From 6b04e038dd51363eaa8222a9cc2f52d7fd2c20c4 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Tue, 6 Jun 2017 08:51:15 -0700 Subject: [PATCH 01/29] adding topic --- .../notifications-microsoft-store-business.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 store-for-business/notifications-microsoft-store-business.md diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md new file mode 100644 index 0000000000..560b540d5c --- /dev/null +++ b/store-for-business/notifications-microsoft-store-business.md @@ -0,0 +1,26 @@ +--- +title: Notifications in Microsoft Store for Business and Education (Windows 10) +description: Notifications alert you to issues or outages with Micrososft Store for Business and Education. +keywords: notifications, alerts +ms.assetid: +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +localizationpriority: high +--- + +# Notification in Microsoft Store for Business and Education + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store. + +## Notifications + + From 0a2029fbceb546444883eae4649013fd90f2a6bf Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Tue, 6 Jun 2017 12:49:44 -0700 Subject: [PATCH 02/29] add file --- .../notifications-microsoft-store-business.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md index 560b540d5c..665235b329 100644 --- a/store-for-business/notifications-microsoft-store-business.md +++ b/store-for-business/notifications-microsoft-store-business.md 
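Review bot: the front matter in this hunk misspells the product in `description:` ("Micrososft Store") and leaves `ms.assetid:` empty; fix the spelling and either populate the asset id or drop the key. The H1 ("# Notification in Microsoft Store for Business and Education") also disagrees with the `title:` value ("Notifications in ..."); make the two consistent.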
@@ -11,7 +11,7 @@ author: TrudyHa localizationpriority: high --- -# Notification in Microsoft Store for Business and Education +# Notifications in Microsoft Store for Business and Education **Applies to** @@ -21,6 +21,13 @@ localizationpriority: high Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store. -## Notifications - +## Notifications for admins +| Store area | Notification message | Customer impact | +| ---------- | -------------------- | --------------- | +| General | We’re on it. Something happened on our end with the Store. Waiting a bit might help. | Unable to sign in, or AAD down. | +| Manage | We’re on it. Something happened on our end with management for apps and software. We’re working to fix the problem. | TBD. | +| Shop | We’re on it. Something happened on our end with purchasing. We’re working to fix the problem. | Unable to sign in, or AAD down. | +| Private store | We’re on it. Something happened on our end with your organization’s private store. People in your organization can’t download apps right now. We’re working to fix the problem. | People in your organization can't claim items from your private store. | +| Acquistion and Licensing (can we call this purchasing?) | We’re on it. People in your org might not be able to install or use certain apps. We’re working to fix the problem. | How different than Shop msg? | +| Partner | We’re on it. Something happened on our end with Find a Partner. We’re working to fix the problem. | You won't be able to search for a partner. | \ No newline at end of file From 0c9adaaca0681d74da15e2381014daf11095f5c6 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Tue, 6 Jun 2017 13:03:40 -0700 Subject: [PATCH 03/29] updates --- .../notifications-microsoft-store-business.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
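Review bot: the new table in this hunk ships draft author questions in customer-facing cells ("TBD.", "can we call this purchasing?", "How different than Shop msg?"); those need answers before merge, not placeholders. "Acquistion" in the Store area column should be "Acquisition", and the file ends without a trailing newline.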
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md index 665235b329..5f9282825c 100644 --- a/store-for-business/notifications-microsoft-store-business.md +++ b/store-for-business/notifications-microsoft-store-business.md 
@@ -26,8 +26,8 @@ Microsoft Store for Business and Microsoft Store for Education use a set of noti | Store area | Notification message | Customer impact | | ---------- | -------------------- | --------------- | | General | We’re on it. Something happened on our end with the Store. Waiting a bit might help. | Unable to sign in, or AAD down. | -| Manage | We’re on it. Something happened on our end with management for apps and software. We’re working to fix the problem. | TBD. | -| Shop | We’re on it. Something happened on our end with purchasing. We’re working to fix the problem. | Unable to sign in, or AAD down. | +| Manage | We’re on it. Something happened on our end with management for apps and software. We’re working to fix the problem. | Unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. | +| Shop | We’re on it. Something happened on our end with purchasing. We’re working to fix the problem. | Shop is unavailable. You can't purchase new, or additional licenses. | | Private store | We’re on it. Something happened on our end with your organization’s private store. People in your organization can’t download apps right now. We’re working to fix the problem. | People in your organization can't claim items from your private store. | | Acquistion and Licensing (can we call this purchasing?) | We’re on it. People in your org might not be able to install or use certain apps. We’re working to fix the problem. | How different than Shop msg? | -| Partner | We’re on it. Something happened on our end with Find a Partner. We’re working to fix the problem. | You won't be able to search for a partner. | \ No newline at end of file +| Partner | We’re on it. Something happened on our end with Find a Partner. We’re working to fix the problem. | You won't be able to search for a partner. | \ No newline at end of file From ddee079a37971bb4f15b0c804a484ed5fb078a05 Mon Sep 17 00:00:00 2001 
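Review bot: the Partner row at the end of this hunk is deleted and re-added with no visible difference, so the change is probably trailing whitespace; drop it from the commit, or if the intent was to add the missing final newline, note that the "\ No newline at end of file" marker shows the file still lacks one. The draft question in the Acquisition row ("can we call this purchasing?" / "How different than Shop msg?") is still unresolved.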
From: Trudy Hakala Date: Wed, 7 Jun 2017 10:46:15 -0700 Subject: [PATCH 04/29] updates from review --- .../notifications-microsoft-store-business.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md index 5f9282825c..f48020e6da 100644 --- a/store-for-business/notifications-microsoft-store-business.md +++ b/store-for-business/notifications-microsoft-store-business.md 
@@ -25,9 +25,9 @@ Microsoft Store for Business and Microsoft Store for Education use a set of noti | Store area | Notification message | Customer impact | | ---------- | -------------------- | --------------- | -| General | We’re on it. Something happened on our end with the Store. Waiting a bit might help. | Unable to sign in, or AAD down. | -| Manage | We’re on it. Something happened on our end with management for apps and software. We’re working to fix the problem. | Unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. | +| General | We’re on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in, or intermittent Azure AD outage. | +| Manage | We’re on it. Something happened on our end with management for apps and software. We’re working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. | | Shop | We’re on it. Something happened on our end with purchasing. We’re working to fix the problem. | Shop is unavailable. You can't purchase new, or additional licenses. | -| Private store | We’re on it. Something happened on our end with your organization’s private store. People in your organization can’t download apps right now. We’re working to fix the problem. | People in your organization can't claim items from your private store. | -| Acquistion and Licensing (can we call this purchasing?) | We’re on it. People in your org might not be able to install or use certain apps. We’re working to fix the problem. | How different than Shop msg? | +| Private store | We’re on it. Something happened on our end with your organization’s private store. People in your organization can’t download apps right now. We’re working to fix the problem. | People in your organization might not be able to view the private store, or get apps. 
| +| Acquistion and licensing | We’re on it. People in your org might not be able to install or use certain apps. We’re working to fix the problem. | People in your org might not be able to claim a license from your private store. | | Partner | We’re on it. Something happened on our end with Find a Partner. We’re working to fix the problem. | You won't be able to search for a partner. | \ No newline at end of file From 8a691fb66e2066e09aea92f8de85e8fb17a3ba16 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Fri, 9 Jun 2017 08:36:34 -0700 Subject: [PATCH 05/29] adding more supported markets --- .../windows-store-for-business-overview.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md index 0edcf1dfa2..51740377ed 100644 --- a/store-for-business/windows-store-for-business-overview.md +++ b/store-for-business/windows-store-for-business-overview.md @@ -488,8 +488,19 @@ Customers in these markets can use Microsoft Store for Business and Education to ### Support for free apps and Minecraft: Education Edition Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition: +- Albania +- Armenia +- Azerbaijan +- Belarus +- Bosnia - Brazil +- Georgia +- Kazakhstan +- Kyrgyzstan +- Moldova - Taiwan +- Tajikistan +- Turkmenistan - Ukraine This table summarize what customers can purchase, depending on which Microsoft Store they are using. From 1429b215574b6610b2cb41990146516421b7281e Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 9 Jun 2017 11:21:29 -0700 Subject: [PATCH 06/29] TFS 12109167, Policcy CSP added 6 new power policies --- .../policy-configuration-service-provider.md | 199 ++++++++++++++++++ 1 file changed, 199 insertions(+) 
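Review bot: the revised General impact cell in this hunk is not parallel: "You might be unable to sign in, or intermittent Azure AD outage" pairs a clause with a noun phrase; split it into two sentences, for example "You might be unable to sign in. There might be an intermittent Azure AD outage." "Acquistion" in the renamed row is still misspelled.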
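Review bot: "Bosnia" in the added market list should be the full country name "Bosnia and Herzegovina", as the other entries use official names. While touching this section, the context line "This table summarize what customers can purchase" needs "summarizes".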
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 1fb89dc1e2..2e94c38cc8 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -11625,6 +11625,138 @@ ADMX Info: + + +**Power/DisplayOffTimeoutOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +

Added in Windows 10, the next major update. + + + + + + +**Power/DisplayOffTimeoutPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +

Added in Windows 10, the next major update. + + + + + + +**Power/HibernateTimeoutOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +

Added in Windows 10, the next major update. + + + + + + +**Power/HibernateTimeoutPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +

Added in Windows 10, the next major update. + + + + **Power/RequirePasswordWhenComputerWakesOnBattery** @@ -11665,6 +11797,73 @@ ADMX Info: + + +**Power/StandbyTimeoutOnBattery** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +

Added in Windows 10, the next major update. + + + + + + +**Power/StandbyTimeoutPluggedIn** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
+ + + +

Added in Windows 10, the next major update. + + + + + **Printers/PointAndPrintRestrictions** From 01e851bd76254eb122adfc7ce3113b8cd069184f Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Mon, 12 Jun 2017 10:30:04 -0700 Subject: [PATCH 07/29] updates --- store-for-business/add-profile-to-devices.md | 81 +++++++++++++++++++ .../notifications-microsoft-store-business.md | 6 +- 2 files changed, 84 insertions(+), 3 deletions(-) create mode 100644 store-for-business/add-profile-to-devices.md diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md new file mode 100644 index 0000000000..7ced700353 --- /dev/null +++ b/store-for-business/add-profile-to-devices.md 
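Review bot: the six new Power/* policy entries in this hunk (DisplayOffTimeoutOnBattery, DisplayOffTimeoutPluggedIn, HibernateTimeoutOnBattery, HibernateTimeoutPluggedIn, StandbyTimeoutOnBattery, StandbyTimeoutPluggedIn) each carry only the SKU support table and "Added in Windows 10, the next major update."; they need the description, the value range and units, the default, and the ADMX Info block that the neighbouring Power/RequirePasswordWhenComputerWakesOnBattery entry has, otherwise an admin cannot tell what value to set. "the next major update" is a placeholder that should become the release version before publication, and the commit subject misspells "Policy".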
@@ -0,0 +1,81 @@ +--- +title: Add profile to manage Windows installation on devices (Windows 10) +description: Add an AutoPilot profile to devices. AutoPilot profiles control what is included in Windows set up experience for your employees. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +localizationpriority: high +--- + +# Add Windows AutoPilot deployment profile to devices + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +## What is AutoPilot +Windows AutoPilot simplifies device set up for IT Admins. You create and apply an AutoPilot profile to your devices. When people in your organization run the out-of-box experience on the device, it installs and configures Windows based on the profile you applied to the device. + +Windows AutoPilot deployment program sets these items: +- Skips setup for Cortana, OneDrive, and OEM registration +- Automatically sets up work or school accounts + +You can decide whether or not to set these items: +- Skip privacy settings +- Disable local admin account creation on the device + +### AutoPilot requirements +Verify this list ... +- Devices pre-installed with Windows 10 Pro Creators Update (version 1703 or later) +- The devices must have access to the internet. When the device can’t connect, it shows the default Windows out-of-box experience (OOBE) screens. +- Enrolling the device into an MDM requires Azure Active Directory Premium. + +For more information, see [Overview of Windows AutoPilot](https://review.docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot?branch=dh-autopilot11975619). + +## AutoPilot in Microsoft Store for Business and Education +You can manage new devices in Microsoft Store. Devices need to meet these requirements: +- Windows 10 (version ... which???) +- Specific hardware vendor??? +- New devices that have not been through Windows out-of-box experience. + +You can create and apply AutoPilot profiles to these devices. 
The overall process looks like this. + +![Block diagram with main steps for using AutoPilot in Microsoft Store for Business: upload device list; group devices (this step is optional); add profile; and apply profile.](images/autopilot-process.png) + +Figure 1 - AutoPilot process + +## Add devices +To manage devices through Microsoft Store for Business and Education, you'll need a csv file that contains specific information about the devices. You should be able to get this from the supplier or store where you purchased the devices. + +The device information file needs to be in this format: + +| Column | Data | +| --------- | ---- | +| column A | data type 1| +| column B | data type 2| +| column C | data type 3| + +**Upload device list** +1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). +2. Click **Manage**, and then click **Devices**. +3. + +## Group devices +Info on creating groups. + +Why would you use them? + +**Create device groups** + +## Add profile +Info on adding profiles -- need to create one to start; can have multiple; can edit later + +TODO: include info in this topic on managing profiles, making changes, and which devices those changes are applied to -- or -- have a separate topic on managing AutoPilot profiles + +**Add AutoPilot profile** + +## Apply profile +Info on selecting devices by group or individually to apply profile \ No newline at end of file diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md index f48020e6da..cb657a21ef 100644 --- a/store-for-business/notifications-microsoft-store-business.md +++ b/store-for-business/notifications-microsoft-store-business.md 
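Review bot: this new topic is still a draft and should not merge as-is: "Verify this list ...", "Windows 10 (version ... which???)", "Specific hardware vendor???", the empty step "3.", "Info on creating groups.", "Info on adding profiles -- need to create one to start", and the "TODO: include info in this topic ..." paragraph are author notes sitting in published text, and the device-information table has placeholder columns ("column A", "data type 1"). The "For more information" link points at review.docs.microsoft.com with a "?branch=" parameter, an internal staging URL that should be the public docs URL. In the "Upload device list" steps the Store for Business link uses plain http:// while the Store for Education link uses https://; use https for both.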
@@ -25,9 +25,9 @@ Microsoft Store for Business and Microsoft Store for Education use a set of noti | Store area | Notification message | Customer impact | | ---------- | -------------------- | --------------- | -| General | We’re on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in, or intermittent Azure AD outage. | +| General | We’re on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Azure AD outage. | | Manage | We’re on it. Something happened on our end with management for apps and software. We’re working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. | -| Shop | We’re on it. Something happened on our end with purchasing. We’re working to fix the problem. | Shop is unavailable. You can't purchase new, or additional licenses. | +| Shop | We’re on it. Something happened on our end with purchasing. We’re working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. | | Private store | We’re on it. Something happened on our end with your organization’s private store. People in your organization can’t download apps right now. We’re working to fix the problem. | People in your organization might not be able to view the private store, or get apps. | | Acquistion and licensing | We’re on it. People in your org might not be able to install or use certain apps. We’re working to fix the problem. | People in your org might not be able to claim a license from your private store. | -| Partner | We’re on it. Something happened on our end with Find a Partner. We’re working to fix the problem. | You won't be able to search for a partner. | \ No newline at end of file +| Partner | We’re on it. Something happened on our end with Find a Partner. 
We’re working to fix the problem. | You might not be able to search for a partner. | \ No newline at end of file From 6f087cf49b6d4988ef16376039a614c7aa19846b Mon Sep 17 00:00:00 2001 From: Celeste de Guzman Date: Mon, 12 Jun 2017 14:41:24 -0700 Subject: [PATCH 08/29] added new screenshot for recommended apps section of SUSPC and updated the doc to include info about Office Centennial --- ...atepackage_recommendedapps_office061217.png | Bin 0 -> 133223 bytes education/windows/use-set-up-school-pcs-app.md | 10 +++++++--- 2 files changed, 7 insertions(+), 3 deletions(-) create mode 100644 education/windows/images/suspc_createpackage_recommendedapps_office061217.png 
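Review bot: the Partner row rewrite at the end of this hunk still leaves the file without a trailing newline, and "Acquistion" in the Store area column remains misspelled through every revision of this table; both are one-line fixes worth folding into this commit.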
diff --git a/education/windows/images/suspc_createpackage_recommendedapps_office061217.png b/education/windows/images/suspc_createpackage_recommendedapps_office061217.png new file mode 100644 index 0000000000000000000000000000000000000000..ac2ccbe4ebc495a199470c785bc72b55b49eab47 GIT binary patch literal 133223
zCV}FFo&Gh~eHXqao#2QIg7D{eEfq17xoHH|jmRr0^pLb`X{x(QQcA{moz)+pJ*IG8 zp~IM8y<@L$7!$^i50H)YJ4-VKf|1{5y0MHgU7(3iR=k$?XigGA1{`1d9wY+Yjt>Kp z3OZCd2#wbo@#+SH`M*R+>DH|c`zm&JN3!k=o6pRop?%sfI+R2f^T|_>o=fEz z$_Gun5Ld3K@plhFy)`98Fx~2J6!u|8N)=zfV3AGErKxhiv*xhDp^Q=C-m!4{ie^18 z#*r_9-#@IXsQ#EeIdliC9m+qp<*^(wKk0d-a;NR&3E9Q_Y|x%_3c{$RT8-f?QMA~- zCr67TT!||b1rqxPb@F(w*(K$-paCrBE|`T<%t5XtJeKpq;#f+X|0K3rh~#2%`xl=I z+*X_SuG(@6;DYADxtsouKJRKI*@n*O-zSlWqw|sMI5%MgELSJaWDD{7?DBjrI8G=M zUO#XrKq#<0y4N_lQXOjKX>r>zvzqT{ve5q_YL-mY z2?-j6w-0;%XF@i*@A&ZR#t9n}TCft%%Mfb?+Qv3BmOr|$ExrFXAZlr9b%U=)wc3Ia ziGn>iih34>|CceSHx7CA{A7dcvl+;l`#q1K;J`X&EN{>VUG;kKC$d!Zz!2)4Wseu< zzZ~~NK?W*yD$jAmp5>O{nPRXfgw>pdCf`D`+dr<7Fw|JqSzkWYBWOsJ(;t>opvr*yK@t@|UZ8m4J9=k|t+b4I8O@u#tgGHX4@wUGGZtwG)lMSigdwaxq05H9dF|F3)@t!+9 zzu0k5P$$cs9DSeRcMSKJ50F$KzDX56dP{6yT$v{g~cx z^p*kAV!VAJEE?WUY~zV84MhCblR)UD0*2RmhP(M?ehZcQpTO@~)EY?vn>@u|YiJ7` zECt|6#!C3@tKVfIq03YyV&W`;fqbd&UZ3g zz|^%>OXjD)o`3XsNSI}j?PH!TvHs|=6d2;4j%_wlz1qVmJ+fN0( z^P~RUb_TdVpUc+Ta>2#=)PpkYOC#U@K3*h zUJxo-=lG_2r%eOQSHDyncf3usO$jetLR7*|0*hjR{!%Xi++Y;dW^H6NRU{46JHM*$ zNq!C9xIM1P&9mkZ&Zf~8@A`D?m|0$q&Hd0mkvxyq~w=v8-nQD0+U zn>(`&wzXF3ua4rEZGTHP9aZ|Qq>xB0W7j5zbVf{J98_r@T7|-5hjY^YfM1f@;8)8n z^A1iZ3MG!7`r;88EO3>O)eu=3e|se}oJ?Z?6_vht{HoC6dVOF>9u)j%iUak$pew`+ zi3f5cb7CyBf8Ylz89!^<-yK~9cN=}L;$agFUH)pomL~Ha8up1%6X0VS!KHI$HPIC9 zM}vo18-6`UntFb_PoG39ghTkg?H!|naF6(x4Ymcyaewr+nsgt^NL~D%qsJ3}ncG*s z-_~;(N>M_ZYywIIRUtacOcc$|Q@)h@oG5&+jdb#y9|s?q+&2j5$)KHm+L9fi42mgNoR{HXoLIMj`ilZSW%9~(04XlAt?b@7A8UHnl}o<0KG)wJeKt)!(%VGy0SeJ{5s zwGr(DN^fJL&`iUfd59>LmG12}#Kc~#7UAsX)3tOE$CpNc7*i_HpfOiDY|HJWw#-_%)$dU3|e2Fs!{DCgyx7}G1JK@ zi?HlN_DlgAYl_L#H?0U^M?&f%3it}ss0ynONhD@_jUrT?uOlZCOaF=Ba!`DxVN1qg zI{7lwp^0-pH4;0e^0#iN02Gs4?TENUA_Ax{#)f`&@B1F`{=AJgM%*!SnKt$9kYH03 zB0P5n5Gz{}ZC^HL+cZ<(g9)J&7o8#wYM2gqcH8+Un#e`WtpvO`#t8=;nQAyYkiEIsiJ=UK&h);RK@u< zCcZrZLox5Z!)Gs^4-aE)BTlxQ1{2wucHewzASmmKecpXvjaT@|^`7Q~>`o-CS+nZ& z!>!p(0G`WE76a2B#YxUA;%depmsf5ynwtbv%{tyv4l6&-U@a$|5_t$H%L?gL&m}aA 
zQ(*TX!kGRYlpQ#@q-s{bTdcRu>8AIh?W(_=cf_KVAelRu2>bjlh|XdK1QZo?j!z1l zy=Lu&V8c-_I$;U?njyV68gqa0^i2)PFsu#O%8L-WM$0LD%AXpP>enbIS*b6SaoP z{b$YPoU_x3e1!SB!?M9Eg8hpa*;w)pEgT{Ql_WRq$^8v`Alv0r$Zea=w-Q&oq>RIp zS`6-!_sIoKM9y&BzIl5-jnXgyqDl&VVZDKN?BlKKfE4#}-$so|-jEHpq*HBlLKLiR zM~t@fT3fo${WBwYvxSnE>zxC_WJ;4@Sw88nPB9+V2)hB>3d7MvfJAHRmN!7okKlra zT1DAzX0D2>q$J4l1_DeE`J!t*k=$}UU!JImSN@aOtu;+LDDSVwbx;s}lo1g}Ad_294mj}p>*?e3D zDo!r@{KWEle}BCO*{6Na)16}-G5Cf4bsER~>>vAih#O@i$(eL{xAQU{vZm%=m%elZ z7>2+Wv>hvz#^2)V_DS6>o6cq`PZX(6QH?IsNV-g`BxIEaENV?uyY3(6NUFL$P-FY( zN3O%JgGMvUjBoRyN>AimO+!7dM!uhAZW%qTIp83MB?i+)&Gy(*A4!Y87EJ*10_QGXB7el z(;Da@xZM5aRwu9P_J`D&PB9)1GPy&#+gYtpZN6Ai$Jsk`bC&)@$^u}(f#i0kroR3U zS>n@FEn6;#zceGq#OHh6cWWLR?ux8rj@hE$Pz(E8O0u_}&T(wG*P?FoMG>;N+%(09 z+MjGMMvf&(CQZX}@&nH6AT8xh-(H7fO{b|wQVATK@6ceT-?aqdlvQ1QHtGQkpEndN zr*;^zPK?p4cP#11uMoa};-0w*qUx#X@Bs{0JG;{5JYvYvGWKRfUkl&ne=DiL7Sx-G z{d&(w_Bk{k?C(=fm(e#^wPiE$VUZ|10u@pbiWU%CMDUsg2YrR4stk)*ht{R0snD*g<7j zQAyCX%U5JOZ2iQ$-a*Ki1J;<~=LQ#G)8S^iEf4g#W0SRPu2^r9j51*t=q&7(hiRIn zjH3tcBrCrCWcRlo!}R{XSbO=M-`y_P2GZcKugw8&4I~r_a)hz3+aHQtGf}<&WDt*i z&>Vt5u2L)XYk4-0gRe-&=BxY8oMJ-!Fyd=4J#yViakL;~%U3M=HR!wUu0;)O5#syR z#<>ZKl6C5}#{2d?euvTTh}qAZ86cn1cwNI4d$C5E8F zt+%W8E`3?6o&H+9!9%j$re@^SQ7XPc-}(V8Y}o`q2Rz4L#-bDJy|_{}1=*0QIKFXb zw+VB6`M_1shS0ICleWoE!uugmSRdWF=ghP#OgNeT&q6ICw8Znf)Wdcph>D5I85Ytb zq-MUak0Iy*3EY9|s4*&Ys<--B7Y}j32&YWCP#g26Dl`B{?COw>=BhZ2qY~4Sc1zD& zuQRiNz7{uR{fd%{87X|?MA6GV*MhYe6TnfuQcoEr_kAYmhWxmCPk@2=jm>yvkbSrK z+8tBIK5WZwycs&P^{|(yt~{yHsM_r0dV0M->)e^DB-1Q`EI;F*%mu?-`x-Pod+thXNqK;-5Sa6p{!U}8PZ(o z*H4wCxV8OKhT#<06n*dHytg|Pea~;L5ZIPnCR)ggPgsqznf_!#mi!M_ZD*!Uh+3RF zvUGAp8iUB!UPwoQ$bB=@c zlotB_w+H82Xm&MyzNYYh`Z@0J6i+l(ipjkrX$hRQL@~}9*9wkTS?hgn^^*#KyH`3pjqTok#6BAb zF3DMO^m3#a(J#Y8lPyT6Ru*}sR+?eEV@=)rTmTtO-zk)eZ2ia)6ktgPspdllHNj=hv!{!j*O*yTCI>)CT{NSBiiNJtouHmz*2x=G*9N-Y(5lUWS*FZ zOs-cZ;-d8cFPp#IAfW#`jsbVjr!T2}k*NL4%LYLLFn?AzIGeB8rBneu8hR2okUjX5h0C+E9v%%(F!s-keHY`~)7mq$Fw)tc zt0ne@*tU2#YhDH`Lb8zK*hRjmX#0IwOLOBuW$?j(B;CXTMGLj?4UA@c4A0d#F#Vz2 
zm*n&0WY6=;u97&8nrxw|#B7_2-aMy?G}SrtryKLEy(?=X;%kD7{lS@5S6b~+=Dr{9 z2CkEL`St{E7YmBl$E&0!qWl9XGdb19tdX(D2YE@O`Efe!* zC-|&M)3fzo`){tSDFjtNus`Nw%t{>_?Wgu9m%!6}?KR8k*izs#2A_&uS&UP}m`((^ zq;3XZ+g$+5g#e_1-=W{sLL|XJ7wkn>k={Gc&9W1A)Uk6?pw}6;*^o%r!QlZO>|Z}a zwWmq^&JvBsWRYa(!C>Rva;J;H+FkymF&_=-EsD`%UEj(iD&JBTGqTlA_f_0^TUb{C zF5dGI4h>4&O^+xt4z<*Tug!yzWe=rO0@z*nN!K)DW7yJkTghp;J#2Axw=7@v z89|WEU?q#CL7)Q8<9e5I8hPuHh}LNu(3rsS#j_62^$nk~YF^rMMoi8vwdH`}-negJ ziDDuM`26{`-pIw(DA(ZZHp+cOhqpKn90^dKpJOlm3QGq`F6nf3dXhjvjn+zRP;2*0h;`xi$_p?D;G^A1O<)&BER~d3(W#q3{y{!l1psnOO8fZ7n!>KK*QI zs55%lnzoyAMc8RI)bP+omG*M0PzMkW?sn%CJUy50y!Z7v07)XnBAG9E2(`E+7rQ#4 zV5+Eqmq~kzBp2LHM*~ATfkoNiftDKqmsLC>_Mq_J^2l3@)E3lcVm?@DY4qTB3*y`S z_R;KMzr)e2FJviB`pM&|kFW-ARyPP(vU{+1l+tn>>5F)ZXt`PTMg0=uk3VEa&X=;NB`fWIjx{A@*8m=+jsp`h` zilH++ugg_@h0XMm=!Z_?dbVdu69m@8SCV5MqXg9pZ9A$1U$-1}Z%#}QeYha~GIq;& z^I`39p;w(N#VX5m>aV!(Z$lO#{5xjGpf5@**WHi78EA9nVuki|bJORNnu2HcdkWjC z^_B7HF+$#byoFzXG{A&x`myxgc9g(D9y?`SxO#kyq-M?c1T3N819Sr(Em%+t8Y;V5rfUCYpVLXTY z4W%ZvX{*X%H;|ke&p|B{ppfaiwO-JWWtob@?1@3fD4zLfMif{R8Lkz=BKPK1Ll3#s zoXobj45vb5mYuZjI%^^TA|kFmlJ9b3>|h8KW0_kUuQ!uh5c#FXl~XB zJzGs=Vxe6#O+ORea7}KTLDWb(@~Du1MlE3l?s8|YBKdp<$fU2LVW}18qz(kdCs@UxG z=lQrnQt|(ioymM@*NEHsLMHzKwH@ES9MhnY=F*ypdf}D%=SR_`ZC)v&shBe;X#zr5 zMF)P8SX$Ib_;3`0gb+iw0629Es$}BzLR6gB->SaqXtQJ>F68>ium7D=dL}}NZMfkH zy2tC3=pvCU1Si?HRRW`4OjHIzOh)QGSJGH^X2>f09Q&~*8(nYIG(D}%Hw(}LLl7@U z&1jk{HNaGN8}48B)6e<;qO9jG^@=t?Hp&4v5mEuTRAJ&rZ`Q67NncA#>RY4lm$S4&wPwR@jR#w# z1#yqW?2v&)?8mJd%9awR%*&aNJ$?5ExwA#VxL$Uqxitiwk5KBqkD9~seRMwBBjL2eE4z3#r=qGq98q0YN5wnEQ;xd1ZFDb*=*?&U4?0W z#PHLb7AJ~dzZ;1inxQd&xIp=S4VuF-{eSEPu&5;o&~b0K$BbH1z-PU%b))n5BBUrd z(CEfv5>TobCnFOXp{j$iP0|G{_r{__E$H`K>E z0~@(#un%W^tLk+&-d@zA*q<~B4{Z$-WGh14y`_FGR;Anq57BFu4!@k|_6Y^%mNG~#Ie4V7Cj^8kOj3>!@_DcLGCVSHa88!GutR5HlcZ6BQe(rZe#NT zQz(^@4%N4`(WrDyq({xEF-$PcizN;YcqU@avugA1daT1?oRVCW2s$IEyA(n=f=>r@ zPCj~3+()V6n2Y^BhXg-_?1#>(UUb&@la#Y|4yNr7tb|=U!wFJ_-<+7Tf;9Vs!fva~syBf)=+}6h`Q4B!JG5bYq^+hr8Ld0Tz_1Zq@)E`oFz! 
zpx%g<2gKVH_*ZtnwKU69R8K%5#W@@5CTvY3fFrCGe`mk*B3rCQfu{&5PNtYx}Oz-WC@Z9)Y7Wv zb&d_qMp{gD+G%tVaeTgUe|%)cDx4wBI=L&ciymSrR7v3&26ihC)86w8SL0*zT5S6X zw^E}r-+FpNXK1_%`6>OKYs?Gl@J=R5g#(YUR&5Zsy1m&=qldQt?TD?>0(gq+c)n5Y z98JNBl0SS3Wv$ zp!t=6(5{W8@@e78vJKUYDJUg8xk-0B{p%m}c@`4Pv-D0DwI9J+y){VYw!8XT$BXN5Jah(+5 zrdqR=X~aH$Xp_6Q)SXeLCKOlexLhX@zH#-6A*b^SUMFJ2atAeXjbnrEmj1L&xt%PA-wU90|?E2OCx(wQge0@?BYr>&FdR$NgbTfJZcFtrJqY%-06l28rf^bSP+n!nQ9Y3zwPW^|kY5u`0BV>movtpCcVB8Qx_L33+o%jip3rjI=*>!MRgkL# z(GHShCJ&*zg9gSx+RQ!F>m?f+kAj^AAiXGfIqv& zUr}VM*kn2VECou68WPdlt&U~*zgI-_=`Poiw0a#&Ce`)b?F}ap$EG&NBno`10gDo0 z{A7kr%fhG~Jxh%osnBz^-ml87Pte8m_jaXLc`N6@g6}5|B_ZiOO&IuV_hZNYzFMhv zk$D@%;Yul=VXH$p^0;6h%BcEzEZ<+Z@r&^#qqYpW`PFQo`x52epDarz%?$U?0}ID@ z8l9h+La1B{KIBUdzGv9E`i)bDLK1|pSgs*wHjzV>sjJVtY>6pTz)tJ1P@7yf`SV?< zi)T0ZTlBx(C^9lK%;pV>Qk=^qLTi2pIsP*+HnmujT)89zkEgs)?Y}%>{=l(}uk-&T zs9jtrdHuDe&~n9%-WzbyFxNuM$yVlNbx?hw1$Y~zh zmxZ>U4miH5|1zT4HR=Maclou|d|w-hcxA=4U(F2TCy z)0NIVn#?6m$Mh`JA+!fz;rKKNPvc1VFDB)Zr6Rz{UQ)0%h0DY&5PZ{7qo_}_6V@ztcKGFi`0n`5Db(R@4A*x zFFJ4RekB6mqrV^0Y)NODFFGh7ju7cO<*jEyzLt{hM`(Ehl?2_5{~};C?LhnTm5860 zS6y)!V$FLiL`I8!P$DzK2)J0r=}@Jo8qgYMIu|(kX?L4lM>O_#O75T==R34BEU6!_`@q)sHUxDc`?P3advAgfZWcqj43lidw2!?LOZq!^%#a z6}TpQYy)ytQgFB>=QmD&Lv4gIcAYtv={ecO5Gh6X&LE+z#*l$NuBr=V*Mraxet!<( z19K;- zv*f6IGUJslT6ET&5DWRNitnqqVx2@4KlSWbb$UERstrz4R>uJ%ZHT~Fs&u!j?) 
zWl72F9kPa>Kl z80pjXe;#YTFrU^WBdr`A;)~Ro@D|r3HaBtdpRbGUIKY8uHINY0Ae z8gR;I*X((8uHG!B5#%t5S93B-#kd+wAv~KYi{aB;4$$_b6z~6XaP^hnp~V>^*dti( z-mfeC`^|&D$v~od?Ua;B(WVg*iy=Z;0NYx(f8l2A*7I`)d5Z-0sts^1N?Fe($%=Am zn-ETec^8<_-&!E8CVcsN;n}5q&p7)c-28#~g;%6KT=>~IJPRA>iQ1Nr zPu+7>W-WESPb^ATcSha~+c0o7hdlNH-ENVzxw#m8uWldjWiCcpG-vSt%rjb)%i5q* zA_mLXcgb_+#{TkI^IFE0Sk?Fj$dB4ujfDizzd^O}jriFW^C*u#msap~C78YVZ>hl-WT(syc>}AJHR5S}Ez_dB@>V8q&hnN!V zMr7a|y6H#akw$6YH~nIEUX}+&oWTu+{wANm9|A`y1aB+ra{(xto`l`3BEIe-T+WsH zlDw{KG=rx08uQHfTqh#KTdYCq2UE7wA|52hrWNYfyp*@b=s7v)O$M?kX87a5GWAb> z)Z-r&2BYfS;tM3DYQ2{(f}GtznWT@|-?N@(uO_b>gXWIE6TU9<^z;wIhI74r@+JQj zu&TI`8z3k z=nCBA&yFET8Liyb7M(LCtSG6?!I5|1Xi!ZPAT*N5ncE^$C++R!Xqv`7ol_@_u`*(i zE%`@B1$P(Qf#_p`2E8QMIp0=C@1yw7_|74Ps?G30E23oOmn0+7- zN;w_mO10wQY2J?YrR_mjoRtK3AFw0{K$Efry2ZcsRxVT!{#>egg55Ez!3-;wibN9j z@Pu$AjDWR2;@}53RtL{kK~+@=K}FfcRG8QHWBkXdBwPXDqi)2XYneP1o>r2-&AN8c z+2I^|Z9*+F%i`}}9Y;bqG~!{ex&EC=D_1Xa$rxI3kFRRtz#F2Wl+60`Rzcx*U$H6U zU@V3ce{-6OkyGpCsx=MV8Vq3JwD7KC7JgY$gSEVK5TJR-A;cW`CQUfo)jxNRR-UW16SAy5W$g2DZ?SEyR)3>7 z#UEPzUyQwFSR7juE}8@j?ry=|-GjTkySqDt;O_43?jGFT0}Me2cV~dh&ffPt-@U)i zuYP)_d(Es~wW_P$x5S5q1`FYC_-D$KVs9IE$mx~1Hm30*w&XS?Q@>|2!VvT6qEr0g zPQ`TE`PL^ywMIhGba0+s*Rm|4TNn9@In*-=!sFn=61 z+iD;!T=FEFJzp_Ss6yKF2M%J03N-gX00hK#7UQ@N-3t_WKb)_&+UvJW z{b-Ef>qa+Jh7|f}fwMm?%Hc#6;M1A2?WqTy`r)3I(xMTr$~l)IqgNsE!v5w#E2%gqe; z?0GGiLc-AxoD8`MXk;w^jYgP?82qgKRfd{9$TT$GLt7e=`(8H=qae8C2_w#Fr6w+u z_@bjyqRj_s`)2q?UqqB}nAm6vixLd*O?(R*1R@pa2q~khY}0{q1y=xdBaG>#K0d|p z)k8?OPG3$0)LzZ}v}QBl@W!wD4UZ`;;fByAC;B$+ta17N>RjNji*x$h6Rq3J9qr{^ z?|0e*=P7!u9Q*{@mj-}_Ue*k}WxBe2X z)Th5!EMIwi*>(MC^My4yf@dW|QZh!oLdxPkEiH|bon=9&m~F5Hen3%2KZYwZ)p*#x z+d#i0P@#UvZ5}l-*oq-`09J7*Dfse9n#mmWeKo0UCfAswS{X_vtNW8QFlGQMnhZz1 zaU@Go_j0|dU4z{p#s8%hqxdWjw4oL=XBm%``(vimJMvZ1=Kgu|_fPK{-MKa(WtCP7 z5|4 z@m0Y1h9`fGlQkOVR8ps$3k=zRgAs*ENLa{Zu~LNzf`BM6SWjQ&s)wU3rVmTaFzHS~ ze##^xwP4DVrSHl)`jG?CBmez<$)R~J1z+rDQ-|((B}Q7JeO!6CN=}$Ao{MR;1ZJb<7pe&wjy!UWpMx#T+7BbkOj_5j{UL 
z0MrF5?8?1i*`kTT;fICkL{sLy)2|_ZBo39U_PzUj2P%B02#R~J(I+n|B`?jBySUQm z@Z!rz9t%_{&S0n%u;4$aSq;bGQdKB(_3=z~%$%z!BHOZY8Q+_~g>GBwUd2VVGa!~vBhH$^_yVtXje@M#WhD&>7v*k{K=J)%695&o( zz3J!?{OyT3cXojs%R7uwK5Gmo*{on*Y4Y#bk2qfKcSYo;I-0{AHboQ@GyeNY#k0GwHh=z8_oBA0EdT(H+bw(|M>b& zc{O+h;*4SME!vjO8!iq>TvQQPo!u@*)baD{#ghC#@gVvu3=13C6ib2O@t>8H5*F;w zNEUYO`%6uPWBtHA{??7}v54Eb^^SWs zS{te+=r(VQJ6#Sp)eK95M0%9rog5wcJxQ|aWz8Hr0P*S~?N*RDNNH+wjojwXVGtooHkUo@oQO|v-YHLqjW(WL5hK3L>E|l%g`zjCYCz^^L zM1cpu8NFL-ux>{u4>-7@5Cnwa(Rl)rB2t_fgy>M7bWx{rMg7YKYxCc@s7j2G=O3G zpuCcLT*=PQS^dxN7AUHhl>+nv0mS{yct1Nr$&-`}h*xFG0&WgGYKY=Q&!?|~+3Si| zVrW;D=BV#yrH48qIO9LQT{%&@&r3`e%#qT*EN-0G3AX!Lzkialg*i|oi#Ceb37-S+ zwQB1mO5Poji??hj6kITC1C1jbIETh4v|Pcq@v+O5+(!8X)Z}T% z$})VLMR#gsA$%}1H#dEg;iO4XTv%984amea@{lURfq!zmMo_0kr|~-yq7=AC1@m*kdAT|J!u$BTFdj} z+cEc?@9K=~Dya zA;2WVD=l$MSF1@>Tj=p85;U3(q+2m}q0lZZgA~Aa+fZQO;(?`zzzJOx}mm)b!N98vtc7K6Hg9)30>pQ&? z$7UZMGL*khHAg;&A)Y>7;%#|#jn6dZsrT3Ny`%ccdld0}GS?PU->@~W)blETeL3h;!$@ z%G9*RJs!E*99fH$QEMwS_kx9Rf0t}s?^xb7j0EhF^K70rRBGmGqd}HD@@g20n*nTR zk_gJru8WHNVt(9Rv0&oU8XