \"user2\" -Protocol \"ews\", \"mapi\" -LatencyThreshold 100 -TimeSpan \"00:30\"\n
Show any EWS or MAPI HttpProxy activity that took more than 100 milliseconds for user1 or user2 within the last 30 minutes on all Exchange servers in the forest.

"},{"location":"Diagnostics/HealthChecker/","title":"HealthChecker","text":"

Download the latest release: HealthChecker.ps1

The Exchange Server Health Checker script helps detect common configuration issues that are known to cause performance issues and other long running issues that are caused by a simple configuration change within an Exchange Environment. It also helps collect useful information of your server to help speed up the process of common information gathering of your server.

"},{"location":"Diagnostics/HealthChecker/#requirements","title":"Requirements","text":""},{"location":"Diagnostics/HealthChecker/#supported-exchange-server-versions","title":"Supported Exchange Server Versions:","text":"

The script can be used to validate the configuration of the following Exchange Server versions: - Exchange Server 2016 - Exchange Server 2019

"},{"location":"Diagnostics/HealthChecker/#required-permissions","title":"Required Permissions:","text":"

Please make sure that the account used is a member of the Local Administrator group. This should be fulfilled on Exchange servers by being a member of the Organization Management group. However, if the group membership was adjusted or in case the script is executed on a non-Exchange system like a management server, you need to add your account to the Local Administrator group. You also need to be a member of the following groups:

  • Organization Management
  • Domain Admins (only necessary for the DCCoreRatio parameter)
"},{"location":"Diagnostics/HealthChecker/#syntax","title":"Syntax","text":"
HealthChecker.ps1\n  [-Server <string[]>]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-Server <string[]>]\n  [-MailboxReport]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-LoadBalancingReport]\n  [-ServerList <string[]>]\n  [-SiteName <string>]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-BuildHtmlServersReport]\n  [-XMLDirectoryPath <string>]\n  [-HtmlReportFile <string>]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-AnalyzeDataOnly]\n  [-XMLDirectoryPath <string>]\n  [-HtmlReportFile <string>]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-DCCoreRatio]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-ScriptUpdateOnly]\n  [-OutputFilePath <string>]\n  [-SaveDebugLog]\nHealthChecker.ps1\n  [-VulnerabilityReport]\n  [-OutputFilePath <string>]\n  [-SkipVersionCheck]\n  [-SaveDebugLog]\n
"},{"location":"Diagnostics/HealthChecker/#how-to-run","title":"How To Run","text":"

This script must be run as Administrator in Exchange Management Shell on an Exchange Server. You can provide no parameters and the script will just run against the local server and provide the detail output of the configuration of the server.

"},{"location":"Diagnostics/HealthChecker/#examples","title":"Examples:","text":"

This cmdlet with run Health Checker Script by default and run against the local server.

PS C:\\> .\\HealthChecker.ps1\n

This cmdlet will run the Health Checker Script against the specified server.

PS C:\\> .\\HealthChecker.ps1 -Server EXCH1\n

This cmdlet will run the Health Checker Script against a list of servers.

PS C:\\> .\\HealthChecker.ps1 -Server EXCH1,EXCH2,EXCH3\n

This cmdlet will build the HTML report for all the XML files located in the same location as the Health Checker Script.

PS C:\\> .\\HealthChecker.ps1 -BuildHtmlServersReport\n

This cmdlet will build the HTML report for all the XML files located in the directory specified in the XMLDirectoryPath Parameter.

PS C:\\> .\\HealthChecker.ps1 -BuildHtmlServersReport -XMLDirectoryPath C:\\Location\n

This cmdlet will run the Health Checker Load Balancing Report for all the Exchange CAS (Front End connections only) and MBX servers (BackEnd connections) in the Organization.

PS C:\\> .\\HealthChecker.ps1 -LoadBalancingReport\n

This cmdlet will run the Health Checker Load Balancing Report for these Servers EXCH1, EXCH2, and EXCH3 CAS (Front End connections) and MBX (BackEnd Connections)

PS C:\\> .\\HealthChecker.ps1 -LoadBalancingReport -ServerList EXCH1,EXCH2,EXCH3\n

This cmdlet will run the Health Checker Load Balancing Report for the Exchange servers in the site SiteA.

PS C:\\> .\\HealthChecker.ps1 -LoadBalancingReport -SiteName SiteA\n

This cmdlet will run the Health Checker Mailbox Report against the Server EXCH1

PS C:\\> .\\HealthChecker.ps1 -MailboxReport -Server EXCH1\n

This cmdlet will run the Health Checker against all your Exchange Servers, then run the HTML report and open it.

PS C:\\> Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match \"^Version 15\"} | .\\HealthChecker.ps1; .\\HealthChecker.ps1 -BuildHtmlServersReport -HtmlReportFile \"ExchangeAllServersReport.html\"; .\\ExchangeAllServersReport.html\n

This cmdlet will run Health Checker Vulnerability Report feature against all your Exchange Servers. Then Export out the data to a json file.

PS C:\\> .\\HealthChecker.ps1 -VulnerabilityReport\n
"},{"location":"Diagnostics/HealthChecker/#parameters","title":"Parameters","text":"Parameter Description Server The server that you would like to run the Health Checker Script against. Parameter not valid with -BuildHTMLServersReport or LoadBalancingReport. Default is the localhost. OutputFilePath The output location for the log files that the script produces. Default is the current directory. MailboxReport Produces the Mailbox Report for the server provided. LoadBalancingReport Runs the Load Balancing Report for the Script ServerList Used in combination with the LoadBalancingReport switch for letting the script to know which servers to run against. SiteName Used in combination with the LoadBalancingReport switch for letting the script to know which servers to run against in the site. XMLDirectoryPath Used in combination with BuildHtmlServersReport switch for the location of the HealthChecker XML files for servers which you want to be included in the report. Default location is the current directory. BuildHtmlServersReport Switch to enable the script to build the HTML report for all the servers XML results in the XMLDirectoryPath location. HtmlReportFile Name of the HTML output file from the BuildHtmlServersReport. Default is ExchangeAllServersReport-yyyyMMddHHmmss.html DCCoreRatio Gathers the Exchange to DC/GC Core ratio and displays the results in the current site that the script is running in. AnalyzeDataOnly Switch to analyze the existing HealthChecker XML files. The results are displayed on the screen and an HTML report is generated. VulnerabilityReport Switch to collect the Vulnerability Information for all the servers in the environment and export it out to json file. SkipVersionCheck No version check is performed when this switch is used. SaveDebugLog The debug log is kept even if the script is executed successfully. ScriptUpdateOnly Switch to check for the latest version of the script and perform an auto update if a newer version was found. Can be run on any machine with internet connectivity. No elevated permissions or EMS are required."},{"location":"Diagnostics/HealthChecker/ADSiteCount/","title":"AD Site Count Check","text":"

In large environments that contains a lot of sites, can cause a performance issue with Exchange. In particular Autodiscover app pool will peg the CPU at 4-hour intervals when there are many AD sites.

It is recommended to reduce the number of AD Sites within the environment to address this issue. However, there is a workaround that would prevent the issue from occurring every 4-hours and just every 24-hours.

In the %ExchangeInstallPath%\\Bin\\Microsoft.Exchange.Directory.TopologyService.exe.config file, change the ExchangeTopologyCacheLifetime value to be 1.00:00:00,00:20:00 instead to have the cache lifetime increase from 4-hours to 24-hours. It is not recommended to go beyond 24-hours.

Included in HTML Report?

Yes

Additional resources:

Original Issue

"},{"location":"Diagnostics/HealthChecker/AMSIIntegration/","title":"AMSI Check","text":"

The Windows AntiMalware Scan Interface (AMSI) is a versatile standard that allows applications and services to integrate with any AntiMalware product present on a machine. AMSI is vendor agnostic and designed to allow for the most common malware scanning and protection techniques provided by today's products to be integrated into applications.

It only scans the HTTP protocol, and is not meant to be a replacement to existing server-level or message hygiene protections.

AMSI integration is available on the following Operating System / Exchange Server version combinations: - Windows Server 2016, or higher - Exchange Server 2016 CU21, or higher - Exchange Server 2019 CU10, or higher - AMSI is not available on Edge Transport Servers

If you use Microsoft Defender, AV engine version at or higher than 1.1.18300.4 is also required. Alternatively, a compatible AMSI capable third-party AV provider.

This check verifies if an override exists which disables the AMSI integration with Exchange Server. It does that, by running the following query:

Get-SettingOverride | Where-Object { ($_.ComponentName -eq \"Cafe\") -and ($_.SectionName -eq \"HttpRequestFiltering\") }

Included in HTML Report?

Yes

Additional resources:

Released: June 2021 Quarterly Exchange Updates

More about AMSI integration with Exchange Server

"},{"location":"Diagnostics/HealthChecker/AuthCertificateCheck/","title":"Auth Certificate Check","text":""},{"location":"Diagnostics/HealthChecker/AuthCertificateCheck/#description","title":"Description","text":"

The Auth Configuration and Auth Certificate are used by Microsoft Exchange server to enable server-to-server authentication using the Open Authorization (OAuth) protocol standard. The Auth Certificate is also used by several Exchange Server security features which makes it important to be valid and available on all servers (except Edge Transport Servers) within the organization.

An invalid Auth Certificate can lead to these and other issues:

  • Access to OWA or ECP isn't working

  • Management of your Exchange servers via Exchange Management Shell isn't working as expected

"},{"location":"Diagnostics/HealthChecker/AuthCertificateCheck/#what-does-the-check-do","title":"What does the check do?","text":"

The HealthChecker script validates multiple configurations which are having a dependency to the Auth Certificate. The script will show you if the Auth Certificate which is configured, was found on the server against which the script is currently running. It will also highlight if the certificate has been expired.

HealthChecker will display the certificate, which is configured as the next Auth Certificate (if there is one) and the effective date from which it becomes available for use by the AuthAdmin servicelet (Auth Certificate rotation to ensure a smooth transition to a new one).

Note: It's required to run the Hybrid Configuration Wizard (HCW), if you are running an Exchange Server hybrid configuration and the primary Auth Certificate has been replaced by a new one.

"},{"location":"Diagnostics/HealthChecker/AuthCertificateCheck/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/AuthCertificateCheck/#additional-resources","title":"Additional resources","text":"

Maintain (rotate) the Exchange Server Auth Certificate

Replace the Auth Certificate if it has already expired or isn't available

Exchange OAuth authentication couldn't find the authorization certificate with thumbprint error when running Hybrid Configuration

MonitorExchangeAuthCertificate.ps1 script

"},{"location":"Diagnostics/HealthChecker/CTSProcessorAffinityPercentageCheck/","title":"CTS Processor Affinity Percentage Check","text":"

Description:

We check if the CtsProcessorAffinityPercentage DWORD value under HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\ExchangeServer\\V15\\Search\\SystemParameters exists and is set to any other value than 0. This setting can be used to limit CPU utilization of a process.

This can cause an impact to the server's search performance. This should never be used as a long term solution!

Included in HTML Report?

Yes

"},{"location":"Diagnostics/HealthChecker/CertificateCheck/","title":"Certificate Check","text":"

This check retrieves all certificates from the Exchange server by using the Get-ExchangeCertificate cmdlet. We display the following information:

  • FriendlyName
  • Thumbprint
  • Lifetime in days
  • Key size
  • Signature algorithm
  • Signature hash algorithm
  • Bound to services
  • Current Auth Certificate
  • SAN Certificate
  • Namespaces

We also perform the following checks:

  • Certificate lifetime check:

    • We show a green output, if the certificate is valid for 60 or more days.
    • We show a yellow warning, if the certificate lifetime is between 30 and 59 days.
    • We show a red warning if the lifetime is < 30 days.

  • Weak key size check:

    • We show a red warning, if the key size is lower than 2048 bit.

  • Weak hash algorithm check:

    • We show a yellow warning if the hash algorithm used to sign a certificate is weak.

  • Valid Auth certificate check:

    • We check if the certificate which is set as current Auth certificate is available on the server.

Included in HTML Report?

Yes

"},{"location":"Diagnostics/HealthChecker/CloudConnectorCheck/","title":"Cloud Connector Check","text":"

This check performs testings against the Exchange Send- and Receive Connectors which are enabled for cloud usage if a hybrid configuration was detected. We run Get-HybridConfiguration to validate if hybrid has been configured for the environment.

A proper configured Send- and Receive Connector is important - especially in hybrid scenarios. A misconfigured connector can lead to multiple issues including broken tenant attribution and email classification (internal / anonymous) which can then lead to false-positive/false-negative.

We to make sure that the mail flow between Exchange on-premises and Exchange Online works as expected

If a Send Connector has the following setting set, it means that the connector is eligible for cloud mail usage:

  • CloudServicesMailEnabled

If a Receive Connector has the following setting set, it means that the connector is eligible for cloud mail usage:

  • TlsDomainCapabilities

We only perform testings for the Receive Connectors if:

  • TransportRole is set to FrontendTransport

We run the following checks:

  • Connector enabled check:

    • We show a yellow warning, if the connector is not enabled

  • Send Connector configured to relay emails via M365 check:

    • If TlsAuthLevel is set to CertificateValidation
    • If RequireTLS is set to true
    • If TlsDomain is set (only performed if TlsAuthLevel is set to DomainValidation)

  • TlsCertificateName configuration check:

    • We check if TlsCertificateName has been set
    • We check if the certificate which is configured in TlsCertificateName exists on the server
    • If a certificate was configured and detected on the system, we then check if it expires within the next 60 days
    • If a certificate was configured, we compare it with the TlsCertificateName returned by Get-HybridConfiguration
    • If a certificate was configured, we check if the syntax is correct and not corrupt. Expected syntax: <I>X.500Issuer<S>X.500Subject

Included in HTML Report?

Yes

Additional resources:

Certificate requirements for hybrid deployments

Demystifying and troubleshooting hybrid mail flow: when is a message internal?

Set up your email server to relay mail to the internet via Microsoft 365 or Office 365

"},{"location":"Diagnostics/HealthChecker/CredentialGuardCheck/","title":"Credential Guard Check","text":"

Description:

In this check we validate, weather Credential Guard was activated or not. Credential Guard is not supported on an Exchange Server. This can cause a performance hit on the server.

Included in HTML Report?

Yes

Additional resources:

Manage Windows Defender Credential Guard

"},{"location":"Diagnostics/HealthChecker/DownloadDomainCheck/","title":"Download Domain Check","text":"

Description:

In this check we validate if the Download Domain feature was configured or not. This feature was introduced to address CVE-2021-1730.

If the feature is enabled, we validate if the URL configured to download attachments, is not set to the same as the internal or external Outlook Web App (OWA) url.

CVE-2021-1730 will not be addressed if the url configured to be used by the Download Domain feature points to the same url(s) which is/are used by OWA.

The Download Domain feature is available on Microsoft Exchange Server 2016 and Microsoft Exchange Server 2019.

More details and configuration instructions can be found in the Microsoft Learn article, that is linked in the additional resource section.

Included in HTML Report?

Yes

Additional resources:

Configure Download Domains in Exchange Server

"},{"location":"Diagnostics/HealthChecker/EEMSCheck/","title":"Exchange Emergency Mitigation Service Check","text":"

Description:

The Exchange Emergency Mitigation Server also known as EEMS or EM was introduced with the Exchange Server 2019 Cumulative Update 11 and Exchange Server 2016 Cumulative Update 22.

The Exchange Emergency Mitigation service helps to keep your Exchange Servers secure by applying mitigations to address any potential threats against your servers. It uses the cloud-based Office Config Service (OCS) to check for and download available mitigations and to send diagnostic data to Microsoft.

The EM service runs as a Windows service on an Exchange Mailbox server. The EM service will be installed automatically on servers with the Mailbox role. The EM service will not be installed on Edge Transport servers.

The use of the EM service is optional. If you do not want Microsoft to automatically apply mitigations to your Exchange servers, you can disable the feature.

This check performs the following testings to highlight the configuration state of the EEMS:

  • Configuration Check

    • Shows if the EEMS is enabled or not on Organizational level
    • Shows if the EEMS is enabled or not on Server level

  • Windows Service Check

    • MSExchangeMitigation Windows service startup type should be: Automatic
    • MSExchangeMitigation Windows service status should be: Running

  • Pattern Service Check

    • We validate if we can reach the OCS which is used to serve the latest mitigations
    • OCS Mitigation Service url: https://officeclient.microsoft.com/GetExchangeMitigations

  • Mitigations Check

    • Shows which mitigations are currently being applied
    • Shows which mitigations are currently being blocked

  • Diagnostic Data Check

    • Shows if the service is configured to provide diagnostic data to Microsoft or not

Included in HTML Report?

Yes

Additional resources:

New security feature in September 2021 Cumulative Update for Exchange Server

Released: September 2021 Quarterly Exchange Updates

Addressing Your Feedback on the Exchange Emergency Mitigation Service

Exchange Emergency Mitigation (EM) service

Mitigations Cloud endpoint is not reachable

"},{"location":"Diagnostics/HealthChecker/ExchangeComputerMembership/","title":"Exchange Server Computer Membership","text":""},{"location":"Diagnostics/HealthChecker/ExchangeComputerMembership/#description","title":"Description:","text":"

Checks for the computer object to be members of the Exchange Trusted Subsystem and Exchange Servers security groups by default. It will also make sure the default local system account has the Exchange Trusted Subsystem a member of it as well in order to have the correct access to local system files.

This check is done by using the ADModule with using the cmdlets Get-LocalGroupMember -SID \"S-1-5-32-544\" and running Get-ADPrincipalGroupMembership (Get-ADComputer $env:COMPUTERNAME).DistinguishedName

If an issue is detected, the group will display with where the problem is located. Either Local System Membership if the group isn't part of the local system account or AD Group Membership if the computer object isn't a member of the group provided.

Included in HTML Report?

Yes

"},{"location":"Diagnostics/HealthChecker/ExchangeServerMaintenanceCheck/","title":"Exchange Server Maintenance Check","text":"

Description:

We validate the Maintenance State for the Exchange server. We run the following checks:

  • We query the server component state by running Get-ServerComponentState
  • We query cluster node information by running Get-ClusterNode
  • We then check for each component if Component.State is not Active
  • If this is the case, we query the Component.LocalStates and Component.RemoteStates
  • We validate if both states LocalStates & RemoteStates are the same
  • We add the information, if LocalStates & RemoteStates are different

We show a green information Server is not in Maintenance Mode if the server is not in maintenance mode.

We display a yellow warning Exchange Server Maintenance if components in maintenance state are detected. We also show additional information about the Database Copy Maintenance and Cluster Node state.

Included in HTML Report?

Yes

Additional resources:

Determine the requestor that changed Server component state

"},{"location":"Diagnostics/HealthChecker/ExoConnectorCheck/","title":"Exchange Online Connector Check","text":"

This is a simple check that can be performed from the Exchange On Prem side to quickly determine if the EXO connector is misconfigured. This does not completely determine if the connector is misconfigured, as Health Checker script is not designed to connect to Exchange Online to properly determine if everything is correctly configured for the way you want your mail flow to work.

A Send Connector is determined to be destined for Exchange Online if one of the following is true:

  • SmartHost endpoint has a *.mail.protection.outlook.com
  • AddressSpaces address has a *.mail.onmicrosoft.com

For those connectors, we then determine a misconfiguration if one of the following is true:

  • TLSCertificateName is not set
  • CloudServicesMailEnabled is not set to true

These are now being flagged as an issue due to some recent changes within Exchange Online.

Some additional configuration concerns are also warned about if one of the following is true:

  • TLSAuthLevel is not set to CertificateValidation or DomainValidation
  • TLSDomain is not set to mail.protection.outlook.com if TLSAuthLevel is set to DomainValidation
"},{"location":"Diagnostics/HealthChecker/ExoConnectorCheck/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/ExoConnectorCheck/#additional-resources","title":"Additional resources","text":"

Set up connectors to route mail between Microsoft 365 or Office 365 and your own email servers

Updated Requirements for SMTP Relay through Exchange Online

"},{"location":"Diagnostics/HealthChecker/FIPFSCheck/","title":"FIP-FS Check","text":"

Description:

We have addressed the issue causing messages to be stuck in transport queues of on-premises Exchange Server 2016 and Exchange Server 2019. The problem relates to a date check failure with the change of the new year and it not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue.

The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues.

This check validates if the problematic signature file has already downloaded and processed. It shows a red warning indicating that the FIP-FS scan engine should be reset to avoid running into the transport or pattern update issue.

  • Exchange 2013 is not affected by the transport queue issue, however, if invalid patterns has been applied, no newer update pattern with a lower version number (like 2112330001) will be applied.
  • We check if a folder with number 2201010000 or greater exists under ExchangeInstallPath\\FIP-FS\\Data\\Engines\\amd64\\Microsoft\\Bin.

  • We also check if the server runs a fixed Exchange build (March 2022 Security Update or higher) that does not crash when the problematic version is used.

  • If we detect the problematic version folder and the server doesn't run a fixed build, we recommend to reset the scan engine version (see Email Stuck in Exchange On-premises Transport Queues in the \"Additional resources\" section).

  • If we detect the problematic version folder but the server runs a fixed build, it should be safe to delete the folder without performing a scan engine reset. If the directory cannot be deleted, it means that the problematic version is in use. This is a problem because in this case, no new scan engine version will be applied. In this case, a reset of the scan engine must be performed.

Please follow the instructions in the references below to reset the scan engine.

Included in HTML Report?

Yes

Additional resources:

Email Stuck in Exchange On-premises Transport Queues

"},{"location":"Diagnostics/HealthChecker/GeneralHardwareInformation/","title":"General Hardware Information","text":"

Description:

We show some general information about the Processor/Hardware of the Exchange server against which the script was executed.

Hardware Type:

  • VMWare
  • AmazonEC2
  • HyperV
  • Physical
  • Unknown

We additionally show the following information, if HardwareType is Physical or AmazonEC2: - Manufacturer - Model - Processor

Number of Processors:

  • We show an note if ServerType is VMWare [1]
  • We show an error if we have more than 2 Processors installed

Number of Physical/Logical Cores:

  • We show a warning if we have more than 24 Physical Cores and running Exchange 2013/2016 [2]
  • We show a warning if we have more than 48 Physical Cores and running Exchange 2019 [2]

Hyper-Threading:

We show if Hyper-Threading is enabled or not.

NUMA BIOS Check:

We check to see if we can properly see all cores on the server. [3], [4]

Max Processor Speed:

We return the MaxMegacyclesPerCore. This is the max speed that we can get out of the cores. We also check if the processor is throttled which may be a result of a misconfigured Power Plan.

Physical Memory:

We validate if the amount of installed memory meets our specifications. [5]

Included in HTML Report?

Yes

Additional resources:

1 - Does CoresPerSocket Affect Performance?

2 - Commodity servers

3 - CUSTOMER ADVISORY c04650594

4 - Exchange performance:HP NUMA BIOS settings

5 - Exchange 2013 Sizing

5 - Hardware requirements for Exchange 2016

5 - Hardware requirements for Exchange 2019

"},{"location":"Diagnostics/HealthChecker/HyperThreadingCheck/","title":"Hyper-Threading Check","text":"

Description:

We validate if Hyper-Threading is enabled or not. We do this by checking if LogicalCores is greater than PhysicalCores which means that Hyper-Threading is enabled. We show a red error and recommend turning off Hyper-Threading.

Included in HTML Report?

Yes

Additional resources:

Exchange 2013 Sizing and Configuration Recommendations - Processing

"},{"location":"Diagnostics/HealthChecker/IISInformation/","title":"Exchange IIS Information","text":""},{"location":"Diagnostics/HealthChecker/IISInformation/#description","title":"Description","text":"

We show some general information about your Exchange Server from the IIS perspective. This goes into detail to make sure that Sites and App Pools are started, which might not be easy to spot at a quick look a the server. It will also call out some common misconfiguration issues, that will cause problems with client connectivity.

"},{"location":"Diagnostics/HealthChecker/IISInformation/#sites","title":"Sites","text":"

This provides the sites that we found and the following information:

  • State (Started or Stopped)
  • HSTS Enabled (Only supported on Default Web Site)
  • Protocol - Binding - Certificate ( Which protocol is binding to which port and with what certificate if any)

NOTE: HSTS if enabled on the Back End will call out an issue.

"},{"location":"Diagnostics/HealthChecker/IISInformation/#app-pools","title":"App Pools","text":"

This provides the application pools on the server with the following information:

  • State (Started or Stopped)
  • GCServerEnabled (Garbage Collection Server Enabled - Depends on the RAM on the server if this should be enabled or not on the server. If it should be, Health Checker should call it out.)
  • RestartConditionSet ( If there is an IIS setting that will automatically restart the App Pool. This is not recommended and will cause issues with client connectivity )
"},{"location":"Diagnostics/HealthChecker/IISInformation/#virtual-directory-locations","title":"Virtual Directory Locations","text":"

This provides the different locations that you use for different connection endpoints with the following information:

  • Extended Protection ( The current value )
  • Ssl Flags ( If enabled and/or Cert based )
  • IP Filtering Enabled ( If any IP filtering is enabled )
  • URL Rewrite ( Names of each rule applied at the location )
  • Authentication ( Provides each type of authentication that is enabled for the location. If anonymous default setting will be provided if that is enabled Out of the Box on the server )

NOTE: For each of the URL Rewrite rules, we will display additional information about the rule to let you know what it is doing. It is also recommended to remove any mitigation rules that you might have applied if you have the security fix installed on the server.

"},{"location":"Diagnostics/HealthChecker/IISInformation/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/IISWebConfigCheck/","title":"IIS Web Configuration Check","text":"

Description:

After a CU or an SU install, sometimes there can be issues with the web.config or the SharedWebConfig.config file that causes issues with the virtual directories from working properly. Most of these issues are from SU installs where they are installed from double clicking on the msi file. This prevents the process from starting as administrator and can cause multiple issues.

This check detects to make sure all the default web.config and SharedWebConfig.config files exist and if they have any default variable values still set within it - %ExchangeInstallDir%.

If Default Variable Detected file is found, open up that file and replace the %ExchangeInstallDir% with the Exchange Install path from (Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\ExchangeServer\\v15\\Setup).MsiInstallPath

Included in HTML Report?

Yes, if issue detected

"},{"location":"Diagnostics/HealthChecker/IPv6EnabledCheck/","title":"IPv6 Enabled Check","text":"

Description:

We check if IPv6 is enabled or not. If we determine that IPv6 has been disabled, we check to see if it's fully disabled as recommended. We determine if the IPv6 is fully disabled by checking to see if we have an IPv6 Address available on the NIC and that it matches what is found in the registry at SYSTEM\\CurrentControlSet\\Services\\TcpIp6\\Parameters\\DisabledComponents.

If both places don't have IPv6 enabled/disabled properly a warning is thrown. This can cause communication issues if not properly disabled.

Included in HTML Report?

Yes

Additional resources:

Disabling IPv6 And Exchange \u2013 Going All The Way

Guidance for configuring IPv6 in Windows for advanced users

"},{"location":"Diagnostics/HealthChecker/InternalTransportCertificateCheck/","title":"Internal Transport Certificate","text":""},{"location":"Diagnostics/HealthChecker/InternalTransportCertificateCheck/#description","title":"Description","text":"

The Internal Transport Certificate in Exchange Server is used in Exchange Server Front-End to Back-End MailFlow scenarios as well as in scenarios in which the Exchange Servers communicate with each other, using the SMTP (Simple Mail Transfer Protocol) protocol. It is generated on a per-server base during the Exchange Server setup process and contains the computers NetBIOS (Network Basic Input/Output System) name as well as the FQDN (Fully Qualified Domain Name).

A missing Internal Transport Certificate can lead to a broken MailFlow on or with the affected machine. It's therefore essential to have a valid certificate for this purpose on the machine. We recommend to not replace the self-signed certificate which was created by Exchange itself.

"},{"location":"Diagnostics/HealthChecker/InternalTransportCertificateCheck/#what-does-the-check-do","title":"What does the check do?","text":"

The check queries the certificate which is marked as Internal Transport Certificate on the server against which the script is currently running. The script will throw a warning if the certificate cannot be found on the machine. It must then be recreated by the Exchange Server administrator and set as new Internal Transport Certificate.

"},{"location":"Diagnostics/HealthChecker/InternalTransportCertificateCheck/#how-to-create-a-new-internal-transport-certificate","title":"How to create a new Internal Transport Certificate?","text":"

You can run the following PowerShell code from an elevated Exchange Management Shell (EMS). It will generate a new Internal Transport Certificate which replaces the existing one on the machine where the command was executed.

$newInternalTransportCertificateParams = @{\n    Server               = $env:COMPUTERNAME\n    KeySize              = 2048\n    PrivateKeyExportable = $true\n    FriendlyName         = $env:COMPUTERNAME\n    DomainName           = $env:COMPUTERNAME\n    IncludeServerFQDN    = $true\n    Services             = \"SMTP\"\n    Force                = $true\n    ErrorAction          = \"Stop\"\n}\n\nNew-ExchangeCertificate @newInternalTransportCertificateParams\n
"},{"location":"Diagnostics/HealthChecker/InternalTransportCertificateCheck/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/InternalTransportCertificateCheck/#additional-resources","title":"Additional resources","text":"

N/A

"},{"location":"Diagnostics/HealthChecker/LMCompatibilityLevelInformationCheck/","title":"LM Compatibility Level Information Check","text":"

LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept.

Included in HTML Report?

Yes

Additional resources:

Network security: LAN Manager authentication level

"},{"location":"Diagnostics/HealthChecker/MAPIFrontEndAppPoolGCModeCheck/","title":"MAPI Front End App Pool GC Mode Check","text":"

Description:

We validate the Garbage Collection (GC) configuration for MSExchangeMapiFrontEndAppPool App Pool if the check is executed against an Exchange 2013 server that is not running the EdgeTransport role.

We check if:

  • The server has a total memory of 21474836480 MB and gcServer.Enabled set to false\\ In this case we recommend to enable Server GC.

  • gcServer.Enabled is neither true nor false\\ This case should be investigated.

  • gcServer.Enabled is false In this case we're running Workstation GC.\\ You could be seeing some GC issues within the MSExchangeMapiFrontEndAppPool App Pool. However, you don't have enough memory installed on the system to recommend switching the GC mode by default without consulting a support professional.

How to fix this:

  1. Go into the file MSExchangeMapiFrontEndAppPool_CLRConfig.config\\ You can find the file by running %winDir%\\system32\\inetSrv\\AppCmd.exe list AppPool \"MSExchangeMapiFrontEndAppPool\" /text:\"CLRConfigFile\" via cmd.exe\\ It should be located here: %ExchangeInstallPath%\\bin\\MSExchangeMapiFrontEndAppPool_CLRConfig.config
  2. Open the file by using an elevated notepad.exe and change the gcServer Enabled value from false to true
  3. Recycle the MAPI Front End App Pool by running: Restart-WebAppPool MSExchangeMapiFrontEndAppPool via PowerShell or by running:\\ %winDir%\\system32\\inetSrv\\AppCmd.exe RECYCLE AppPool \"MSExchangeMapiFrontEndAppPool\" via cmd.exe

Included in HTML Report?

Yes

Additional resources:

Fundamentals of garbage collection

Workstation and server garbage collection

"},{"location":"Diagnostics/HealthChecker/May22SU/","title":"May 2022 Security Update","text":"

In order to protect against CVE-2022-21978 within your environment /PrepareDomain must be run against each domain that contains the MESO container within it.

Health Checker will query all the domains in the environment to see if it has a MESO container. If it does, it checks for a particular ACE or version number of the MESO container to see if we are secure. If we don't pass this check, it will provide what domains you need to run /PrepareDomain against.

In order to protect your environment from CVE-2022-21978, you must install the May 2022 SU or a newer SU/CU that contains this security fix. All SUs and CUs after May 2022 contain this fix. After you have installed this security fix, you must run /PrepareDomain or /PrepareAllDomains from the Exchange bin directory.

Included in HTML Report?

Yes

Additional resources:

Exchange Team Blog - May SU 2022

"},{"location":"Diagnostics/HealthChecker/NETFrameworkSupportabilityCheck/","title":".NET Framework Supportability Check","text":"

Description:

We check if the Exchange server is running a supported .NET Framework version. We do this based on the information provided by PG on Microsoft Docs (.NET Supportability Matrix).

Included in HTML Report?

Yes

Additional resources:

Microsoft .NET Framework Supportability Matrix

"},{"location":"Diagnostics/HealthChecker/NodeRunnerMemoryLimitCheck/","title":"Noderunner.exe Memory Limit Check","text":""},{"location":"Diagnostics/HealthChecker/NodeRunnerMemoryLimitCheck/#description","title":"Description","text":"

This check is looking at the <ExchangeInstallPath>\\Bin\\Search\\Ceres\\Runtime\\1.0\\noderunner.exe.config to look at the memoryLimitMegabytes value. This value should be set to 0 for the best performance. By having it set to 0, we do not limit the noderunner.exe processes. However, in some scenarios you might want to recommend to limit the process memory consumption to prevent server impact. If you do this, it is only recommended as a temporary fix.

"},{"location":"Diagnostics/HealthChecker/NodeRunnerMemoryLimitCheck/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/NodeRunnerMemoryLimitCheck/#additional-resources","title":"Additional Resources","text":"

Users can't receive email messages or connect to their mailbox

"},{"location":"Diagnostics/HealthChecker/NumaBiosCheck/","title":"NUMA BIOS / All Processor Cores Visible Check","text":"

Description:

Check to see if the OS is able to see all the processor cores on the server. What normally happens is the OS is able to see 1 processor socket presented (aka half the number of cores)

This can become a major problem on a server if you do not see all the processor cores for a few reasons.

  • Logic is built into the Exchange Code to handle user workload management is based of the how much CPU the user is using or the process itself. When we aren't able to see all the cores on the system, the process can consume a higher amount than what logic dictates. We base this logic off of the number of cores presented to the OS by [System.Environment]::ProcessorCount. Because the underlying hardware has full access to all the processor cores, the process can go above what Exchange calculated out to set the threshold to be at and then throttling can occur.

  • Sometimes the underlying setting isn't able to keep up and doesn't distribute the load between both the processor sockets, thus causing an issue because the application just lost half of its resources. You can see this occur when you look at the performance counter \"\\Processor Information(0,_Total)\\% Processor Time\" and \"\\Processor Information(1,_Total)\\% Processor Time\" as each one sees their own socket. One will go up while the other goes down. This might only happen for a few seconds, but there are health checks on the server that can be triggered to cause additional issues that will spiral the server.

Included in HTML Report?

Yes

Additional resources:

CUSTOMER ADVISORY c04650594

Exchange performance:HP NUMA BIOS settings

Exchange 2016 users unable to edit Distribution Group membership using Outlook

"},{"location":"Diagnostics/HealthChecker/OpenRelayDomain/","title":"Open Relay Domain","text":"

Description:

We show a warning if we weren't able to run Get-AcceptedDomain and provide an unknown status. If we determine that an Open Relay Domain is set on the environment, we will throw an error in the results and provide which accepted domain ID is set with this. It is recommended to have an anonymous relay and scope down the receive connector for who can use it. Otherwise, you are allowing anybody to use your environment to send mail anywhere.

NOTE: After installing the September 2021 CUs for Exchange 2016/2019, you can see crashes occur on your system for the transport services that look like this:

Log Name:      Application\nSource:        MSExchange Common\nDate:          12/3/2021 12:40:35 PM\nEvent ID:      4999\nTask Category: General\nLevel:         Error\nKeywords:      Classic\nUser:          N/A\nComputer:      Contoso-E19A.Contoso.com\nDescription:\nWatson report about to be sent for process id: 10072, with parameters: E12IIS, c-RTL-AMD64, 15.02.0986.005, MSExchangeDelivery, M.Exchange.Transport, M.E.T.AcceptedDomainTable..ctor, System.FormatException, 28d7-DumpTidSet, 15.02.0986.005.\nErrorReportingEnabled: False\n

This is caused by having an Internal Relay with an Accepted Domain of *. This is not a recommended configuration.

Included in HTML Report?

Yes

Additional resources:

Allow anonymous relay on Exchange servers

"},{"location":"Diagnostics/HealthChecker/PacketsLossCheck/","title":"Packets Loss Check","text":"

Description:

We check if there are any PacketsReceivedDiscarded logged for the NIC. Large package loss can cause a performance impact on a system and should be investigated and fixed.

  • Good: PacketsReceivedDiscarded is 0
  • Warning: PacketsReceivedDiscarded lower than 1000
  • Error: PacketsReceivedDiscarded greater than 1000

NOTE: This counter is accumulation from reboot, or if the NIC setting was changed, so the counter can be stale for some time. However, even though you might not be actively dropping packets, the counter should be at 0 in a healthy environment.

Included in HTML Report?

Yes

Additional Information

Large packet loss in the guest OS using VMXNET3 in ESXi (2039495)

Disable \"adaptive rx ring sizing\" to avoid random interface reset (78343)

"},{"location":"Diagnostics/HealthChecker/PagefileSizeCheck/","title":"Pagefile Size Check","text":"

Description:

We check if the Pagefile is configured as recommended and that there is only 1 PageFile configured (multiple PageFiles can cause performance issues on Exchange server).

"},{"location":"Diagnostics/HealthChecker/PagefileSizeCheck/#exchange-2019","title":"Exchange 2019","text":"
  • Set the paging file minimum and maximum value to the same size: 25% of installed memory
"},{"location":"Diagnostics/HealthChecker/PagefileSizeCheck/#exchange-20132016","title":"Exchange 2013/2016","text":"

Set the paging file minimum and maximum value to the same size:

  • Less than 32 GB of RAM installed: Physical RAM plus 10MB, up to a maximum value of 32GB (32,778MB)

  • 32 GB of RAM or more installed: 32GB

"},{"location":"Diagnostics/HealthChecker/PagefileSizeCheck/#how-to-set-the-pagefile-to-a-static-value","title":"How to set the pagefile to a static value?","text":"

You can set the pagefile to a static size via wmic whereas InitialSize and MaximumSize is the size in megabytes calculated based on the Exchange Server version and memory installed in the server:

wmic ComputerSystem set AutomaticManagedPagefile=False\nwmic PageFileSet set InitialSize=1024,MaximumSize=1024\n

Included in HTML Report?

Yes

Additional resources:

PageFile requirements for Exchange 2019

PageFile requirements for Exchange 2016

PageFile requirements for Exchange 2013

"},{"location":"Diagnostics/HealthChecker/ProcessorCheck/","title":"Number Of Processors","text":"

Description:

Number of Processors is the number of processor sockets detected on the server. It is only recommended to have up to 2 processors on the server. [3]

An additional note is displayed if Type is set to VMware and greater than 2 processors. [1]

"},{"location":"Diagnostics/HealthChecker/ProcessorCheck/#how-this-is-checked","title":"How This Is Checked","text":"
([array](Get-WmiObject -Class Win32_Processor)).count\n
"},{"location":"Diagnostics/HealthChecker/ProcessorCheck/#number-of-logical-and-physical-cores","title":"Number Of Logical and Physical Cores","text":"

Show the number of Physical and Logical cores presented to the OS. This is provided by the WmiObject class Win32_Processor.

  • We show a warning if we have more than 24 Logical Cores and running Exchange 2013/2016 [2]
  • We show a warning if we have more than 48 Logical Cores and running Exchange 2019 [2]
"},{"location":"Diagnostics/HealthChecker/ProcessorCheck/#how-this-is-checked_1","title":"How This Is Checked","text":"
$processor = Get-WmiObject -Class Win32_Processor\n$processor |ForEach-Object {$logical += $_.NumberOfLogicalProcessors; $physical += $_.NumberOfCores}\nPS C:\\> $logical\n24\nPS C:\\> $physical\n12\n
"},{"location":"Diagnostics/HealthChecker/ProcessorCheck/#max-processor-speed","title":"Max Processor Speed","text":"

Check to see what the Max Processor Speed is set to for the processor. If the processor is throttled which may be a result of a misconfigured Power Plan.

NOTE: If Power Plan isn't set to High Performance and the processor is being throttled, this will be flagged that Power Plan is the cause and to fix it ASAP.

"},{"location":"Diagnostics/HealthChecker/ProcessorCheck/#how-this-is-checked_2","title":"How This Is Checked","text":"
$processor = Get-WmiObject -Class Win32_Processor\n$throttled = $processor | Where-Object {$_.CurrentClockSpeed -lt $_.MaxClockSpeed}\n\nif ($throttled) {\n    Write-Host (\"Throttling your CPU\")\n}\n

Included in HTML Report?

Yes

Additional resources:

1 - Does CoresPerSocket Affect Performance?

2 - Commodity servers

3 - Hardware requirements for Exchange 2019

Exchange 2013 Sizing

Hardware requirements for Exchange 2016

"},{"location":"Diagnostics/HealthChecker/RPCMinConnectionTimeoutCheck/","title":"RPC Minimum Connection Timeout Check","text":"

Description:

By default, Outlook Anywhere opens two default connections to the Exchange CAS called RPC_InData and RPC_OutData. The Outlook Anywhere client to server used a default timeout of 12 minutes (720 seconds) of inactivity and the server to the client timeout is 15 minutes (900 seconds).

These default Keep-Alive intervals are not aggressive enough for some of today's home networking devices and/or aggressive network devices on the Internet. Some of those devices are dropping TCP connections after as little as 5 minutes (300 seconds) of inactivity. When one or both of the two default connections are dropped, the connection to the Exchange server is essentially broken and not useable.

Included in HTML Report?

Yes

Additional resources:

Outlook Anywhere Network Timeout Issue

"},{"location":"Diagnostics/HealthChecker/RSSEnabledCheck/","title":"RSS Enabled Check","text":"

Description:

We check on Windows 2012 R2 or newer whether RSS (if it's supported from the NIC) is enabled or not. This is collected by the Get-NetAdapterRss cmdlet. We show a warning if it's supported on NIC-side but disabled.

The Get-NetAdapterRss cmdlet gets receive side scaling (RSS) properties of the network adapters that support RSS. RSS is a scalability technology that distributes the receive network traffic among multiple processors by hashing the header of the incoming packet and using an indirection table. Without RSS in Windows Server\u00ae 2012 and later, network traffic is received on the first processor which can quickly reach full utilization limiting receive network throughput. Various properties can be configured to optimize the performance of RSS.

Included in HTML Report?

Yes

Additional resources:

Introduction to Receive Side Scaling

"},{"location":"Diagnostics/HealthChecker/RebootPending/","title":"Reboot Pending","text":"

Description:

We show a warning if we detect an outstanding pending reboot. We also display the type of pending reboot. We differentiate between:

  • PendingFileRenameOperations
  • SccmReboot
  • SccmRebootPending
  • ComponentBasedServicingRebootPending
  • AutoUpdatePendingReboot
  • UpdateExeVolatile\\Flags

It is best to reboot the server to address these issues. It may take some time after a reboot to have the keys automatically removed. However, if they don't remove automatically, follow these steps to address the issue for the keys that were provided to be a problem.

  • Open regedit to the desired location. Delete the key.
  • If unable to delete the key, follow these steps:
    • Right click on it
    • Open permissions
    • Click on Advanced
    • Change ownership to your account
    • Close Advanced window
    • Give your account Full Control in Permissions window
    • Delete the key

NOTE: With Component Based Servicing\\RebootPending you need to do the same for Component Based Servicing\\PackagesPending prior to RebootPending

NOTE: Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

Included in HTML Report?

Yes

Additional resources:

Determine Pending Reboot Status\u2014PowerShell Style! Part 1

Determine Pending Reboot Status\u2014PowerShell Style! Part 2

"},{"location":"Diagnostics/HealthChecker/RunHCViaSchedTask/","title":"How to run the Exchange Health Checker via Scheduled Task","text":"

Description:

You can run the Exchange Health Checker script by the help of a Scheduled Task on a daily, weekly or monthly base.

This article describes some of the ways how to run the script as task and how to create those tasks.

Note: We assume that the script is stored under C:\\Scripts\\HealthChecker. Please make sure to adjust the path if you use a different one in your environment.

  1. The first thing to do is to create a service account which is used to run the script. It is recommended to use a strong password which will be changed regularly. It's also recommended to add the user to the View-Only Organization Management instead of Organization Management. This should be sufficient for the script to run.

Note: Using View-Only Organization Management instead of Organization Management requires you to add the account to the local Administrators group on each server. This can be achieved by creating a dedicated Security Group which is then added to the Administrators group on each Exchange server (manually or via Group Policy).

  1. Now it's time to create the Scheduled Task. This can be done by the help of PowerShell:

We need to create multiple objects and finally combining them to the Scheduled Task. We need a trigger, settings, action and task object.

  • Create a trigger that defines when the script should be executed:

    • (Example) Daily at 3 AM:
      • $hcTrigger = New-ScheduledTaskTrigger -Daily -At 3am
    • (Example) Every four weeks on Monday at 3 AM:
      • $hcTrigger = New-ScheduledTaskTrigger -Weekly -WeeksInterval 4 -DaysOfWeek Monday -At 3am

  • Create a Scheduled Task setting object:

    • (Example) Create a Scheduled Task settings object using the default settings:
      • $hcSettings = New-ScheduledTaskSettingsSet
    • (Example) Create a Scheduled Task settings object and define RestartCount and RestartInterval:
      • $hcSettings = New-ScheduledTaskSettingsSet -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 60)

  • Define the actions to be executed via Scheduled Task:

    • (Example) Update the HealthChecker script, execute the script against the local server and generate the HTML report:
      • $hcAction = New-ScheduledTaskAction -Execute 'powershell.exe' -WorkingDirectory \"C:\\Scripts\\HealthChecker\\\" -Argument '-NonInteractive -NoLogo -NoProfile -Command \".\\HealthChecker.ps1 -ScriptUpdateOnly; .\\HealthChecker.ps1; .\\HealthChecker.ps1 -BuildHtmlServersReport\"'
    • (Example) Run the HealthChecker script against a remote Exchange server (named ExchSrv01 in this example):
      • $hcAction = New-ScheduledTaskAction -Execute 'powershell.exe' -WorkingDirectory \"C:\\Scripts\\HealthChecker\\\" -Argument '-NonInteractive -NoLogo -NoProfile -Command \".\\HealthChecker.ps1 -ScriptUpdateOnly; .\\HealthChecker.ps1 -Server ExchSrv01; .\\HealthChecker.ps1 -BuildHtmlServersReport\"'

  • Create the Scheduled Task object using the pre-defined action, trigger and settings objects:

    • $hcTask = New-ScheduledTask -Action $hcAction -Trigger $hcTrigger -Settings $hcSettings

  • Create the Scheduled Task:

    • Register-ScheduledTask -TaskName 'HealthChecker Daily Run' -InputObject $hcTask -User (Read-Host \"Please enter username in format (Domain\\Username)\") -Password (Read-Host \"Please enter password\")

Additional resources:

New-ScheduledTaskTrigger

New-ScheduledTaskSettingsSet

New-ScheduledTaskAction

New-ScheduledTask

Register-ScheduledTask

"},{"location":"Diagnostics/HealthChecker/SMBv1Check/","title":"SMBv1 Check","text":"

To make sure that your Exchange organization is better protected against the latest threats (for example Emotet, TrickBot or WannaCry to name a few) we recommend disabling SMBv1 if it's enabled on your Exchange (2013/2016/2019) server.

There is no need to run the nearly 30-year-old SMBv1 protocol when Exchange 2013/2016/2019 is installed on your system. SMBv1 isn't safe and you lose key protections offered by later SMB protocol versions.

This check verifies that SMBv1 is not installed (if OS allows) and that its activation is blocked.

Included in HTML Report?

Yes

Additional resources:

Exchange Server and SMBv1

"},{"location":"Diagnostics/HealthChecker/SerializedDataSigningCheck/","title":"PowerShell Serialization Payload Signing","text":""},{"location":"Diagnostics/HealthChecker/SerializedDataSigningCheck/#description","title":"Description","text":"

Certificate-based signing of PowerShell Serialization Payload is a defense-in-depth security feature to prevent malicious manipulation of serialized data exchanged in Exchange Management Shell (EMS) sessions.

The Serialized Data Signing feature was introduced with the January 2023 Exchange Server Security Update (SU). It's available on Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 and enabled by default with the November 2023 Security Update.

The HealthChecker check validates that the feature is enabled on supported Exchange builds.

Documentation Moved

This documentation has been moved to Microsoft Learn. Please read Configure certificate signing of PowerShell serialization payloads in Exchange Server for more information.

"},{"location":"Diagnostics/HealthChecker/SerializedDataSigningCheck/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/SerializedDataSigningCheck/#additional-resources","title":"Additional resources","text":"

Released: January 2023 Exchange Server Security Updates

Released: November 2023 Exchange Server Security Updates

MonitorExchangeAuthCertificate.ps1 script

"},{"location":"Diagnostics/HealthChecker/SettingOverridesCheck/","title":"Setting Overrides","text":""},{"location":"Diagnostics/HealthChecker/SettingOverridesCheck/#description","title":"Description","text":"

Setting Overrides can be configured via New-SettingOverride cmdlet and in certain cases with the help of registry values. They can be created to change default values for common Exchange services and features (e.g., the default run cycle of the Managed Folder Assistant).

Sometimes they are used to enable new features like the recently introduced Serialized Data Signing for PowerShell payload.

In very rare cases, Microsoft recommends to disable a feature or component by the help of an override (e.g., EWS web application pool stops after the February 2023 Security Update is installed) to work around known issues.

HealthChecker checks for known overrides which should be removed as a solution for to a particular problem is available.

Important

Incorrect usage of the setting override cmdlets can cause serious damage to your Exchange organization. This damage could require you to reinstall Exchange. Only use these cmdlets as instructed by product documentation or under the direction of Microsoft Customer Service and Support.

"},{"location":"Diagnostics/HealthChecker/SettingOverridesCheck/#setting-overrides_1","title":"Setting Overrides","text":"Feature Exchange Version(s) Controlled via Recommended setting BaseTypeCheckForDeserialization 2013, 2016, 2019 Registry Value Disabled

Enable: 

New-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\ExchangeServer\\v15\\Diagnostics -Name \"DisableBaseTypeCheckForDeserialization\" -Value 1 -Type String\n

Disable: 

Remove-ItemProperty -Path HKLM:\\SOFTWARE\\Microsoft\\ExchangeServer\\v15\\Diagnostics -Name \"DisableBaseTypeCheckForDeserialization\"\n

Feature Exchange Version(s) Controlled via Recommended setting Strict Mode for ClientExtensionCollectionFormatter 2016, 2019 New-SettingOverride Enabled

Enable: 

Get-SettingOverride | Where-Object {$_.ComponentName -eq \"Data\" -and $_.SectionName -eq \"DeserializationBinderSettings\" -and $_.Parameters -eq \"LearningLocations=ClientExtensionCollectionFormatter\"} | Remove-SettingOverride\n

Disable: 

New-SettingOverride -Name \"Adding learning location ClientExtensionCollectionFormatter\" -Component Data -Section DeserializationBinderSettings -Parameters @(\"LearningLocations=ClientExtensionCollectionFormatter\") -Reason \"Deserialization failed\"\n

"},{"location":"Diagnostics/HealthChecker/SettingOverridesCheck/#included-in-html-report","title":"Included in HTML Report?","text":"

Yes

"},{"location":"Diagnostics/HealthChecker/SettingOverridesCheck/#additional-resources","title":"Additional resources","text":"

New-SettingOverride

Remove-SettingOverride

"},{"location":"Diagnostics/HealthChecker/SleepyNICCheck/","title":"Sleepy NIC Check","text":"

Description:

We validate the NIC power saving options. It's recommended to disable NIC power saving options as this may cause packet loss.

To detect the NIC power saving options, we're probing the sub keys under: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002bE10318}

We then check if the PnPCapabilities REG_DWORD exists and if it does, we're validating its value. If it's 24 or 280, NIC power saving is disabled as we recommend it.

We skip this check for Multiplexor NIC adapters and in case that the host system is Hyper-V (because we're assuming that we don't support NIC power saving options on this platform).

NOTE: If the REG_DWORD doesn't exists, we're assuming that NIC power saving is not disabled or configured and show a warning.

Included in HTML Report?

Yes

Additional resources:

Information about power management setting on a network adapter

"},{"location":"Diagnostics/HealthChecker/TCPIPSettingsCheck/","title":"TCP/IP Settings Check","text":"

Description:

We validate if a KeepAliveTime DWORD value exists under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\TcpIp\\Parameters and verify that it is set to a recommended value.

Exchange TCP KeepAliveTime registry entry should be set to a decimal value between 900000 and 1800000 (15 to 30 minutes in milliseconds). If there's no entry in the registry for KeepAliveTime then the default value is 2 hours.

This value, if not set correctly, can affect both connectivity and performance. You must make sure that the load balancer and any other devices in the path from client to Exchange are configured correctly.

The goal is to set Exchange with the lowest value so that client sessions, when ended, are ended by Exchange and not by the device.

Example:

Client -> Firewall (1 hour) -> NLB (40 minutes) -> Exchange Servers (20 Minutes)

Included in HTML Report?

Yes

Additional resources:

Checklist for Troubleshooting Performance Related issues in Exchange 2013, 2016 and 2019 (on-prem)

"},{"location":"Diagnostics/HealthChecker/TLSConfigurationCheck/","title":"TLS Configuration Check","text":"

We check and validate Exchange servers TLS 1.0 - 1.3 configuration. We can detect mismatches in TLS versions for client and server. This is important because Exchange can be both a client and a server.

We will also show a yellow warning, if TLS 1.0 and/or TLS 1.1 is enabled. Microsoft's TLS 1.0 implementation is free of known security vulnerabilities. Due to the potential for future protocol downgrade attacks and other TLS 1.0 vulnerabilities not specific to Microsoft's implementation, it is recommended that dependencies on all security protocols older than TLS 1.2 be removed where possible (TLS 1.1/1.0/ SSLv3/SSLv2).

At this time TLS 1.3 is not supported by Exchange and has been known to cause issues if enabled. If detected to be anything but disabled on Exchange, it will be thrown as an error and needs to be addressed right away.

We also check for the SystemDefaultTlsVersions registry value which controls if .NET Framework will inherit its defaults from the Windows Schannel DisabledByDefault registry values or not.

An invalid TLS configuration can cause issues within Exchange for communication.

Only the values 0 or 1 are accepted and determined to be properly configured. The reason being is this is how our documentation provides to configure the value only and it then depends on how the code reads the value from the registry interpret the value.

By not having the registry value defined, different versions of .NET Frameworks for what the code is compiled for will treat TLS options differently. Therefore, we throw an error if the key isn't defined and action should be taken to correct this as soon as possible. To correct this, you create the missing DWORD registry key with the value you wish to have.

The Configuration result can provide a value of Enabled, Disabled, Half Disabled, or Misconfigured. They are defined by the following conditions:

Value Definition Enabled Client and Server Enabled values are set to 1 and DisabledByDefault is set to 0 on the TLS Version. Disabled Client and Server Enabled values are set to 0 and DisabledByDefault is set to 1 on the TLS Version. Half Disabled Client and Server Enabled values are set to either 0 or 1 and DisabledByDefault is set to the opposite where the value doesn't equal Enabled or Disabled.This is not a supported configuration as it doesn't follow the documentation that we have provided. Misconfigured When either the Enabled or the DisabledByDefault values do not match between the Client and Server of that TLS Version.Exchange can be a Client and a Server and this will cause problems and needs to be addressed ASAP.

The location where we are checking for the TLS values are here:

SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Client SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.0\\Server SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Client SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.1\\Server SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Client SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.2\\Server SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.3\\Client SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Protocols\\TLS 1.3\\Server

At each location, we are looking at the value of Enabled and DisabledByDefault. If the key isn't present, Enabled is set to true and DisabledByDefault is set to false. With the exception of TLS 1.3, if that isn't present it is disabled by default.

The location for the .NET Framework TLS related settings are located here:

SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\v4.0.30319 SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319 SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\v2.0.50727 SOFTWARE\\Microsoft\\.NETFramework\\v2.0.50727

At each location, we are looking at the value of SystemDefaultTlsVersions and SchUseStrongCrypto. If the key isn't present, both are set to false.

Included in HTML Report?

Yes

Additional resources:

Exchange Server TLS configuration best practices

Solving the TLS 1.0 Problem, 2nd Edition

TLS 1.2 support at Microsoft

Exchange Server TLS guidance, part 1: Getting Ready for TLS 1.2

Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It

Exchange Server TLS guidance Part 3: Turning Off TLS 1.0/1.1

"},{"location":"Diagnostics/HealthChecker/VisualCRedistributableVersionCheck/","title":"Visual C++ Redistributable Version Check","text":"

Description:

We check if the the latest Visual C++ Redistributable version, required for the installed Exchange server role, is installed or not.

Included in HTML Report?

Yes

Additional resources:

Microsoft Visual C++ Redistributable Latest Supported Downloads

Exchange Server 2019 prerequisites

Exchange Server 2016 prerequisites

"},{"location":"Diagnostics/HealthChecker/VulnerabilityCheck/","title":"Vulnerability Check","text":"

The script performs different checks to detect vulnerabilities which may lead into a security issue for the Exchange server.

Vulnerability checks performed:

  • Check the Exchange server build number against known vulnerabilities that exists within a specific build
  • Check for CVE-2020-0796 SMBv3 vulnerability
  • Check for CVE-2020-1147 .NET Core & .NET Framework vulnerability
  • Check for CVE-2021-1730 Download Domains state

Included in HTML Report?

Yes

"},{"location":"Hybrid/Test-HMAEAS/","title":"Validating Hybrid Modern Authentication setup for Outlook for iOS and Android","text":"

Download the latest release: Test-HMAEAS.ps1

This script allows you to check and see if your on-premises Exchange environment is configured correctly to use Hybrid Modern Authentication (HMA) with Outlook for iOS and Android. For this to work correctly, you will need to enable HMA and follow HMA Outlook for iOS and Android guidance to configure this feature properly.

To run the script, at minimum you will need a valid SMTP Address for a user that is located on-premises.

To test basic AutoDiscover and a Empty Bearer Authorization check you can run:

.\\Test-HMAEAS.ps1 user@contoso.com\n

To test basic AutoDiscover with a custom AutoDiscover Name and also do Empty Bearer Authorization check you can run:

.\\Test-HMAEAS.ps1 user@contoso.com -CustomAutoD autodiscover.contoso.com\n

To test basic EAS Connectivity you can run (you will need to use the users credentials for this test):

.\\Test-HMAEAS.ps1 user@contoso.com -TestEAS\n

"},{"location":"M365/DLT365Groupsupgrade/","title":"DLT365GroupsUpgrade","text":"

Download the latest release: DLT365GroupsUpgrade.ps1

"},{"location":"M365/DLT365Groupsupgrade/#validating-distribution-group-eligibility-for-upgrade-to-o365-group","title":"Validating Distribution group eligibility for upgrade to O365 Group","text":"

This script allows you to check Distribution to O365 Group migration eligibility for a specific distribution group SMTP, for more information over the Distribution to O365 Group migration blockers please check: https://docs.microsoft.com/en-us/microsoft-365/admin/manage/upgrade-distribution-lists?view=o365-worldwide

The script will prompt for global administrator username & password to connect to EXO Then the script will ask for required group smtp Then start to check and provide feedback in case group migration blockers found as illustrated below:

"},{"location":"M365/MDO/MDOThreatPolicyChecker/","title":"MDOThreatPolicyChecker","text":"

Download the latest release: MDOThreatPolicyChecker.ps1

This script checks which Microsoft Defender for Office 365 and Exchange Online Protection threat policies cover a particular user, including anti-malware, anti-phishing, inbound and outbound anti-spam, as well as Safe Attachments and Safe Links policies in case these are licensed for your tenant. In addition, the script can check for threat policies that have inclusion and/or exclusion settings that may be redundant or confusing and lead to missed coverage of users or coverage by an unexpected threat policy.

It also includes an option to show all the actions and settings of the policies that apply to a user.

"},{"location":"M365/MDO/MDOThreatPolicyChecker/#common-usage","title":"Common Usage","text":"

The script uses Exchange Online cmdlets from Exchange Online module and Microsoft.Graph cmdLets from Microsoft.Graph.Authentication, Microsoft.Graph.Groups and Microsoft.Graph.Users modules.

To run the PowerShell Graph cmdlets used in this script, you need only the following modules from the Microsoft.Graph PowerShell SDK: - Microsoft.Graph.Groups: Contains cmdlets for managing groups, including Get-MgGroup and Get-MgGroupMember. - Microsoft.Graph.Users: Includes cmdlets for managing users, such as Get-MgUser. - Microsoft.Graph.Authentication: Required for authentication purposes and to run any cmdlet that interacts with Microsoft Graph.

You can find the Microsoft Graph modules in the following link: \u00a0\u00a0\u00a0\u00a0https://www.powershellgallery.com/packages/Microsoft.Graph/ \u00a0\u00a0\u00a0\u00a0https://learn.microsoft.com/en-us/powershell/microsoftgraph/installation?view=graph-powershell-1.0#installation

Here's how you can install the required submodules for the PowerShell Graph SDK cmdlets:

Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser\nInstall-Module -Name Microsoft.Graph.Groups -Scope CurrentUser\nInstall-Module -Name Microsoft.Graph.Users -Scope CurrentUser\n

NOTE

Remember to run these commands in a PowerShell session with the appropriate permissions. The -Scope CurrentUser parameter installs the modules for the current user only, which doesn't require administrative privileges.

In the Graph connection you will need the following scopes 'Group.Read.All','User.Read.All' 

Connect-MgGraph -Scopes 'Group.Read.All','User.Read.All'\n
You need as well an Exchange Online session. 
Connect-ExchangeOnline\n

You can find the Exchange module and information in the following links: \u00a0\u00a0\u00a0\u00a0https://learn.microsoft.com/en-us/powershell/exchange/exchange-online-powershell-v2?view=exchange-ps \u00a0\u00a0\u00a0\u00a0https://www.powershellgallery.com/packages/ExchangeOnlineManagement

"},{"location":"M365/MDO/MDOThreatPolicyChecker/#examples","title":"Examples:","text":"

To check all threat policies for potentially confusing user inclusion and/or exclusion conditions and print them out for review, run the following: 

.\\MDOThreatPolicyChecker.ps1\n

To provide a CSV input file with email addresses and see only EOP policies, run the following: 

.\\MDOThreatPolicyChecker.ps1 -CsvFilePath [Path\\filename.csv]\n

To provide multiple email addresses by command line and see only EOP policies, run the following: 

.\\MDOThreatPolicyChecker.ps1 -EmailAddress user1@contoso.com,user2@fabrikam.com\n

To provide a CSV input file with email addresses and see both EOP and MDO policies, run the following: 

.\\MDOThreatPolicyChecker.ps1 -CsvFilePath [Path\\filename.csv] -IncludeMDOPolicies\n

To provide an email address and see only MDO (Safe Attachment and Safe Links) policies, run the following: 

.\\MDOThreatPolicyChecker.ps1 -EmailAddress user1@contoso.com -OnlyMDOPolicies\n

To see the details of the policies applied to mailbox in a CSV file for both EOP and MDO, run the following: 

.\\MDOThreatPolicyChecker.ps1 -CsvFilePath [Path\\filename.csv] -IncludeMDOPolicies -ShowDetailedPolicies\n

To get all mailboxes in your tenant and print out their EOP and MDO policies, run the following: 

.\\MDOThreatPolicyChecker.ps1 -IncludeMDOPolicies -EmailAddress @(Get-ExOMailbox -ResultSize unlimited | Select-Object -ExpandProperty PrimarySmtpAddress)\n

"},{"location":"M365/MDO/MDOThreatPolicyChecker/#parameters","title":"Parameters","text":"Parameter Description CsvFilePath Allows you to specify a CSV file with a list of email addresses to check. Csv file must include a first line with header Email. EmailAddress Allows you to specify email address or multiple addresses separated by commas. IncludeMDOPolicies Checks both EOP and MDO (Safe Attachment and Safe Links) policies for user(s) specified in the CSV file or EmailAddress parameter. OnlyMDOPolicies Checks only MDO (Safe Attachment and Safe Links) policies for user(s) specified in the CSV file or EmailAddress parameter. ShowDetailedPolicies In addition to the policy applied, show any policy details that are set to True, On, or not blank. SkipConnectionCheck Skips connection check for Graph and Exchange Online. SkipVersionCheck Skips the version check of the script. ScriptUpdateOnly Just updates script version to latest one."},{"location":"NewUserGuide/","title":"New User Guide","text":""},{"location":"NewUserGuide/#introduction","title":"Introduction","text":"

If you are new to Git and GitHub, and you want to contribute to CSS-Exchange, you've come to the right place.

There are many, many resources on how to use Git and GitHub. We recommend starting with Pro Git. Reading chapters 1 to 3 provides a great foundation for understanding and using Git.

This page will serve as a quick start that leads you through submitting a Pull Request to CSS-Exchange step by step.

This page will not cover the use of any GUI that attempts to insulate the user from the Git command line. In this author's opinion, the only way to really learn Git is to use the command line, so that's all we'll cover here.

"},{"location":"NewUserGuide/#before-you-start","title":"Before You Start","text":"

If you are considering a large change to a script or a brand new script, it's often a good idea to open an Issue first to discuss the change. This will allow the repository owners to provide feedback on whether they would accept this type of change. By getting feedback before you spend days on a complex change, you can ensure that you're not wasting your time.

"},{"location":"NewUserGuide/#installation","title":"Installation","text":"
  • Install PowerShell 7 or later.
  • Install Visual Studio Code. You'll need this to develop scripts for this project.
  • Assuming you're running Windows, install Git For Windows. When it asks for your default editor, choose Visual Studio Code. The rest of the defaults are fine. If you're on a different operating system, refer to the Git documentation for instructions.
  • Optional but recommended: Install Posh Git in your PowerShell 7+ shell. This adds some useful features such as branch name autocompletion in PowerShell.
"},{"location":"NewUserGuide/#forking-the-repository","title":"Forking the repository","text":"

The first step is to fork the repository on GitHub. Unless you have Write access to CSS-Exchange, you can't push directly to our repo. Creating a fork creates your own copy of the repo on GitHub, so you have somewhere to push your changes.

To fork the repository, use the Fork icon at the top right of the repository page.

You'll be prompted for a name and description. The defaults are fine. When the fork is complete, you'll be taken to the new repository page. At the top left, you should see that you are now on your own fork.

"},{"location":"NewUserGuide/#cloning-the-repository","title":"Cloning the repository","text":"

Now you're ready to start using the git command line. To clone the repository, drop down the Code button and copy the URL:

Then use that URL to clone the repository using the command line:

git clone <url>\n

This creates a folder called CSS-Exchange in your current directory.

"},{"location":"NewUserGuide/#creating-a-new-branch","title":"Creating a new branch","text":"

Change into the folder that was just created. Your shell should now look something like this.

Because we have PoshGit loaded, it's showing our current branch name in the prompt - main. Let's create a new branch for our work. It's nice to use a descriptive name. For example, if we're updating this guide, we might call name it like so:

"},{"location":"NewUserGuide/#making-changes","title":"Making changes","text":"

Now that you're on your own branch, you're ready to make your changes. You can technically use any tool you like - notepad, vim, whatever. But, if you open the repo root folder in Visual Studio Code, many of the repository formatting settings will be applied automatically. You can also shift-alt-F to reformat a file according to the settings. This may save you some time later.

For this example, I created a new script called New-Script.ps1.

After making our changes, it's a good idea to verify that git sees everything we changed, and that we haven't changed any files we didn't intend to. Because we have PoshGit, just hitting Enter to get a new prompt shows us some information about how many files have changed. We can also run git status to see some details.

This looks good. My intent was to add one script file, and that's the only change shown here.

"},{"location":"NewUserGuide/#formatting-changes","title":"Formatting changes","text":"

CSS-Exchange has some formatting requirements to ensure consistency, and these checks are integrated into our build process. Before committing changes, let's run .build\\CodeFormatter.ps1 to see if our new script meets the requirements.

CodeFormatter highlighted a few problems here:

  • File has no newline at the end.
  • File is missing the required compliance header.
  • File has no BOM. We require a BOM on scripts.
  • The formatting of the code itself is not using the correct brace style. This is shown in a warning, followed by diff output illustrating the required change. In addition, a PSScriptAnalyzer check at the end highlights the same issue with the PSPlaceOpenBrace rule.

CodeFormatter will fix some problems automatically if the -Save switch is included. Let's run it again with -Save.

Here we see CodeFormatter automatically fixed all of these issues when run with the -Save switch. Running a second time, we can confirm everything was fixed, as it generates no output at all.

"},{"location":"NewUserGuide/#staging-changes","title":"Staging changes","text":"

We're almost ready to commit our changes, but first we should stage them. Staging gives us a chance to sanity-check what we're about to commit before we actually commit. It's especially useful when we have modified several files for testing, but we only intend to commit some of them.

If we run git status again, we should once again see that only one file is modified for our simple test case. Then we can stage our file with git add, and check the result again with git status.

When we have many files to commit, we can use git add . to stage all files in the current folder and SubFolders, or git add :/ to stage all files everywhere. When using those options, it's especially important to check git status to make sure we haven't staged something we didn't intend to.

"},{"location":"NewUserGuide/#committing-changes","title":"Committing changes","text":"

If git status shows that the correct files are staged, we can commit them with git commit. This will open the default editor, which will be Visual Studio Code if you chose it when installing Git as described earlier.

The top line should be the title of the commit. Then skip a line and add further details as necessary. Close the tab, choose Save when prompted, and we see the following output.

Now our changes are committed to our local copy of our branch, but we need to push those to GitHub.

"},{"location":"NewUserGuide/#pushing-the-changes","title":"Pushing the changes","text":"

Because this is the first time we're pushing changes for our new branch, we have to provide a few details. On our first push of our new branch, the syntax will be git push -u origin <branch name>.

Origin means we're pushing to the location we cloned from - this is the name of the remote repo by default. The -u parameter tells it to set this as our upstream for this branch. We only have to do this the first time. If we make additional changes on this branch and commit them, we can now push them to the server with a simple git push, since we have now told it that origin will be our upstream going forward.

Now we're ready to request that our changes be pulled into the official repo.

"},{"location":"NewUserGuide/#creating-a-pull-request","title":"Creating a Pull Request","text":"

There are a few ways to create a Pull Request. We can see in the previous screenshot that GitHub helpfully shows us a URL we can visit to start a Pull Request. You can also manually navigate to the Pull Request tab of the official repo, and create a new Pull Request there. You might even see a prompt to create a PR for the branch you just pushed. Either of these methods will work.

At this point we're presented with a form to provide some details about the PR. Be sure that at the top of the PR form, we see the official repo and the main branch on the left, followed by your fork and the branch you created on the right.

Fill in the details and hit Create Pull Request.

"},{"location":"NewUserGuide/#responding-to-feedback","title":"Responding to feedback","text":"

The repository owners will often request some changes to our code by commenting on the Pull Request. To update the code in the Pull Request, simply make the additional changes in your local files, stage them, and commit them just as before. Then, git push. Remember, we don't need any other parameters on the push this time. After pushing new changes, we should see the PR update almost instantly.

Once the owners are satisfied with the changes, they will approve and merge the PR. And we're done!

"},{"location":"NewUserGuide/#cleaning-up","title":"Cleaning up","text":"

Once the PR is merged, we can delete our fork and delete the folder containing our local clone. We can keep the fork around if we intend to contribute further, but the main branch of the fork will not automatically pull in the latest changes from the official repo. It will get further and further out of date, which may cause problems with future pull requests. To avoid this, we'll need to pull in the changes from the main branch of the official repo into our fork. This is out of scope for this guide, so we'll leave this an exercise for the reader.

"},{"location":"Performance/ExPerfAnalyzer/","title":"ExPerfAnalyzer","text":"

Download the latest release: ExPerfAnalyzer.ps1

"},{"location":"Performance/ExPerfAnalyzer/#running-the-script","title":"Running the script","text":"
.\\ExPerfAnalyzer.ps1 .\\EXSERVER01_FULL_000001.BLG\n
"},{"location":"Performance/ExPerfAnalyzer/#registering-script-as-a-default-handler","title":"Registering script as a default handler","text":"
.\\ExPerfAnalyzer.ps1 -RegisterHandler\n

PowerShell must be running as an administrator for this command to work. The script will register itself as a shell handler for perfmon .blg files. You can then right-click any .blg file and select ExPerfAnalyzer to quickly parse the file.

"},{"location":"Performance/ExPerfAnalyzer/#inspiration","title":"Inspiration","text":"

This script was inspired by Performance Analysis of Logs (PAL) and PMA.VBS (an internal tool used by Windows support).

"},{"location":"Performance/ExPerfAnalyzer/#faq","title":"FAQ","text":"

  • This takes forever to run.

    It's faster than PAL.

  • Why don't I just use PAL?

    You could, but PAL takes even longer to run and throws a lot of false positives.

  • What's the expected running time?

    v0.2.2 and an Intel Core i7-4810MQ @ 2.8Ghz processed a 1GB perfmon sitting on an SSD in 11 seconds.

  • Can I edit this script however I'd like?

    Yes, that's the magic of open source software!

  • Do you accept pull requests? Can I contribute to the script?

    Of course!

"},{"location":"Performance/ExPerfWiz/","title":"About ExPerfWiz","text":"

Download the latest release: ExPerfWiz.ps1

ExPerfWiz is a PowerShell based script to help automate the collection of performance data on Exchange 2013, 2016 and 2019 servers.\u00a0 Supported operating systems are Windows 2012, 2012 R2, 2016 and 2019 Core and Standard.

"},{"location":"Performance/ExPerfWiz/#initial-run","title":"Initial Run","text":"

Run .\\ExPerfWiz.ps1 from an elevated shell.

  • You will be prompted to setup a default collector on the current server.
  • Selecting Y will configure but not start a default collector on the current server.
  • Selecting N will return to a prompt without creating a collector.

Once a prompt is returned all of the ExPerfWiz functions will now be available to run.

"},{"location":"Performance/ExPerfWiz/#common-usage","title":"Common Usage","text":"

New-ExPerfWiz -FolderPath C:\\PerfWiz -StartOnCreate

"},{"location":"Performance/ExPerfWiz/#how-to-use","title":"How to use","text":"

The following functions are provided by ExPerfWiz to manage data collection.

"},{"location":"Performance/ExPerfWiz/#get-experfwiz","title":"Get-ExPerfWiz","text":"

Gets ExPerfWiz data collector sets

Switch Description Default Name Name of the Data Collector set Exchange_PerfWiz Server Name of the Server Local Machine ShowLog Displays the ExPerfWiz Log file NA"},{"location":"Performance/ExPerfWiz/#new-experfwiz","title":"New-ExPerfWiz","text":"

Creates an ExPerfWiz data collector set Will overwrite any existing sets with the same name

Switch Description Default Circular Enabled or Disable circular logging Disabled Duration How long should the performance data be collected 08:00:00 FolderPath Output Path for performance logs NA Interval How often the performance data should be collected. 5s MaxSize Maximum size of the perfmon log in MegaBytes (256-4096) 1024Mb Name The name of the data collector set Exchange_PerfWiz Server Name of the server where the perfmon collector should be created Local Machine StartOnCreate Starts the counter set as soon as it is created False StartTime Daily time to start perfmon counter NA Template XML perfmon template file that should be loaded to create the data collector set. Exch_13_16_19_Full.xml Threads Includes threads in the counter set. False"},{"location":"Performance/ExPerfWiz/#set-experfwiz","title":"Set-ExPerfWiz","text":"

Modifies the configuration of an existing data collector set.

Switch Description Default Duration How long should the performance data be collected 08:00:00 Interval How often the performance data should be collected. 5s MaxSize Maximum size of the perfmon log in MegaBytes (256-4096) 1024Mb Name The name of the data collector set Exchange_PerfWiz Server Name of the server where the perfmon collector should be created Local Machine StartTime Daily time to start perfmon counter NA Quiet Suppress output False"},{"location":"Performance/ExPerfWiz/#remove-experfwiz","title":"Remove-ExPerfWiz","text":"

Removes an ExPerfWiz data collector set

Switch Description Default Name Name of the Perfmon Collector set Exchange_PerfWiz Server Name of the server to remove the collector set from Local Machine"},{"location":"Performance/ExPerfWiz/#start-experfwiz","title":"Start-ExPerfWiz","text":"

Starts an ExPerfWiz data collector set

Switch Description Default Name The Name of the Data Collector set to start Exchange_PerfWiz Server Name of the remote server to start the data collector set on. Local Machine"},{"location":"Performance/ExPerfWiz/#stop-experfwiz","title":"Stop-ExPerfWiz","text":"

Stops an ExPerfWiz data collector set

Switch Description Default Name Name of the data collector set to stop. Exchange_PerfWiz Server Name of the server to stop the collector set on. Local Machine"},{"location":"Performance/ExPerfWiz/#example-usage","title":"Example Usage","text":""},{"location":"Performance/ExPerfWiz/#default-usage-for-data-gathering","title":"Default usage for data gathering","text":"

New-ExPerfWiz -FolderPath C:\\ExPerfWiz -StartOnCreate

"},{"location":"Performance/ExPerfWiz/#stop-data-collection","title":"Stop Data Collection","text":"

Stop-ExPerfWiz

"},{"location":"Performance/ExPerfWiz/#collect-data-from-another-server","title":"Collect data from another server","text":"

New-ExPerfWiz -FolderPath C:\\ExPerfWiz -server RemoteExchServer

"},{"location":"Performance/ExPerfWiz/#collect-data-from-multiple-servers","title":"Collect data from multiple servers","text":"

Get-ExchangeServer | Foreach {New-ExPerfWiz -FolderPath C:\\ExPerfWiz -StartOnCreate -Server $_.name}

"},{"location":"Performance/ExPerfWiz/#important-notes","title":"Important Notes","text":"
  • The default duration is 8 hours to save on disk space meaning that the data collection will stop after 8 hours.
  • Using -Threads should only be done if needed to troubleshoot the issue. It will SIGNIFICANTLY increase the size of the resulting perfmon files.
  • Do not stop the log gathering thru the Perfmon GUI that can result in an unreadable log file. Always stop the data gathering with Stop-ExPerfWiz.
"},{"location":"Performance/SimplePerf/","title":"SimplePerf","text":"

Download the latest release: SimplePerf.ps1

This script is a stripped-down and streamlined performance log collector for Exchange Server.

"},{"location":"Performance/SimplePerf/#common-examples","title":"Common Examples","text":"

.\\SimplePerf.ps1 -Start\n
Starts a collector using Exchange counter defaults. The collector is non-circular, will run for 8 hours, has a 5-second interval, has a max file size of 1 GB, and saves the logs to C:\\SimplePerf.

.\\SimplePerf.ps1 -Start -IncludeCounters \"\\Thread\"\n
Starts a collector using Exchange counter defaults plus all \\Thread counters. The collector is non-circular, will run for 8 hours, has a 5-second interval, has a max file size of 1 GB, and saves the logs to C:\\SimplePerf.

.\\SimplePerf.ps1 -Start -Duration 02:00:00 -Interval 30 -MaximumSizeInMB 512 -OutputFolder C:\\PerfLogs\n
Starts a collector using Exchange counter defaults. The collector is non-circular, will run for 2 hours, has a 30-second interval, has a max file size of 512 MB, and saves the logs to C:\\PerfLogs.

.\\SimplePerf.ps1 -Start -Duration 02:00:00 -Interval 30 -MaximumSizeInMB 1024 -Circular -OutputFolder C:\\PerfLogs\n
Starts a collector using Exchange counter defaults. The collector is circular, will run for 2 hours, has a 30-second interval, has a max file size of 1024 MB, and saves the logs to C:\\PerfLogs.

.\\SimplePerf.ps1 -Stop\n
Stops a running SimplePerf.

Get-ExchangeServer | .\\SimplePerf.ps1 -Start\n
Starts a SimplePerf with the default options on all Exchange servers.

\"SRV1\", \"SRV2\", \"SRV3\" | .\\SimplePerf.ps1 -Start\n
Starts a SimplePerf with the default options on the three named servers.

\"SRV1\", \"SRV2\", \"SRV3\" | .\\SimplePerf.ps1 -Stop\n
Stops a running SimplePerf on the three named servers.

"},{"location":"Performance/SimplePerf/#using-named-collectors","title":"Using Named Collectors","text":"

It is possible to run several SimplePerf collectors on the same computer at the same time by providing the -CollectorName parameter. For example:

.\\SimplePerf -Start -Interval 60 -CollectorName \"Minute\"\n.\\SimplePerf -Start -Interval 5 -CollectorName \"FiveSeconds\"\n

When using collector names, the same name must be provided to the -Stop command:

.\\SimplePerf -Stop -CollectorName \"Minute\"\n.\\SimplePerf -Stop -CollectorName \"FiveSeconds\"\n
"},{"location":"Performance/SimplePerf/#counter-name-filters","title":"Counter Name Filters","text":"

The counters collected by SimplePerf can be controlled with a combination of three parameters: -Scenario, -IncludeCounters, and -ExcludeCounters.

Currently, there are only two scenarios: Exchange and None. The Exchange scenario is a common set of counters for Exchange Server, similar to what ExPerfWiz would collect. None is a completely empty counter set.

-IncludeCounters and -ExcludeCounters perform a StartsWith match against the counter name. This makes it possible to collect a large number of counters with minimal syntax. For example:

.\\SimplePerf.ps1 -Start -IncludeCounters \"\\MSExchange\", \"\\Microsoft Exchange\"\n
This example starts a SimplePerf using the Exchange scenario, but then it includes every counter starting with either MSExchange or Microsoft Exchange.

.\\SimplePerf.ps1 -Start -IncludeCounters \"\\MSExchange\", \"\\Microsoft Exchange\" -Scenario \"None\"\n
This example starts a SimplePerf collecting all the matching Exchange counters without including any default counters at all, because the None scenario was specified.

.\\SimplePerf.ps1 -Start -ExcludeCounters \"\\MSExchange Transport\"\n
In this example, we use the Exchange scenario as a starting point, but then we remove all counters starting with MSExchange Transport.

Note that individual counters can be excluded even if the counter set has been included. To illustrate:

In this screenshot we see all the counters that exist for the Thread set.

If we tell SimplePerf to include \"\\Thread\", then it simply collects the whole object.

However, if we tell it to Include \"\\Thread\" but exclude \"\\Thread(*)\\Priority\", we see that it has correctly expanded the Thread object and is collecting all counters except \"Priority Current\" and \"Priority Base\".

This filtering mechanism makes it easy to customize the counter set with minimal text. To check the result of your counter filters, add the -Verbose switch, or check the counters txt file in $env:TEMP.

Note that the resulting set can only show counters that exist on the local machine. For instance, you won't see any Exchange counters in the Verbose output if the script is not running on an Exchange Server.

"},{"location":"Performance/SimplePerf/#language-support","title":"Language Support","text":"

SimplePerf works regardless of the current language. It does this by translating the provided counter filters to whatever the current server language happens to be. This means that counter names must always be provided in English, even when the current language is not English.

For example, here is the same command from the earlier example running on a server where Spanish is the current language:

"},{"location":"PublicFolders/SourceSideValidations/","title":"SourceSideValidations","text":"

Download the latest release: SourceSideValidations.ps1

This script performs pre-migration public folder checks for Exchange 2013, 2016, and 2019. For Exchange 2010, please use previous script found here.

"},{"location":"PublicFolders/SourceSideValidations/#syntax","title":"Syntax","text":"
SourceSideValidations.ps1\n  [-StartFresh <bool>]\n  [-SlowTraversal]\n  [-ResultsFile <string>]\n  [-SkipVersionCheck]\n  [-Tests <string[]>]\n  [<CommonParameters>]\nSourceSideValidations.ps1 -RemoveInvalidPermissions\n  [-ResultsFile <string>]\n  [-SkipVersionCheck]\n  [<CommonParameters>]\nSourceSideValidations.ps1 -SummarizePreviousResults\n  [-ResultsFile <string>]\n  [-SkipVersionCheck]\n  [<CommonParameters>]\n
"},{"location":"PublicFolders/SourceSideValidations/#output","title":"Output","text":"

The script will generate the following files. Usually the only one we care about is ValidationResults.csv. The others are purely for saving time on subsequent runs.

File Name Content Use IpmSubtree.csv A subset of properties of all Public Folders Running with -StartFresh $false loads this file instead of retrieving fresh data Statistics.csv EntryID, item count, and size of every folder Running with -StartFresh $false loads this file instead of retrieving fresh data NonIpmSubtree.csv A subset of properties of all System Folders Running with -StartFresh $false loads this file instead of retrieving fresh data ValidationResults.csv Information about any issues found. This is file we want to examine to understand any issues found. The script will display a summary of what it found, and in many cases it will provide an example command that uses input from this file to fix the problem."},{"location":"PublicFolders/SourceSideValidations/#tests","title":"Tests","text":"

The script performs the following tests. The ValidationResults.csv can be filtered by ResultType to identify the respective folders.

Test Category ResultType Criteria DumpsterMapping BadDumpsterMapping DumpsterEntryId is null, or the dumpster is not in \\NON_IPM_SUBTREE\\DUMPSTER_ROOT, or the DumpsterEntryId of the dumpster does not point back to the folder. Limit ChildCount The folder has more than 10,000 direct child folders. Limit EmptyFolder The folder and all its child folders (recursive) have no items. Limit FolderPathDepth The folder path is greater than 299 folders deep. Limit HierarchyCount There are more than 250,000 total folders in the hierarchy. Limit HierarchyAndDumpsterCount There are more than 250,000 total folders if you count both the folders and their dumpsters. Limit ItemCount The folder has more than 1,000,000 items. Limit NoStatistics Get-PublicFolderStatistics did not return any statistics for these folders. ItemCount, TotalItemSize, and EmptyFolder tests were skipped. Limit TotalItemSize The items directly in this folder (not child folders) add up to more than 25 GB. MailEnabledFolder MailDisabledWithProxyGuid The folder is not mail-enabled, but it has the GUID of an Active Directory object in its MailRecipientGuid property. MailEnabledFolder MailEnabledSystemFolder The folder is a system folder, which should not be mail-enabled. MailEnabledFolder MailEnabledWithNoADObject The folder is mail-enabled, but it has no Active Directory object. MailEnabledFolder OrphanedMPF An Active Directory object exists, but it is not linked to any folder. MailEnabledFolder OrphanedMPFDuplicate An Active Directory object exists, but it points to a public folder which points to a different object. MailEnabledFolder OrphanedMPFDisconnected An Active Directory object exists, but it points to a public folder that is mail-disabled. FolderName SpecialCharacters Folder name contains @, /, or \\. Permission BadPermission The permission does not refer to a valid entity."},{"location":"PublicFolders/SourceSideValidations/#usage","title":"Usage","text":"

Typically, the script should be run with no parameters:

.\\SourceSideValidations.ps1\n

Progress indicators are displayed as it collects data and validates the results.

The final test, which checks permissions, will usually take much longer than the other tests.

When all the tests are done, the script provides a summary of what it found, along with example commands that fix some issues.

In this example output, the script calls out four issues.

First, it points out that we have 111,124 folders that are completely empty (this is a lab). Note the ResultType of EmptyFolder. If we want to see the list of empty folders, we can open up ValidationResults.csv in Excel, filter for a ResultType of EmptyFolder, and then we see all those results:

For these folders, no action is required. The script is just giving us information.

The next thing it calls out is that 4 folders have problematic characters in the name. The output tells us these have a ResultType of SpecialCharacters. Filtering for that in the CSV, we see the folders.

Fortunately, the script gives us a command we can run to fix all the names. We can copy and paste the command it gave us, let it run, and then spot check the result.

Now that the names are fixed, we move on to the next item.

The script tells us we have a mail public folder object for a public folder that is mail-disabled. For this type of problem, we need to examine the folder and figure out what we want to do. The CSV file gives us the DN of the mail object and the entry ID of the folder, which we can use to examine the two objects.

The folder says MailEnabled is False, yet we have a MailPublicFolder which points to it. We need to decide whether we want the folder to receive email or not. For this lab, I decide I do want the folder to be mail-enabled, so I remove the orphaned MailPublicFolder and then mail-enable the folder.

I also confirm the new object has the same email address as the old one. This might need to be adjusted manually in some cases, but here I didn't have to.

Finally, the script says we have 9,850 invalid permissions. Fortunately, this is another one that is easy to fix, as the script provides a command.

This one is going to take a while. Once completed, we can rerun SourceSideValidations to make sure all the issues are resolved.

If you close the shell and you need to see the summary results again, use the -SummarizePreviousResults switch.

.\\SourceSideValidations -SummarizePreviousResults\n

The script reads the output file and repeats the instructions on what to do. You can also summarize the results from previous runs, or point to files in other locations, by providing the -ResultsFile parameter.

"},{"location":"PublicFolders/ValidateEXOPFDumpster/","title":"ValidateExoPfDumpster","text":"

Download the latest release: ValidateExoPfDumpster.ps1

This script investigates public folders/items deletion operations failures & propose FIXes for mitigation. The script is working to validate the below conditions over the affected public folder

"},{"location":"PublicFolders/ValidateEXOPFDumpster/#checks-run","title":"Checks run:","text":"
  1. Public folder size issue
    • Public folder content mailbox TotalDeletedItemSize value has exceeded its RecoverableItemsQuota value
    • Public folder size is full
  2. User permissions are not synced between public folder mailboxes
  3. Content Public folder mailbox across the public folder & its dumpster is different
  4. EntryId & DumpsterEntryID values are not mapped properly on the public folder & its dumpster
  5. Parent public folder dumpster is unhealthy
  6. Dumpster folder
  7. Dumpster folder has children
  8. Mail-enabled public folder health if MEPfProxyGuid was null
"},{"location":"PublicFolders/ValidateEXOPFDumpster/#syntax","title":"Syntax","text":"
ValidateExoPfDumpster.ps1\n  [-PFolder <string[]>]\n  [-AffectedUser <string[]>]\n  [-ExportPath <string[]>]\n
"},{"location":"PublicFolders/ValidateEXOPFDumpster/#output","title":"Output","text":"

The script will generate the public folder validation checks failures & proposed Fixes results on screen and will generate same results on ValidatePFDumpsterREPORT.txt file as well. There are other files generated for either script logging purposes or sometimes for logs to be shared with Microsoft personnel in case issues encountered requires microsoft support team intervention.

File Name Content Use ValidatePFDumpsterREPORT.txt Information about any blockers found The script will display what it found, and in many cases it will provide a mitigation to fix the problem ValidatePFDumpsterChecksLogging.csv Information about the reason of script failure to run The file will display errors encountered on running the script and at which stage PublicFolderInfo.xml All required information about the affected public folder This log file to be shared with Microsoft personnel"},{"location":"PublicFolders/ValidateEXOPFDumpster/#usage","title":"Usage","text":"

Typically, the script should run with PFolder identity parameter as illustrated below:

.\\ValidateExoPfDumpster.ps1 -PFolder \\pf1\n

The script will prompt for affected public folder identity/EntryID if it wasn't provided using PFolder parameter then it will prompt for global administrator username & password to connect to EXO by default it validates if the issue is specific to the Public folder \"e.g. all users are affected\"

If the issue happens only with a specific user on that case an affected user smtp address is required to be provided

In this example output, the script calls out two blockers.

It points out the below blockers: - Neither user nor Default user have sufficient permissions to delete items inside the public folder - Public folder size has exceeded Individual Public Folder ProhibitPostQuota value

In this example output, the script calls out four blockers.

It points out the below issues: - Public folder & its dumpster doesn't have the same content public folder mailbox - Public folder EntryId & DumpsterEntryID values are not mapped properly - Public folder size has exceeded Organization DefaultPublicFolderProhibitPostQuota value - Public folder dumpster has 1 subfolder

The script created a log file containing all the required information \"PublicFolderInfo.xml\" to be shared with Microsoft personnel for the first two blockers & provided mitigation for the last two blockers and you can see same results under ValidatePFDumpsterREPORT.txt file.

"},{"location":"PublicFolders/ValidateMailEnabledPublicFolders/","title":"ValidateMailEnabledPublicFolders","text":"

Download the latest release: ValidateMailEnabledPublicFolders.ps1

This script performs pre-migration checks on mail-enabled folders on Exchange 2010 and up. Note that these checks are also included in the new SourceSideValidations.ps1 for 2013 and up.

"},{"location":"Retention/Get-MRMDetails/","title":"Get-MRMDetails","text":"

Download the latest release: Get-MRMDetails.ps1

This script will gather the MRM configuration for a given user. It will collect the current MRM Policy and Tags for the Exchange Organization, the current MRM Policy and Tags applied to the user, the current Exchange Diagnostics Logs for the user, and Exchange Audit logs for the mailbox selected. The resulting data will allow you to see what tags are applied to the user and when the Managed Folder Assistant has run against the user. It also will grab the Admin Audit log so that we can tell if the Tags or Polices have been modified and who modified them.

To run the script, at minimum you will need a valid SMTP Address for a user. Then you can review the associated logs that are generated from the script.

Syntax:

.\\Get-MRMDetails.ps1 -Mailbox <user>\n

Example to collect the MRM Details from rob@contoso.com:

.\\Get-MRMDetails.ps1 -Mailbox rob@contoso.com\n
"},{"location":"Search/Troubleshoot-ModernSearch/","title":"Troubleshoot-ModernSearch","text":"

Download the latest release: Troubleshoot-ModernSearch.ps1

This script is still in development. However, this should be able to quickly determine if an item is indexed or not and why it isn't indexed. Just provide the full message subject and the mailbox identity and it will dump out the information needed to determine if the message is indexed or not.

"},{"location":"Search/Troubleshoot-ModernSearch/#parameters","title":"Parameters","text":"Parameter Description MailboxIdentity Provide the identity of the mailbox that you wish to be looking at. If you are able to find it via Get-Mailbox it is able to be used here. ItemSubject Provide the message's subject name. Must be exact if -MatchSubjectSubstring isn't used. This includes if there is a trailing space at the end of the message subject. MatchSubjectSubstring Enable to perform a like search in the mailbox with the value that is passed with -ItemSubject. FolderName If you want to scope the search to a folder for better and faster results, include the name of the folder that the message is in. DocumentId If you already know the document ID number for the mailbox, provide this. This can not be use with -ItemSubject parameter. Category Provides a breakdown of the messages in the mailbox for that index category state. Possible options are: All, Indexed, PartiallyIndexed, NotIndexed, Corrupted, Stale, and ShouldNotBeIndexed. NOTE: Depending the item count, this can take a long while to complete. GroupMessages To group the messages by Indexing Error Message and Permanent failure state or not. By Disabling this, you get more properties displayed of the message as well. Server Provide a list of possible servers that you wish to get mailbox statistics for all the active databases on that server. SortByProperty Provide the property that you wish to have the information sorted by in the output to screen. Default is to sort by FullyIndexPercentage ExcludeFullyIndexedMailboxes When look at the multiple mailbox statistics, we don't want to view the mailboxes that are fully indexed without any indexing problems. QueryString Include a string that you are using to try to find this item, we will run an instant query against it to see if we can find it. IsArchive Enable if you want to look at the archive mailbox. IsPublicFolder Enable if you want to look at a public folder mailbox."},{"location":"Search/Troubleshoot-ModernSearch/#examples","title":"Examples","text":"

This is an example of how to run a basic query again a single item.

.\\Troubleshoot-ModernSearch.ps1 -MailboxIdentity han@solo.com -ItemSubject \"Test Message\"\n

This is an example of how to run the script when you want to query multiple items with a similar subject name.

.\\Troubleshoot-ModernSearch.ps1 -MailboxIdentity \"Zelda01\" -ItemSubject \"Initial Indexing\" -MatchSubjectSubstring\n

This is an example of how to run the script against an Archive Mailbox.

.\\Troubleshoot-ModernSearch.ps1 -MailboxIdentity han@solo.com -ItemSubject \"Test Message\" -IsArchive\n

This is an example of how to run the script against a Public Folder Mailbox

.\\Troubleshoot-ModernSearch.ps1 -MailboxIdentity PFMailbox2 -ItemSubject \"My Item Test\" -IsPublicFolder\n

This is an example of how to run the script to get all the index state categories

.\\Troubleshoot-ModernSearch.ps1 -MailboxIdentity \"Zelda02\" -Category \"All\"\n

This is an example of how to run the script to get all the non indexed items

.\\Troubleshoot-ModernSearch.ps1 -MailboxIdentity \"Zelda02\" -Category \"NotIndexed\"\n

This is an example of how to run the script to get all the active mailboxes on a server

.\\Troubleshoot-ModernSearch.ps1 -Server \"Solo-E19A\"\n
"},{"location":"Security/CVE-2023-21709/","title":"CVE-2023-21709","text":"

Download the latest release: CVE-2023-21709.ps1

Note

Microsoft has released the Windows Server October 2023 security update to address the TokenCacheModule vulnerability. While the script can still be used to mitigate the vulnerability, the recommended solution is to install the Windows Server October 2023 (or later) security update instead. The update and more information can be found here: CVE-2023-36434

The CVE-2023-21709.ps1 script can be used to mitigate the CVE-2023-21709 and CVE-2023-36434 vulnerability by removing the TokenCacheModule from IIS. It can also be used to restore a previously removed TokenCacheModule.

Note

The script doesn't perform any check if the Windows Server October 2023 (or later) security update has been installed before restoring the TokenCacheModule. Make sure to install the update before restoring the module.

The script allows you to explicitly specify a subset of Exchange servers on which the TokenCacheModule should be removed or restored. It's also possible to exclude a subset of Exchange servers from the operation performed by the script.

"},{"location":"Security/CVE-2023-21709/#requirements","title":"Requirements","text":"

This script must be run as Administrator in Exchange Management Shell (EMS). The user must be a member of the Organization Management role group.

"},{"location":"Security/CVE-2023-21709/#how-to-run","title":"How To Run","text":""},{"location":"Security/CVE-2023-21709/#examples","title":"Examples:","text":"

This syntax removes the TokenCacheModule from all Exchange servers within the organization.

.\\CVE-2023-21709.ps1\n

This syntax removes the TokenCacheModule from ExchangeSrv01 and ExchangeSrv02.

.\\CVE-2023-21709.ps1 -ExchangeServerNames ExchangeSrv01, ExchangeSrv02\n

This syntax removes the TokenCacheModule from all Exchange servers within the organization except ExchangeSrv02.

.\\CVE-2023-21709.ps1 -SkipExchangeServerNames ExchangeSrv02\n

This syntax restores the TokenCacheModule on all Exchange servers within the organization.

.\\CVE-2023-21709.ps1 -Rollback\n
"},{"location":"Security/CVE-2023-21709/#parameters","title":"Parameters","text":"Parameter Description ExchangeServerNames A list of Exchange servers that you want to run the script against. This can be used for applying or rollback the CVE-2023-21709 configuration change. SkipExchangeServerNames A list of Exchange servers that you don't want to execute the TokenCacheModule configuration action. Rollback Switch parameter to rollback the CVE-2023-21709 configuration change and add the TokenCacheModule back to IIS. ScriptUpdateOnly Switch parameter to only update the script without performing any other actions. SkipVersionCheck Switch parameter to skip the automatic version check and script update."},{"location":"Security/ConfigureFipFsTextExtractionOverrides/","title":"ConfigureFipFsTextExtractionOverrides","text":"

Download the latest release: ConfigureFipFsTextExtractionOverrides.ps1

Note

Starting in the Exchange Server March 2024 security update we disable the use of the Oracle Outside In Technology (also known as OutsideInModule or OIT) in Microsoft Exchange Server due to multiple security vulnerabilities in the module. The OutsideInModule was used by the Microsoft Forefront Filtering Module to extract information from different file types, to perform content inspection as part of the Exchange Server Data Loss Prevention (DLP) or Exchange Transport Rules (ETR) features.

The ConfigureFipFsTextExtractionOverrides.ps1 script can be used to manipulate the usage of OutsideInModule that is disabled by default in the Exchange Server March 2024 security update.

There are two scenarios in which the script could be used:

  • It can be used to explicitly enable file types that should be processed by the help of the OutsideInModule.
  • It can be used to override the version of the OutsideInModule that should be used for processing file types, which were explicitly enabled to be processed by the OutsideInModule. After installing the March 2024 security update, Exchange Server uses the latest version of the OutsideInModule version 8.5.7 by default. By activating this override, OutsideInModule version 8.5.3 will be used.

Details about the change that was done as part of the March 2024 security update can be found in KB5037191.

Details about the security vulnerability can be found in the MSRC security advisory.

Warning

Microsoft strongly recommends not overriding the default behavior that was introduced with the March 2024 security update if there are no functional issues that affect your organization's mail flow.

"},{"location":"Security/ConfigureFipFsTextExtractionOverrides/#requirements","title":"Requirements","text":"

This script must be run as Administrator in Exchange Management Shell (EMS). The user must be a member of the Organization Management role group.

"},{"location":"Security/ConfigureFipFsTextExtractionOverrides/#how-to-run","title":"How To Run","text":""},{"location":"Security/ConfigureFipFsTextExtractionOverrides/#examples","title":"Examples:","text":"

This syntax enables processing of Jpeg and AutoCad file types by the help of the OutsideInModule on the server where the command was executed.

.\\ConfigureFipFsTextExtractionOverrides.ps1 -ConfigureOverride \"Jpeg\", \"AutoCad\" -Action \"Allow\"\n

This syntax disables processing of Jpeg and AutoCad file types by the help of the OutsideInModule on the server ExchangeSrv01 and ExchangeSrv02.

.\\ConfigureFipFsTextExtractionOverrides.ps1 -ExchangeServerNames ExchangeSrv01, ExchangeSrv02 -ConfigureOverride \"Jpeg\", \"AutoCad\" -Action \"Block\"\n

This syntax causes Exchange Server to use the previous version of the OutsideInModule. The override will be enabled on the system on which the script was executed. Note that this can make your system vulnerable to known vulnerabilities in the previous version and should not be used unless explicitly advised by Microsoft.

.\\ConfigureFipFsTextExtractionOverrides.ps1 -ConfigureOverride \"OutsideInModule\" -Action \"Allow\"\n

This syntax disables the override of the version of the OutsideInModule module on the server ExchangeSrv01 and ExchangeSrv02.

.\\ConfigureFipFsTextExtractionOverrides.ps1 -ExchangeServerNames ExchangeSrv01, ExchangeSrv02 -ConfigureOverride \"OutsideInModule\" -Action \"Block\"\n

This syntax restores the configuration.xml from the backup that was created by a previous run of the script on the Exchange server where the script was executed.

.\\ConfigureFipFsTextExtractionOverrides.ps1 -Rollback\n
"},{"location":"Security/ConfigureFipFsTextExtractionOverrides/#parameters","title":"Parameters","text":"Parameter Description ExchangeServerNames A list of Exchange servers that you want to run the script against. SkipExchangeServerNames A list of Exchange servers that you don't want to execute the configuration action. ConfigureOverride A list of file types that should be allowed to be processed by the OutsideInModule. The following input can be used: XlsbOfficePackage, XlsmOfficePackage, XlsxOfficePackage, ExcelStorage, DocmOfficePackage, DocxOfficePackage, PptmOfficePackage, PptxOfficePackage, WordStorage, PowerPointStorage, VisioStorage, Rtf, Xml, OdfTextDocument, OdfSpreadsheet, OdfPresentation, OneNote, Pdf, Html, AutoCad, Jpeg, Tiff.If you want to enable the previous version of the OutsideInModule (8.5.3) to process file types, you must specify OutsideInModule as file type. Note that the OutsideInModule value cannot be used together with other file type values.The input is case-sensitive. Action String parameter to define the action that should be performed. Input can be Allow or Block. The default value is: Block Rollback Switch parameter to restore the configuration.xml that was backed-up during a previous run of the script. ScriptUpdateOnly Switch parameter to only update the script without performing any other actions. SkipVersionCheck Switch parameter to skip the automatic version check and script update."},{"location":"Security/EOMT/","title":"Exchange On-premises Mitigation Tool (EOMT)","text":"

Download the latest release: EOMT.ps1

This script contains mitigations to help address the following vulnerabilities.

  • CVE-2021-26855

This is the most effective way to help quickly protect and mitigate your Exchange Servers prior to patching. We recommend this script over the previous ExchangeMitigations.ps1 script. The Exchange On-premises Mitigation Tool automatically downloads any dependencies and runs the Microsoft Safety Scanner. This a better approach for Exchange deployments with Internet access and for those who want an attempt at automated remediation. We have not observed any impact to Exchange Server functionality via these mitigation methods. EOMT.ps1 is completely automated and uses familiar mitigation methods previously documented. This script has four operations it performs:

  • +NEW Check for the latest version of EOMT and download it.
  • Mitigate against current known attacks using CVE-2021-26855 via a URL Rewrite configuration
  • Scan the Exchange Server using the Microsoft Safety Scanner
  • Attempt to remediate compromises detected by the Microsoft Safety Scanner.

This a better approach for Exchange deployments with Internet access and for those who want an attempt at automated remediation. We have not observed any impact to Exchange Server functionality via these mitigation methods nor do these mitigation methods make any direct changes that disable features of Exchange.

Use of the Exchange On-premises Mitigation Tool and the Microsoft Safety Scanner are subject to the terms of the Microsoft Privacy Statement: https://aka.ms/privacy

"},{"location":"Security/EOMT/#requirements-to-run-the-exchange-on-premises-mitigation-tool","title":"Requirements to run the Exchange On-premises Mitigation Tool","text":"
  • External Internet Connection from your Exchange server (required to download the Microsoft Safety Scanner and the IIS URL Rewrite Module).
  • PowerShell script must be run as Administrator.
"},{"location":"Security/EOMT/#system-requirements","title":"System Requirements","text":"
  • PowerShell 3 or later
  • IIS 7.5 and later
  • Exchange 2013, 2016, or 2019
  • Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019
  • +New If Operating System is older than Windows Server 2016, must have KB2999226 for IIS Rewrite Module 2.1 to work.
"},{"location":"Security/EOMT/#who-should-run-the-exchange-on-premises-mitigation-tool","title":"Who should run the Exchange On-premises Mitigation Tool","text":"Situation Guidance If you have done nothing to date to patch or mitigate this issue\u2026 Run EOMT.PS1 as soon as possible.This will both attempt to remediate as well as mitigate your servers against further attacks. Once complete, follow patching guidance to update your servers on http://aka.ms/exchangevulns If you have mitigated using any/all of the mitigation guidance Microsoft has given (ExchangeMitigations.Ps1, Blog post, etc..) Run EOMT.PS1 as soon as possible. This will both attempt to remediate as well as mitigate your servers against further attacks. Once complete, follow patching guidance to update your servers on http://aka.ms/exchangevulns If you have already patched your systems and are protected, but did NOT investigate for any adversary activity, indicators of compromise, etc\u2026. Run EOMT.PS1 as soon as possible. This will attempt to remediate any existing compromise that may not have been full remediated before patching. If you have already patched and investigated your systems for any indicators of compromise, etc\u2026. No action is required"},{"location":"Security/EOMT/#important-note-regarding-microsoft-safety-scanner","title":"Important note regarding Microsoft Safety Scanner","text":"

The Exchange On-premises Mitigation Tool runs the Microsoft Safety Scanner in a quick scan mode. If you suspect any compromise, we highly recommend you run it in the FULL SCAN mode. FULL SCAN mode can take a long time but if you are not running Microsoft Defender AV as your default AV, FULL SCAN will be required to remediate threats.

"},{"location":"Security/EOMT/#exchange-on-premises-mitigation-tool-examples","title":"Exchange On-premises Mitigation Tool Examples","text":"

The default recommended way of using EOMT.ps1. This will determine if your server is vulnerable, mitigate if vulnerable, and run MSERT in quick scan mode. If the server is not vulnerable only MSERT quick scan will run.

.\\EOMT.ps1

To run a Full MSERT Scan - We only recommend this option only if the initial quick scan discovered threats. The full scan may take hours or days to complete.

.\\EOMT.ps1 -RunFullScan -DoNotRunMitigation

To run the Exchange On-premises Mitigation Tool with MSERT in detect only mode - MSERT will not remediate detected threats.

.\\EOMT.ps1 -DoNotRemediate

To roll back the Exchange On-premises Mitigation Tool mitigations

.\\EOMT.ps1 -RollbackMitigation

Note: If ExchangeMitigations.ps1 was used previously to apply mitigations, Use ExchangeMitigations.ps1 for rollback.

+NEW EOMT will now AutoUpdate by downloading the latest version from GitHub. To prevent EOMT from fetching updates to EOMT.ps1 from the internet.

.\\EOMT.ps1 -DoNotAutoUpdateEOMT

"},{"location":"Security/EOMT/#exchange-on-premises-mitigation-tool-q-a","title":"Exchange On-premises Mitigation Tool Q & A","text":"

Question: What mode should I run EOMT.ps1 in by default?

Answer: By default, EOMT.ps1 should be run without any parameters:

This will run the default mode which does the following: 1. Checks if your server is vulnerable based on the presence of the SU patch or Exchange version. 2. Downloads and installs the IIS URL rewrite tool (only if vulnerable). 3. Applies the URL rewrite mitigation (only if vulnerable). 4. Runs the Microsoft Safety Scanner in \"Quick Scan\" mode (vulnerable or not).

Question: What if I run a full scan and it's affecting the resources of my servers?

Answer: You can terminate the process of the scan by running the following command in an Administrative PowerShell session.

Stop-Process -Name msert

Question: What is the real difference between this script (EOMT.PS1) and the previous script Microsoft released (ExchangeMitigations.Ps1).

Answer: The Exchange On-premises Mitigation Tool was released to help pull together multiple mitigation and response steps, whereas the previous script simply enabled mitigations. Some details on what each do:

"},{"location":"Security/EOMT/#eomtps1","title":"EOMT.PS1","text":"
  • Mitigation of CVE-2021-26855 via a URL Rewrite configuration.
  • Mitigation does not impact Exchange functionality.
  • Malware scan of the Exchange Server via the Microsoft Safety Scanner
  • Attempt to reverse any changes made by identified threats.
"},{"location":"Security/EOMT/#exchangemitigationsps1","title":"ExchangeMitigations.ps1:","text":"
  • Does mitigations for all 4 CVE's - CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 & CVE-2021-26858.
  • Some of the mitigation methods impact Exchange functionality.
  • Does not do any scanning for existing compromise or exploitation.
  • Does not take response actions to existing active identified threats.

Question: What if I do not have an external internet connection from my Exchange server?

Answer: If you do not have an external internet connection, you can still use the legacy script (ExchangeMitigations.ps1) and other steps from the mitigation blog post: Microsoft Exchange Server Vulnerabilities Mitigations \u2013 March 2021

Question: If I have already ran the mitigations previously, will the Exchange On-premises Mitigation Tool roll back any of the mitigations?

Answer: No, please use the legacy script (ExchangeMitigations.ps1) to do rollback. The legacy script supports rollback for the mitigations the Exchange On-premises Mitigation Tool applied.

"},{"location":"Security/EOMTv2/","title":"Exchange On-premises Mitigation Tool v2 (EOMTv2)","text":"

Please read carefully

The vulnerability addressed by this mitigation script has been addressed in latest Exchange Server Security Updates (starting with November 2022 SU). Mitigations can become insufficient to protect against all variations of an attack. Thus, installation of an applicable SU is the only way to protect your servers. Once you install the updates, you can rollback the mitigation as described in the Exchange On-premises Mitigation Tool v2 Examples section.

Download the latest release: EOMTv2.ps1

The Exchange On-premises Mitigation Tool v2 script (EOMTv2.ps1) can be used to mitigate CVE-2022-41040. This script does the following:

  • Check for the latest version of EOMTv2.ps1 and download it.
  • Mitigate against current known attacks using CVE-2022-41040 via a URL Rewrite configuration

Use of the Exchange On-premises Mitigation Tool v2 is subject to the terms of the Microsoft Privacy Statement: https://aka.ms/privacy

"},{"location":"Security/EOMTv2/#requirements-to-run-the-exchange-on-premises-mitigation-tool-v2","title":"Requirements to run the Exchange On-premises Mitigation Tool v2","text":"
  • PowerShell 3 or later
  • PowerShell script must be run as Administrator.
  • IIS 7.5 and later
  • Exchange 2013 Client Access Server role, Exchange 2016 Mailbox role, or Exchange 2019 Mailbox role
  • Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019
  • If Operating System is older than Windows Server 2016, must have KB2999226 for IIS Rewrite Module 2.1 to work.
  • [Optional] External Internet Connection from your Exchange server (required to update the script and install IIS URL rewrite module).

NOTE: The script has to be executed individually for each server.

"},{"location":"Security/EOMTv2/#exchange-on-premises-mitigation-tool-v2-examples","title":"Exchange On-premises Mitigation Tool v2 Examples","text":"

The default recommended way of using EOMTv2.ps1. This will apply the URL rewrite mitigation. If IIS URL rewrite module is not installed, this will also download and install the module.

.\\EOMTv2.ps1\n

To roll back EOMTv2 mitigations run

.\\EOMTv2.ps1 -RollbackMitigation\n
"},{"location":"Security/ExchangeExtendedProtectionManagement/","title":"ExchangeExtendedProtectionManagement","text":"

Download the latest release: ExchangeExtendedProtectionManagement.ps1

The Exchange Extended Protection Management is a script to help automate the Extended Protection feature on the Windows Authentication Module on Exchange Servers. Prior to configuration, it validates that all servers that we are trying to enable Extended Protection on and the servers that already have Extended Protection enabled have the same TLS settings and other prerequisites that are required for Extended Protection to be enabled successfully.

Tip

The Exchange Server Extended Protection documentation can be found on the Microsoft Learn platform: Configure Windows Extended Protection in Exchange Server

"},{"location":"Security/ExchangeExtendedProtectionManagement/#requirements","title":"Requirements","text":"

The user must be in Organization Management and must run this script from an elevated Exchange Management Shell (EMS) command prompt.

"},{"location":"Security/ExchangeExtendedProtectionManagement/#how-to-run","title":"How To Run","text":""},{"location":"Security/ExchangeExtendedProtectionManagement/#examples","title":"Examples:","text":"

This syntax will process the prerequisites check only against the servers that you provided. This will execute the same checks as if you were attempting to configure Extended Protection.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -PrerequisitesCheckOnly\n

This syntax enables Extended Protection on all Exchange Servers that are online that we can reach.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1\n

This syntax enables Extended Protection on only the Exchange Servers specified in the -ExchangeServerNames parameter. However, TLS checks will still occur against all servers, and the script will confirm that the TLS settings are correct on all servers with Extended Protection enabled and all servers specified in the -ExchangeServerNames parameter.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -ExchangeServerNames <Array_of_Server_Names>\n

This syntax enables Extended Protection on all Exchange Servers that are online that we can reach, excluding any servers specified in the -SkipExchangeServerNames parameter. As above, TLS checks will still occur against all servers, and the script will confirm that the TLS settings are correct on all servers with Extended Protection enabled and all servers being enabled.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -SkipExchangeServerNames <Array_of_Server_Names>\n

This syntax collects the possible IP addresses to be used for the IP restriction for a virtual directory. Plus the location to store the file.

NOTE: This is only to assist you with the IP collections. You must verify the list to make sure it is accurate and contains all the required IP addresses.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -FindExchangeServerIPAddresses -OutputFilePath \"C:\\temp\\ExchangeIPs.txt\"\n

This syntax will enable Extended Protection for all virtual directories and set EWS Backend virtual directory to None and then proceed to set IP restriction for the EWS Backend virtual directory for all servers online, while providing the IP address list.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -RestrictType \"EWSBackend\" -IPRangeFilePath \"C:\\temp\\ExchangeIPs.txt\"\n

This syntax will verify the IP restrictions for the EWS Backend virtual directory.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -ValidateType \"RestrictTypeEWSBackend\" -IPRangeFilePath \"C:\\temp\\ExchangeIPs.txt\"\n

This syntax rolls back the Extended Protection configuration for all the Exchange Servers that are online where Extended Protection was previously configured.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -RollbackType \"RestoreConfiguration\"\n

This syntax rolls back the Extended Protection configuration for all the Exchange Servers that are online where Extended Protection was previously configured.

NOTE

This is done by restoring the applicationHost.config file back to the previous state before Extended Protection was configured. If other changes occurred after this configuration, those changes will be lost.

NOTE

This is a legacy version of the restore process and is no longer supported. You can still attempt to restore, if the configuration file is detected and is less than 30 days old if a configuration was done with a pervious version of the script. Moving forward, the applicationHost.config file is no longer being used as a backup to restore from. The RestoreConfiguration is the supported replacement.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -RollbackType \"RestoreIISAppConfig\"\n

This syntax rolls back the Extended Protection mitigation of IP restriction for the EWS Backend virtual directory of all the Exchange Server that are online where Extended Protection was previously configured.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -RollbackType \"RestrictTypeEWSBackend\"\n

This syntax displays the current Extended Protection configuration for all the Exchange Servers that are online.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection\n

This syntax will disable Extended Protection configuration for all the Exchange Servers that are online by setting the value at all current configuring locations to None.

PS C:\\> .\\ExchangeExtendedProtectionManagement.ps1 -DisableExtendedProtection\n
"},{"location":"Security/ExchangeExtendedProtectionManagement/#parameters","title":"Parameters","text":"Parameter Description ExchangeServerNames A list of servers to pass that you want to run the script against. This can be used for configuration or rollback. SkipExchangeServerNames A list of server to pass that you don't want to execute the script for configuration or rollback. PrerequisitesCheckOnly Run the required prerequisites check for the passed server list to know if configuration can be attempted. ShowExtendedProtection Show the current configuration of Extended Protection for the passed server list. ExcludeVirtualDirectories Used to not enable Extended Protection on particular virtual directories. The following values are allowed: EWSFrontEnd. FindExchangeServerIPAddresses Use this to collect a list of the Exchange Server IPs that should be used for IP Restriction. OutputFilePath Is a custom file path to be used to export the list of Exchange Server IPs collected from FindExchangeServerIPAddresses. Default value is the local location IPList.txt. IPRangeFilePath Is the path to the file that contains all the IP Addresses or subnets that are needed to be in the IP Allow list for Mitigation. RestrictType To enable a IP Restriction on a virtual directory. Must be used with IPRangeFilePath. The following values are allowed: EWSBackend ValidateType To verify if the IP Restrictions have been applied correctly. Must be used with IPRangeFilePath. The following values are allowed: RestrictTypeEWSBackend RollbackType Using this parameter will allow you to rollback using the type you specified. The following values are allowed: RestoreIISAppConfig, RestrictTypeEWSBackend, RestoreConfiguration DisableExtendedProtection Using this parameter will disable extended protection for the servers you specify. This is done by setting all the configured locations back to None regardless of what the original value was set to prior to configuration or if it was enabled by default. SkipAutoUpdate Skips over the Auto Update feature to download the latest version of the script."},{"location":"Security/ExchangeMitigations/","title":"ExchangeMitigations","text":"

Download the latest release: ExchangeMitigations.ps1

This script contains 4 mitigations to help address the following vulnerabilities:

  • CVE-2021-26855
  • CVE-2021-26857
  • CVE-2021-27065
  • CVE-2021-26858

For more information on each mitigation please visit https://aka.ms/exchangevulns

This should only be used as a temporary mitigation until your Exchange Servers can be fully patched, recommended guidance is to apply all of the mitigations at once.

For this script to work you must have the IIS URL Rewrite Module installed which can be done via this script using the -FullPathToMSI parameter.

For IIS 10 and higher URL Rewrite Module 2.1 must be installed, you can download version 2.1 here:

  • x86 & x64 -https://www.iis.net/downloads/microsoft/url-rewrite

For IIS 8.5 and lower Rewrite Module 2.0 must be installed, you can download version 2.0 here:

  • x86 - https://www.microsoft.com/en-us/download/details.aspx?id=5747

  • x64 - https://www.microsoft.com/en-us/download/details.aspx?id=7435

Installing URL Rewrite version 2.1 on IIS versions 8.5 and lower may cause IIS and Exchange to become unstable. If there is a mismatch between the URL Rewrite module and IIS version, ExchangeMitigations.ps1 will not apply the mitigation for CVE-2021-26855. You must uninstall the URL Rewrite module and reinstall the correct version.

Script requires PowerShell 3.0 and later and must be executed from an elevated PowerShell Session.

Download the latest release here:

Download ExchangeMitigations.ps1

To apply all mitigations with MSI install

.\\ExchangeMitigations.ps1 -FullPathToMSI \"FullPathToMSI\" -WebSiteNames \"Default Web Site\" -ApplyAllMitigations

To apply all mitigations without MSI install

.\\ExchangeMitigations.ps1 -WebSiteNames \"Default Web Site\" -ApplyAllMitigations -Verbose

To rollback all mitigations

.\\ExchangeMitigations.ps1 -WebSiteNames \"Default Web Site\" -RollbackAllMitigation

To apply multiple or specific mitigations (out of the 4)

.\\ExchangeMitigations.ps1 -WebSiteNames \"Default Web Site\" -ApplyECPAppPoolMitigation -ApplyOABAppPoolMitigation

To rollback multiple or specific mitigations

.\\ExchangeMitigations.ps1 -WebSiteNames \"Default Web Site\" -RollbackECPAppPoolMitigation -RollbackOABAppPoolMitigation

"},{"location":"Security/Extended-Protection/","title":"Exchange Server Support for Windows Extended Protection","text":"

Documentation Moved

This documentation has been moved to Microsoft Learn. Please read Configure Windows Extended Protection in Exchange Server for more information.

"},{"location":"Security/Test-CVE-2021-34470/","title":"Test-CVE-2021-34470","text":"

Download the latest release: Test-CVE-2021-34470.ps1

Environments running supported versions of Exchange Server should address CVE-2021-34470 by applying the CU and/or SU for the respective versions of Exchange, as described in Released: July 2021 Exchange Server Security Updates.

Environments where the latest version of Exchange Server is any version before Exchange 2013, or environments where all Exchange servers have been removed, can use this script to address the vulnerability.

"},{"location":"Security/Test-CVE-2021-34470/#examples","title":"Examples","text":"

Check for the vulnerability:

.\\Test-CVE-2021-34470.ps1

Fix the vulnerability if found:

.\\Test-CVE-2021-34470.ps1 -ApplyFix

Note that the user must be a Schema Admin to use the -ApplyFix switch.

"},{"location":"Security/Test-ProxyLogon/","title":"Test-ProxyLogon.ps1","text":"

Download the latest release: Test-ProxyLogon.ps1

Formerly known as Test-Hafnium, this script automates all four of the commands found in the Hafnium blog post. It also has a progress bar and some performance tweaks to make the CVE-2021-26855 test run much faster.

"},{"location":"Security/Test-ProxyLogon/#usage","title":"Usage","text":"

The most typical usage of this script is to check all Exchange servers and save the reports, by using the following syntax from Exchange Management Shell:

Get-ExchangeServer | .\\Test-ProxyLogon.ps1 -OutPath $home\\desktop\\logs

To check the local server only, just run the script:

.\\Test-ProxyLogon.ps1 -OutPath $home\\desktop\\logs

To check the local server and copy the identified logs and files to the OutPath:

.\\Test-ProxyLogon.ps1 -OutPath $home\\desktop\\logs -CollectFiles

To display the results without saving them, pass -DisplayOnly:

.\\Test-ProxyLogon.ps1 -DisplayOnly

"},{"location":"Security/Test-ProxyLogon/#frequently-asked-questions","title":"Frequently Asked Questions","text":"

The script says it found suspicious files, and it lists a bunch of zip files. What does this mean?

The script will flag any zip/7x/rar files that it finds in ProgramData. As noted in this blog post, web shells have been observed using such files for exfiltration. An administrator should review the files to determine if they are valid. Determining if a zip file is a valid part of an installed product is outside the scope of this script, and whitelisting files by name would only encourage the use of those specific names by attackers.

I'm having trouble running the script on Exchange 2010.

If PowerShell 3 is present, the script can be run on Exchange 2010. It will not run-on PowerShell 2. One can also enable PS Remoting and run the script remotely against Exchange 2010. However, the script has minimal functionality in these scenarios, as Exchange 2010 is only affected by one of the four announced exploits - CVE-2021-26857. Further, this exploit is only available if the Unified Messaging role is present. As a result, it is often easier to simply run the Get-EventLog command from the blog post, rather than using Test-ProxyLogon.

"},{"location":"Security/CVE-2023-23397/","title":"CVE-2023-23397 script","text":"

Download the latest release: CVE-2023-23397.ps1

CVE-2023-23397.ps1 is a script that checks Exchange messaging items (mail, calendar and tasks) to see whether a property is populated with a non empty string value. It is up to the admin to determine if the value is malicious or not. If required, admins can use this script to clean up the property for items that are malicious or even delete the items permanently. Please see CVE-2023-23397 for more information.

There are two modes for the script: Audit and Cleanup.

Audit Mode: Script provides a CSV file with details of items that have the property populated.

Cleanup Mode: Script performs cleanup on detected items by either clearing the property or deleting the item.

"},{"location":"Security/CVE-2023-23397/#steps-to-run-the-script","title":"Steps to run the script:","text":"
  1. Fulfill the requirements according to environment (i.e. On-Premises or Online)

  2. Run the script in audit mode.

    For organizations with large number of mailboxes: It is recommended to break up the mailbox list into multiple files, so the script can be run against mailboxes in batches. Here is an example of how to break up the mailboxes into batches of 1000:

    $batchSize = 1000; $batchNumber = 1; $count = 0; Get-Mailbox -ResultSize Unlimited | Select PrimarySmtpAddress | % {\n  if ($count++ -ge $batchSize) { $batchNumber++; $count = 0; }\n  Export-Csv -InputObject $_ -Path \"Batch$batchNumber.csv\" -Append\n}\n\n# Then run against the batches similar to this:\nImport-Csv .\\BatchFileName.csv | .\\CVE-2023-23397.ps1 -Environment Online\n

  3. If the script execution finishes with \"No vulnerable item found\", no further action is required.

  4. If step 2 generates CSV files, review the CSV file; if you find suspicious thing, then go to 5. If you only see blank things or paths to old .wav files, no need to go to step 5.
  5. If you got suspected entries in CSV file, run the script in Cleanup mode
"},{"location":"Security/CVE-2023-23397/#requirements","title":"Requirements","text":""},{"location":"Security/CVE-2023-23397/#prerequisites-to-run-the-script-for-exchange-server-on-premises","title":"Prerequisites to run the script for Exchange Server (on-premises)","text":"

To run this script in an on-premises Exchange Server environment, you need to use an account with the ApplicationImpersonation management role. You can create a new role group with the required permissions by running the following PowerShell command in an elevated Exchange Management Shell (EMS):

New-RoleGroup -Name \"CVE-2023-23397-Script\" -Roles \"ApplicationImpersonation\" -Description \"Permission to run the CVE-2023-23397 script\"\nAdd-RoleGroupMember -Identity \"CVE-2023-23397-Script\" -Member \"<UserWhoRunsTheScript>\"\n
The script uses Exchange Web Services (EWS) to fetch items from user mailboxes. So, the machine on which the script is run should be able to make EWS calls to your Exchange server.

You can also create a new Throttling Policy to prevent the user who runs the script from being throttled. Make sure to revert the throttling policy after you're done running the script.

Please note that this is for Exchange on-premises environments only.

New-ThrottlingPolicy \"CVE-2023-23397-Script\"\nSet-ThrottlingPolicy \"CVE-2023-23397-Script\" -EWSMaxConcurrency Unlimited -EWSMaxSubscriptions Unlimited -CPAMaxConcurrency Unlimited -EwsCutoffBalance Unlimited -EwsMaxBurst Unlimited -EwsRechargeRate Unlimited\nSet-Mailbox -Identity \"<UserWhoRunsTheScript>\" -ThrottlingPolicy \"CVE-2023-23397-Script\"\n
"},{"location":"Security/CVE-2023-23397/#prerequisites-to-run-the-script-for-exchange-online","title":"Prerequisites to run the script for Exchange Online","text":"

To run this script in an Exchange Online environment, you need to be a Global Administrator or an Application Administrator. The script will create an application with full access permission on all the mailboxes.

Furthermore it is possible to use a certificate to run the script in Audit and Cleanup mode. This is called Certificate Based Authentication (CBA). The steps are outlined in the FAQ section.

NOTE: The script uses Microsoft.Exchange.WebServices.dll to make EWS calls. The script will try to download the DLL and use it. However, if it is unable to, you will need to download the DLL and specify the path.

"},{"location":"Security/CVE-2023-23397/#steps-to-download-microsoftexchangewebservicesdll","title":"Steps to Download Microsoft.Exchange.WebServices.dll:","text":"
  • Download the nuget package from NuGet Gallery | Microsoft.Exchange.WebServices.2.2.0
  • Change the extension of the file from .nupkg to .zip
  • Unzip the package.
  • Use the dll present at \"\\lib\\40\" location in the package
  • Provide the path to the DLL for the -DLLPath parameter when running the script.
"},{"location":"Security/CVE-2023-23397/#how-to-run","title":"How To Run","text":""},{"location":"Security/CVE-2023-23397/#script-parameters","title":"Script Parameters","text":"

The script accepts the following parameters:

Parameter Description Environment Specify the environment where you are running the script. This parameter is required. CreateAzureApplication Use this parameter to create an Azure AD application that can be used for running the script in Exchange Online. DeleteAzureApplication Use this parameter to delete the Azure AD application. UserMailboxes Use this parameter to provide a list of user primary SMTP addresses. You can pipe the addresses while running. This parameter is required in Audit mode. StartTimeFilter Use this parameter to provide start time filter. (Format: \"mm/dd/yyyy hh:mm:ss\") EndTimeFilter Use this parameter to provide end time filter. (Format: \"mm/dd/yyyy hh:mm:ss\") CleanupAction Use this parameter to provide type of cleanup action you want to perform (ClearProperty/ClearItem). CleanupInfoFilePath Use this parameter to provide path to the CSV file containing the details of messages to be cleaned up. EWSExchange2013 Use this switch if you are running on Exchange Server 2013 mailboxes. DLLPath Provide the path to Microsoft.Exchange.WebServices.dll. This is an optional parameter. AzureApplicationName Provide the name of the application which the script should create. This is an optional parameter. The default name is CVE-2023-23397Application. CertificateThumbprint Provide the thumbprint of the certificate which was uploaded to the Azure application. The certificate must exist under the 'Cert:\\CurrentUser\\My' path on the machine. It can only be used if the private key exists and is accessible. AppId Provide the ID of the application which was created in Azure and which is required to run the script in audit or cleanup mode. The ID can be found within the Azure application under 'Overview' and is labeled as: 'Application (client) ID'. If you don't specify this parameter but specify the CertificateThumbprint parameter, the script will ask you to logon to query the required information. Organization Provide the ID of your organization. It can be provided in GUID format or by using your onmicrosoft.com domain. If you don't specify this parameter but specify the CertificateThumbprint parameter, the script will ask you to logon to query the required information. AzureEnvironment Provide the Azure Environment name. This is an optional parameter. The default value is Global. MaxCSVLength Provide the maximum number of rows the script should create in the CSV while running in Audit mode. This is an optional parameter. The default is 200,000. EWSServerURL Provide the EWS endpoint. If not provided, the script will make an Autodiscover call to get it. This parameter works only with Exchange Server. ScriptUpdateOnly This optional parameter allows you to only update the script without performing any other actions. SkipVersionCheck This optional parameter allows you to skip the automatic version check and script update. IgnoreCertificateMismatch This optional parameter lets you ignore TLS certificate mismatch errors. Credential This optional parameter lets you pass admin credentials when running on Exchange Server. UseSearchFolders This parameter causes the script to use deep-traversal search folders, significantly improving performance. SearchFolderCleanup This parameter cleans up any search folders left behind by the asynchronous search feature. It must be used together with the UseSearchFolders parameter. SkipSearchFolderCreation This parameter skips the creation of search folders. It must be used together with the UseSearchFolders parameter. TimeoutSeconds This optional parameter specifies the timeout on the EWS ExchangeService object. The default is 300 seconds (5 minutes)."},{"location":"Security/CVE-2023-23397/#set-exchange-online-cloud-specific-values","title":"Set Exchange Online Cloud Specific values:","text":"

You can use the AzureEnvironment parameter to specify the cloud against which the script runs. By default, the script will run against the Global (worldwide) service. Supported values are:

AzureEnvironment Cloud Environment Name Global AzureCloud WW USGovernmentL4 AzureUSGovernment GCC USGovernmentL5 AzureUSGovernment DOD ChinaCloud AzureChinaCloud Office365 operated by 21Vianet"},{"location":"Security/CVE-2023-23397/#running-against-exchange-server-on-premises-mailboxes","title":"Running Against Exchange Server (On-Premises) Mailboxes","text":""},{"location":"Security/CVE-2023-23397/#audit-mode","title":"Audit Mode:","text":"

Execute the script in audit mode as an admin with the ApplicationImpersonation management role. For scanning on-premises mailboxes, the Environment value should be \"Onprem\" and you should provide the EWS URL of your Exchange server in EWSServerURL property. The script will ask for a login prompt, and the username must be provided.

Note

The username which is passed to the script, must be specified in the UPN format where the domain-part is a domain accepted by the Exchange Server.

Optionally, you can use the Credential flag to provide admin credentials in PSCredential format. Set the EWSServerURL parameter to specify the EWS URL if the Autodiscover call fails.

"},{"location":"Security/CVE-2023-23397/#examples","title":"Examples:","text":"

This syntax runs the script to audit all the mailboxes.

PS C:\\> Get-Mailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Onprem\n

Note: If there are Exchange 2013 servers in the environment with Exchange 2016 or 2019, the script may not be able to open mailboxes on Exchange 2013 and may give the following error:

If the above error appears, run the script with an additional parameter EWSExchange2013, as shown below.

PS C:\\> Get-Mailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Onprem -EWSExchange2013\n

This syntax runs the script to audit all mailboxes for items that were created during a specific period.

PS C:\\> Get-Mailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Onprem -StartTimeFilter \"01/01/2023 00:00:00\" -EndTimeFilter \"01/01/2024 00:00:00\"\n
"},{"location":"Security/CVE-2023-23397/#cleanup-mode","title":"Cleanup Mode:","text":"

The script provides a list of all the messages containing the problematic property in the mailboxes of users specified in an AuditResult_timestamp.CSV file. Admins should analyze this file and mark (with a \"Y\") messages for which either the property is to be cleaned or the message must be removed.

Step 1 Mark the messages for cleanup by entering \"Y\" instead of \"N\" in the cleanup column of CSV file.

Step 2 Choose either to remove the message or only the problematic property in the next step by specifying CleanupAction as \"ClearItem\" or \"ClearProperty.\" Execute the script as follows to remove the message or property marked with Y in the CSV file.

"},{"location":"Security/CVE-2023-23397/#examples_1","title":"Examples:","text":"

This syntax runs the script to clear the problematic property from messages:

PS C:\\> .\\CVE-2023-23397.ps1 -Environment Onprem -CleanupAction ClearProperty -CleanupInfoFilePath <Path to modified CSV>\n

This syntax runs the script to delete messages containing the malicious property

PS C:\\> .\\CVE-2023-23397.ps1 -Environment Onprem -CleanupAction ClearItem -CleanupInfoFilePath <Path to modified CSV>\n
"},{"location":"Security/CVE-2023-23397/#running-against-exchange-online-mailboxes","title":"Running Against Exchange Online Mailboxes","text":"

First, execute the script in Audit mode as an admin with Global Administrator or Application Administrator role. For scanning online mailboxes, the Environment parameter should be \"Online.\"

While scanning Exchange Online mailboxes, the script needs an Azure AD app that has delegate permissions for all Exchange Online mailboxes. You can create the application using the script. And once the application is no longer required, you can delete the application using the script as well.

"},{"location":"Security/CVE-2023-23397/#managing-azureadapplication","title":"Managing AzureADApplication:","text":""},{"location":"Security/CVE-2023-23397/#examples_2","title":"Examples:","text":"

This syntax runs the script to create an Azure application

PS C:\\> .\\CVE-2023-23397.ps1 -CreateAzureApplication\n

This syntax runs the script to delete the Azure application created by the script

PS C:\\> .\\CVE-2023-23397.ps1 -DeleteAzureApplication\n
"},{"location":"Security/CVE-2023-23397/#audit-mode_1","title":"Audit Mode:","text":""},{"location":"Security/CVE-2023-23397/#examples_3","title":"Examples:","text":"

This syntax runs the script to Audit all mailboxes in Exchange Online.

NOTE: Connect to EXO with Exchange Online PowerShell session

PS C:\\> Get-EXOMailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment \"Online\"\n

This syntax runs the script to Audit all mailboxes for items that were during a specific period.

PS C:\\> Get-EXOMailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment \"Online\" -StartTimeFilter \"01/01/2023 00:00:00\" -EndTimeFilter \"01/01/2024 00:00:00\"\n

This syntax runs the script to Audit all mailboxes by using a certificate to authenticate and using the improved SearchFolder functionality.

PS C:\\> Get-EXOMailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Online -CertificateThumbprint <Thumbprint of the certificate> -AppId <Application Id of the 'CVE-2023-23397Application' app> -Organization contoso.onmicrosoft.com -UseSearchFolders\n
"},{"location":"Security/CVE-2023-23397/#cleanup-mode_1","title":"Cleanup Mode:","text":""},{"location":"Security/CVE-2023-23397/#examples_4","title":"Examples:","text":"

This syntax runs the script to clear the problematic property from messages.

PS C:\\> .\\CVE-2023-23397.ps1 -Environment \"Online\" -CleanupAction ClearProperty -CleanupInfoFilePath <Path to modified CSV>\n

This syntax runs the script to delete messages containing the problematic property.

PS C:\\> .\\CVE-2023-23397.ps1 -Environment \"Online\" -CleanupAction ClearItem -CleanupInfoFilePath <Path to modified CSV>\n

This syntax runs the script to delete messages containing the problematic property. It uses a certificate to acquire the required tokens.

PS C:\\> .\\CVE-2023-23397.ps1 -Environment \"Online\" -CleanupAction ClearItem -CleanupInfoFilePath <Path to modified CSV> -CertificateThumbprint <Thumbprint of the certificate> -AppId <Application Id of the 'CVE-2023-23397Application' app> -Organization contoso.onmicrosoft.com\n
"},{"location":"Security/CVE-2023-23397/#script-execution-errors-and-troubleshooting","title":"Script execution errors and troubleshooting","text":""},{"location":"Security/CVE-2023-23397/#exchange-server-doesnt-support-the-requested-version","title":"Exchange Server doesn't support the requested version","text":"

If there are Exchange 2013 servers in an environment with Exchange 2016 or Exchange 2019, the script may not be able to open mailboxes on Exchange 2013 and may give the following error:

If the above error appears, run the script with the EWSExchange2013 parameter:

PS C:\\> Get-Mailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Onprem -EWSExchange2013\n
"},{"location":"Security/CVE-2023-23397/#blocked-autodiscover-redirection","title":"Blocked Autodiscover redirection","text":"

If Autodiscover fails due to a redirection error and the above error appears, provide the EWS URL using the EWSServerURL parameter.

"},{"location":"Security/CVE-2023-23397/#invalid-client-secret-provided","title":"Invalid client secret provided","text":"

While running the script in Exchange Online, you might see the above error intermittently. Re-running the script should resolve the issue. If it occurs frequently, then remove the Azure application you have created using -DeleteAzureApplication parameter and then recreate it using -CreateAzureApplication parameter.

"},{"location":"Security/CVE-2023-23397/#cannot-convert-the-microsoftexchangewebservicesdatawebcredentials","title":"\"Cannot convert the \"Microsoft.Exchange.WebServices.Data.WebCredentials\"","text":"

Incorrect link was provided to download Microsoft.Exchange.WebServices.dll originally that is causing this issue. Follow these steps to correct this problem.

  • Download the correct NuGet Gallery | Microsoft.Exchange.WebServices.2.2.0
  • Close PowerShell (CRITICAL)
  • Launch new PowerShell session
  • Run cmdlet again with providing new dll path ( should be lib\\40\\Microsoft.Exchange.WebServices.dll)
"},{"location":"Security/CVE-2023-23397/#unable-to-connect-to-ews-endpoint-401-unauthorized-on-prem","title":"Unable to connect to EWS endpoint - 401 unauthorized - On Prem.","text":"

You are getting a 401 unauthorized when trying to provide the -EWSServerURL parameter to the script. The possible causes can be due to bad credentials provided or the URL endpoint is not working correctly. Try to provide the credentials again to start off with. If that doesn't work, does the URL work when using a browser? You should get a result like this:

If you don't get a response looking like this after you are prompted for a username and password, then this could be the problem. Try to see if either the FQDN, https://localhost/ews/exchange.asmx, or https://127.0.0.1/ews/exchange.asmx works instead. If one of those do, use that instead for the -EWSServerURL parameter.

NOTE: Make sure to include -IgnoreCertificateMismatch if using localhost or 127.0.0.1

"},{"location":"Security/CVE-2023-23397/FAQ/","title":"CVE-2023-23397 Frequently Asked Questions","text":""},{"location":"Security/CVE-2023-23397/FAQ/#what-is-the-usesearchfolders-feature","title":"What is the -UseSearchFolders feature?","text":"

This feature changes the way Audit mode works to be dramatically faster in most environments. The original approach searches folders synchronously one by one. When using the new switch, we perform two passes. In the first pass, we create a search folder that searches the whole mailbox. In the second pass, we collect the results. This often reduces the time to run the Audit mode by 80% or more.

To use the new feature, use the same syntax as before, but add -UseSearchFolders. For example:

NOTE: Connect to EXO with Exchange Online PowerShell session

Get-EXOMailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Online -UseSearchFolders\n

This switch only applies to Audit mode. Cleanup mode has no syntax changes. To take maximum advantage of the search folders, it's best to leave them in place until cleanup is done, so you can repeatedly and quickly search for any new items. After cleanup is completed, the search folders can be removed with:

Get-EXOMailbox -ResultSize Unlimited | .\\CVE-2023-23397.ps1 -Environment Online -UseSearchFolders -SearchFolderCleanup\n
"},{"location":"Security/CVE-2023-23397/FAQ/#what-is-the-relationship-of-exchange-server-march-2023-su-and-outlook-fix-for-cve-2023-23397","title":"What is the relationship of Exchange Server March 2023 SU and Outlook fix for CVE-2023-23397?","text":"

Those two updates are completely independent from each other. Exchange SUs address Exchange vulnerabilities and security improvements. We mentioned the Outlook\u00a0CVE-2023-23397 update in the Exchange March SU release to raise the awareness to our customers, as we know most use Outlook for Windows. Exchange March SU does not address CVE-2023-23397, you need to install Outlook update to address this vulnerability in Outlook.

"},{"location":"Security/CVE-2023-23397/FAQ/#does-the-account-running-the-script-need-to-be-part-of-organization-management","title":"Does the account running the script need to be part of Organization Management?","text":"

In OnPrem environments, the account running the script only needs the EWS Impersonation role, which is provided by adding that user to the group as described in the docs.

In Online environments, the account running the script in -CreateAzureApplication mode needs Global Admin role in order to create the Azure application used for impersonation.

"},{"location":"Security/CVE-2023-23397/FAQ/#in-onprem-does-the-script-need-to-be-executed-on-the-exchange-server","title":"In OnPrem, does the script need to be executed on the Exchange Server?","text":"

No, the script can be executed from a workstation. There are essentially two parts to running the script. First, we have to get a list of mailboxes. Second, we have to run the script against them. These steps do not necessarily need to be performed by the same user or on the same machine.

If we just want to run the script against a few users, the email addresses can be specified manually:

.\\CVE-2023-23397.ps1 -Environment OnPrem -UserMailboxes \"user1@contoso.com\", \"user2@contoso.com\"\n

For a large number of mailboxes, an Exchange Organization Administrator could create a CSV of mailboxes to process using a command like this:

Get-Mailbox -ResultSize Unlimited | Export-Csv .\\Mailboxes.csv\n

Then, the script could be run against the CSV file on a different machine by a different user using a command like this:

Import-Csv .\\Mailboxes.csv | .\\CVE-2023-23397.ps1 -Environment OnPrem\n
The default script execution appears to be limited to processing 1000 mailboxes, how to execute the script for more than 1000 mailboxes? You can use following steps to break up the mailboxes into multiple files, so the script can be run against mailboxes in batches. Here is an example of how to break up the mailboxes into batches of 1000:

$batchSize = 1000; $batchNumber = 1; $count = 0; Get-Mailbox -ResultSize Unlimited | Select PrimarySmtpAddress | % {\n  if ($count++ -ge $batchSize) { $batchNumber++; $count = 0; }\n  Export-Csv -InputObject $_ -Path \"Batch$batchNumber.csv\" -Append\n}\n
"},{"location":"Security/CVE-2023-23397/FAQ/#in-onprem-does-the-credential-parameter-need-to-be-upn-or-domainuser","title":"In OnPrem, does the -Credential parameter need to be UPN or domain\\user?","text":"

Either format can be used. However, by default, the script will attempt to use the username to perform Autodiscover. If Autodiscover does not work for your UPN, or if domain\\user is being specified, then Autodiscover can be skipped by providing the -EWSServerUrl parameter.

.\\CVE-2023-23397.ps1 -Environment OnPrem -EWSServerUrl \"https://exch1.contoso.com/EWS/Exchange.asmx\"\n
"},{"location":"Security/CVE-2023-23397/FAQ/#in-onprem-does-the-impersonation-account-need-to-have-a-mailbox","title":"In OnPrem, does the impersonation account need to have a mailbox?","text":"

The latest version of the script no longer requires the impersonation account to have a mailbox if running on Exchange 2016 or later. Exchange 2013 still requires that the impersonation user have a mailbox on prem.

"},{"location":"Security/CVE-2023-23397/FAQ/#why-does-my-output-file-contain-entries-with-empty-pidlidreminderfileparameter-column-or-reminderwav-is-this-an-issue","title":"Why does my output file contain entries with empty PidLidReminderFileParameter column or 'reminder.wav'. Is this an issue?","text":"

The search query is only determining if the property PidLidReminderFileParameter is set, including empty values is a set property. It is up to the admin to determine if they to take actions against this particular item.

NOTE: Script version 23.03.22.1926 and after only provide results for non-empty string values. So the columns should no longer be empty when running the audit mode.

"},{"location":"Security/CVE-2023-23397/FAQ/#why-does-my-output-file-only-contain-some-of-my-mailboxes-that-we-searched-against","title":"Why does my output file only contain some of my mailboxes that we searched against?","text":"

It will only export individual items that contain the PidLidReminderFileParameter properties set. If the mailbox doesn't have any items that contains this property, it will not be exported out.

"},{"location":"Security/CVE-2023-23397/FAQ/#why-does-my-output-file-contain-multiple-entries-for-the-same-mailbox","title":"Why does my output file contain multiple entries for the same mailbox?","text":"

For each individual item that does contain the PidLidReminderFileParameter property, it will be exported out with a item ID that is needed to possibly take action against.

"},{"location":"Security/CVE-2023-23397/FAQ/#what-are-the-required-steps-to-prepare-the-cve-2023-23397application-application-to-support-certificate-based-authentication-cba","title":"What are the required steps to prepare the 'CVE-2023-23397Application' application to support Certificate Based Authentication (CBA)","text":"

Step 1: Create the Azure application by running the script with the CreateAzureApplication. This step must be performed by someone who is Global Administrator or an Application Administrator.

Step 2: Generate a new self-signed certificate and export the public part:

$cert = New-SelfSignedCertificate -Subject $env:COMPUTERNAME -CertStoreLocation \"Cert:\\CurrentUser\\My\"\n$cert | Export-Certificate -FilePath MySelfSignedCertificate.cer\n$cert.Thumbprint\n

Important

The certificate must be kept confidential as it allows the owner to access the Azure application without further authentication.

Step 3: Upload the certificate to the CVE-2023-23397Application Azure application

Go to the Azure Active Directory and search for App registrations. Select the CVE-2023-23397Application application and go to Certificates & secrets. From here, select Certificates and click on Upload certificate. Select the MySelfSignedCertificate.cer file which was created in Step 2, add a descriptive description. Complete the process by clicking on Add.

The application is now ready for CBA.

"},{"location":"Setup/CopyMissingDlls/","title":"CopyMissingDlls","text":"

Download the latest release: CopyMissingDlls.ps1

This script is used to copy over missing dlls that might have occurred during a CU install. This script has a mapping of the location of where the .dll should be on the server and where it should be on the ISO and will attempt to copy it over if the file is detected to be missing on the install location.

Parameter Type Description IsoRoot string The Root location of the ISO. Example: D:"},{"location":"Setup/FixInstallerCache/","title":"FixInstallerCache","text":"

Download the latest release: FixInstallerCache.ps1

This script is used to copy over the missing MSI files from the installer cache.

Parameter Type Description CurrentCuRootDirectory string The root location of the current CU that you are on. MachineName string array One or more machine names from which to copy the required MSI files."},{"location":"Setup/Set-ExchAVExclusions/","title":"Set-ExchAVExclusions","text":"

Download the latest release: Set-ExchAVExclusions.ps1

The Script will assist in setting the Antivirus Exclusions according to our documentation for Microsoft Exchange Server.

AV Exclusions Exchange 2016/2019

AV Exclusions Exchange 2013

If you use Windows Defender you can Set the exclusions executing the script without parameters but if you have any other Antivirus solution you can get the full list of Expected Exclusions.

"},{"location":"Setup/Set-ExchAVExclusions/#requirements","title":"Requirements","text":""},{"location":"Setup/Set-ExchAVExclusions/#supported-exchange-server-versions","title":"Supported Exchange Server Versions:","text":"

The script can be used to validate the configuration of the following Microsoft Exchange Server versions: - Microsoft Exchange Server 2013 - Microsoft Exchange Server 2016 - Microsoft Exchange Server 2019

The server must have Microsoft Defender to set it and enable it to be effective.

"},{"location":"Setup/Set-ExchAVExclusions/#required-permissions","title":"Required Permissions:","text":"

Please make sure that the account used is a member of the Local Administrator group. This should be fulfilled on Exchange servers by being a member of the Organization Management group.

"},{"location":"Setup/Set-ExchAVExclusions/#how-to-run","title":"How To Run","text":"

This script must be run as Administrator in Exchange Management Shell on an Exchange Server. You do not need to provide any parameters and the script will set the Windows Defender exclusions for the local Exchange server.

If you want to get the full list of expected exclusions you should use the parameter ListRecommendedExclusions

You can export the Exclusion List with the parameter FileName

"},{"location":"Setup/Set-ExchAVExclusions/#parameters","title":"Parameters","text":"Parameter Description ListRecommendedExclusions Get the full list of expected exclusions without set. FileName Export the Exclusion List. SkipVersionCheck Skip script version verification. ScriptUpdateOnly Just update script version to latest one."},{"location":"Setup/Set-ExchAVExclusions/#examples","title":"Examples:","text":"

This will run Set-ExchAVExclusions Script against the local server.

.\\Set-ExchAVExclusions.ps1\n

This will run Set-ExchAVExclusions Script against the local server and show in screen the expected exclusions on screen without setting them.

.\\Set-ExchAVExclusions.ps1 -ListRecommendedExclusions\n

This will run Set-ExchAVExclusions Script against the local server and show in screen the expected exclusions on screen without setting them and write them in the defined FileName.

.\\Set-ExchAVExclusions.ps1 -ListRecommendedExclusions -FileName .\\Exclusions.txt\n

This will run Set-ExchAVExclusions Script against the local server and write them in the defined FileName.

.\\Set-ExchAVExclusions.ps1 -FileName .\\Exclusions.txt\n
"},{"location":"Setup/Set-ExchAVExclusions/#outputs","title":"Outputs","text":"

Exclusions List File: FileName

Log file: $PSScriptRoot\\SetExchAvExclusions.log

"},{"location":"Setup/SetupLogReviewer/","title":"SetupLogReviewer","text":"

Download the latest release: SetupLogReviewer.ps1

This script is meant to be run against the Exchange Setup Logs located at C:\\ExchangeSetupLogs\\ExchangeSetup.log. You can run this on the server, or on a personal computer.

It currently checks for common prerequisite issues, clearly calling out if you need up run /PrepareAD in your environment and calls out where it needs to be run. It also checks for some other common issue that we have seen in support that we call out and display the actions to the screen.

Parameter Description [string]SetupLog The location of the Exchange Setup Log that needs to be reviewed [switch]DelegatedSetup Use this switch if you are troubleshooting Prerequisites of a Delegated Setup issue"},{"location":"Setup/SetupAssist/","title":"SetupAssist","text":"

Download the latest release: SetupAssist.ps1

This script is meant to be run on the system where you are running setup from. It currently checks and displays the following when just running it:

  • Current Logged on User and SID
  • Are you running as an Administrator
  • Member of Domain Admins
  • Member of Schema Admins
  • Member of Enterprise Admins
  • Member of Organization Management
  • Current PowerShell Execution Policy setting
  • Checks to see if you are missing files in the installer cache (only checks to see if they are there, not if they are valid)
  • More than 1 powershell.exe process up and running
  • If reboot pending. (Add -Verbose to see where)
  • The current AD level of readiness for CU upgrading. Displays warnings if a mismatch is detected.

Additional Parameters are used for when they are called out from the SetupLogReviewer.ps1

Parameter Type Description OtherWellKnownObjects switch Tests for deleted objects in the otherWellKnownObjects attribute"},{"location":"Setup/SetupAssist/ComputersContainer/","title":"Computers container renamed or missing","text":"

When the CN=Computers container has been renamed or removed from the root of an Active Directory domain, /PrepareAD will fail for certain Cumulative Updates. Please see https://support.microsoft.com/help/5005319 for details.

"},{"location":"Setup/SetupAssist/InstallWatermark/","title":"Install Watermark","text":"

After a failed install attempt of Exchange, we can leave behind a watermark that then prevents you from trying to run setup again when trying use unattended mode. To get around this issue, run Setup.exe from the GUI and not the command line. From the GUI, it is able to detect that we had a watermark and tries to pick up where we left off. However, unattended mode fails in the prerequisites check section prior to running and the GUI skips over this section.

Warning

Do NOT remove the watermark from the registry as you will run into more setup issues trying to run steps the server already completed. Run setup from the GUI to allow setup to pick up where the watermark is set at.

"},{"location":"Setup/SetupAssist/ReadOnlyDomainControllerContainer/","title":"Read Only Domain Controller - Domain Controllers OU","text":"

A Read Only Domain Controller appears to be in the container other than CN=Domain Controllers. This will cause setup to fail if we attempt to domain prep that domain. The path to the RODC must be CN=DCName,CN=Domain Controllers....

"},{"location":"Setup/SetupAssist/RebootPending/","title":"Reboot Pending","text":"

It is best to reboot the server to address these issues. It may take some time after a reboot to have the keys automatically removed. However, if they don't remove automatically, follow these steps to address the issue for the keys that were provided to be a problem.

  • Open regedit to the desired location. Delete the key.
  • If unable to delete the key, follow these steps:
    • Right click on it
    • Open permissions
    • Click on Advanced
    • Change ownership to your account
    • Close Advanced window
    • Give your account Full Control in Permissions window
    • Delete the key

NOTE: With Component Based Servicing\\RebootPending you need to do the same for Component Based Servicing\\PackagesPending prior to RebootPending

NOTE: Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

"},{"location":"Transport/Compute-TopExoRecipientsFromMessageTrace/","title":"Compute-TopExoRecipientsFromMessageTrace","text":"

Download the latest release: Compute-TopExoRecipientsFromMessageTrace.ps1

This script aggregates message trace events hourly and generates a report with the top o365 recipients

"},{"location":"Transport/Compute-TopExoRecipientsFromMessageTrace/#parameters","title":"Parameters","text":"

-StartDate

The StartDate parameter specifies the end date of the date range

-EndDate

The EndDate parameter specifies the end date of the date range. It is recommended to limit the start-end date range to a range of hours. i.e. an ~ 5 to 7 hours.

-TimeoutAfter

The TimeoutAfter parameter specifies the number of minutes before the script stop working. This is to make sure that the script does not run for infinity. The default value is 30 minutes.

-Threshold

The Threshold parameter specifies the min threshold for the received limit. It is used to filter the hourly aggregation. The default value is 3600 messages.

"},{"location":"Transport/Compute-TopExoRecipientsFromMessageTrace/#examples","title":"Examples","text":"
$results = Compute-TopExoRecipientsFromMessageTrace -StartDate (Get-Date).AddHours(-7) -EndDate (Get-Date)\n
"},{"location":"Transport/Compute-TopExoRecipientsFromMessageTrace/#output","title":"Output","text":"

$results.TopRecipients : hourly report for top recipients over the threshold $results.HourlyReport : hourly aggregated message events without applying the threshold $results.MessageTraceEvents: all downloaded message trace events without aggregations

"},{"location":"Transport/ReplayQueueDatabases/","title":"ReplayQueueDatabases","text":"

Download the latest release: ReplayQueueDatabases.ps1

When Transport crashes, in some scenarios it will move the current queue database to Messaging.old- and create a new empty database. The old database is usually not needed, unless shadow redundancy was failing. In that case, it can be useful to drain the old queue file to recover those messages.

This script automates the process of replaying many old queue files created by a series of crashes.

"},{"location":"Transport/ReplayQueueDatabases/#syntax","title":"Syntax","text":"
ReplayQueueDatabases.ps1\n  [-MaxAgeInDays <int>]\n  [-RemoveDeliveryDelayedMessages]\n
"},{"location":"Transport/ReplayQueueDatabases/#parameters","title":"Parameters","text":"
-MaxAgeInDays <Int32>\n    Only replay queue databases newer than this date\n\n    Required?                    false\n    Position?                    1\n    Default value                7\n\n-RemoveDeliveryDelayedMessages [<SwitchParameter>]\n    Attempt to remove delivery delay notifications so user mailboxes do not fill up with these while we replay old messages\n\n    Required?                    false\n    Position?                    named\n    Default value                False\n
"},{"location":"Transport/ReplayQueueDatabases/#usage","title":"Usage","text":"

The script must be run from Exchange Management Shell locally on the server where queue databases are being replayed. Preliminary steps before running this script:

  • Move all active Mailbox Databases to another DAG member
  • Run this command from Exchange Management Shell: Set-MailboxServer $env:ComputerName -DatabaseCopyAutoActivationPolicy Blocked

When the script is run, it takes the following actions.

  • Read the QueueDatabasePath and QueueDatabaseLoggingPath from the EdgeTransport.exe.config file. If these do not match, the script exits. That type of configuration is not yet supported by this script.
  • Search the QueueDatabasePath for any folders with names matching Message.old-*.
  • Parse the date string in the folder name to determine if this folder is under the MaxAgeInDays.
  • Any folders over the MaxAgeInDays are moved to the ReplaySkipped folder in the QueueDatabasePath.

  • The EdgeTransport.exe.config is copied to EdgeTransport.exe.config.before-replay.

  • Begin looping over the folders that were under MaxAgeInDays, starting with the most deeply nested folder.

  • Check if the HubTransport component is in Draining state, and switch it to Draining if it is not.
  • Stop the Transport services (MSExchangeTransport and MSExchangeFrontEndTransport).
  • Move the current folder to be replayed to OldReplayQueue in the QueueDatabasePath.
  • Start the Transport services.
  • Check every 5 seconds if the queues clear. While waiting, run Remove-Message once a minute to remove any \"Delivery Delayed\" messages.
  • Once queues are cleared, stop the transport services.
  • Move OldQueueReplay to a folder inside of Replayed in the QueueDatabasePath, named Replayed-\\<original date on the folder>.

  • Continue to the next folder.

  • When finished with all the folders, stop the Transport services.

  • Overwrite EdgeTransport.exe.config with EdgeTransport.exe.config.before-replay.
  • Start the Transport services.
  • Notify the user that they must run the command to take the HubTransport component out of the Draining state when ready.

Note that when the script is run without -Confirm:$false, it will prompt for nearly every step of this process. This is probably the best approach for most scenarios, so that each step of the script is visible and understood by the user. \"Yes to All\" can be used to remove most of the prompting within the script. However, even with \"Yes to All\", prompts to start and stop services between replays of each database will occur.

If there are many databases to replay, -Confirm:$false can be used to remove all prompting.

"},{"location":"Transport/ReplayQueueDatabases/#cleanup","title":"Cleanup","text":"

If the script fails out or is terminated in the middle, the following steps may be needed in order to run the script again and/or return the environment to a normal state.

  • OldQueueReplay may have been left in place. If it is not clear whether this database was already replayed, Transport services should be started while QueueDatabasePath and QueueDatabaseLoggingPath in EdgeTransport.exe.config still point to OldQueueReplay. Once the queues have drained, Transport can be stopped, and OldQueueReplay can be moved to the Replayed folder.
  • The EdgeTransport.exe.config may be left pointing to OldQueueReplay. To fix it, replace EdgeTransport.exe.config with the EdgeTransport.exe.config.before-replay, which was the backup of the file prior to any changes.
  • MSExchangeTransport and MSExchangeFrontEndTransport may need to be started.
  • The HubTransport component must be set back to Active.
"}]} \ No newline at end of file diff --git a/sitemap.xml b/sitemap.xml index afdee7c704..ee1db05897 100644 --- a/sitemap.xml +++ b/sitemap.xml @@ -2,507 +2,507 @@ https://microsoft.github.io/CSS-Exchange/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Emerging-Issues/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Admin/Clear-MailboxPermission/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Admin/CrossTenantMailboxMigrationValidation/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Admin/Find-AmbiguousSids/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Admin/Get-EASMailboxLogs/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Admin/Get-SimpleAuditLogReport/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Admin/MonitorExchangeAuthCertificate/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Admin/Remove-CertExpiryNotifications/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Admin/Reset-ScanEngineVersion/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Admin/SetUnifiedContentPath/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Admin/Test-AMSI/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Admin/Test-ExchangePropertyPermissions/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Admin/Update-Engines/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Calendar/Check-SharingStatus/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Calendar/Get-CalendarDiagnosticObjectsSummary/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Calendar/Get-RBASummary/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Databases/Analyze-SpaceDump/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Databases/Compare-MailboxStatistics/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Databases/VSSTester/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/ExTRA/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/ExchangeLogCollector/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/ManagedAvailabilityTroubleshooter/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/Test-ExchAVExclusions/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/FindFrontEndActivity/FindFrontEndActivity/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/ADSiteCount/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/AMSIIntegration/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/AuthCertificateCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/CTSProcessorAffinityPercentageCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/CertificateCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/CloudConnectorCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/CredentialGuardCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/DownloadDomainCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/EEMSCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/ExchangeComputerMembership/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/ExchangeServerMaintenanceCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/ExoConnectorCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/FIPFSCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/GeneralHardwareInformation/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/HyperThreadingCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/IISInformation/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/IISWebConfigCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/IPv6EnabledCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/InternalTransportCertificateCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/LMCompatibilityLevelInformationCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/MAPIFrontEndAppPoolGCModeCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/May22SU/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/NETFrameworkSupportabilityCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/NodeRunnerMemoryLimitCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/NumaBiosCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/OpenRelayDomain/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/PacketsLossCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/PagefileSizeCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/ProcessorCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/RPCMinConnectionTimeoutCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/RSSEnabledCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/RebootPending/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/RunHCViaSchedTask/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/SMBv1Check/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/SerializedDataSigningCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/SettingOverridesCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/SleepyNICCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/TCPIPSettingsCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/TLSConfigurationCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/VisualCRedistributableVersionCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Diagnostics/HealthChecker/VulnerabilityCheck/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Hybrid/Test-HMAEAS/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/M365/DLT365Groupsupgrade/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/M365/MDO/MDOThreatPolicyChecker/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/NewUserGuide/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Performance/ExPerfAnalyzer/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Performance/ExPerfWiz/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Performance/SimplePerf/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/PublicFolders/SourceSideValidations/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/PublicFolders/ValidateEXOPFDumpster/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/PublicFolders/ValidateMailEnabledPublicFolders/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Retention/Get-MRMDetails/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Search/Troubleshoot-ModernSearch/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-21709/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Security/ConfigureFipFsTextExtractionOverrides/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Security/EOMT/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Security/ExchangeExtendedProtectionManagement/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Security/ExchangeMitigations/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Security/Test-CVE-2021-34470/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Security/Test-ProxyLogon/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/FAQ/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Setup/CopyMissingDlls/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Setup/FixInstallerCache/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Setup/Set-ExchAVExclusions/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Setup/SetupLogReviewer/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Setup/SetupAssist/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Setup/SetupAssist/ComputersContainer/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Setup/SetupAssist/InstallWatermark/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Setup/SetupAssist/ReadOnlyDomainControllerContainer/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Setup/SetupAssist/RebootPending/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Transport/Compute-TopExoRecipientsFromMessageTrace/ - 2024-07-19 + 2024-07-23 daily https://microsoft.github.io/CSS-Exchange/Transport/ReplayQueueDatabases/ - 2024-07-19 + 2024-07-23 daily \ No newline at end of file diff --git a/sitemap.xml.gz b/sitemap.xml.gz index f8675d3063..1740643aa2 100644 Binary files a/sitemap.xml.gz and b/sitemap.xml.gz differ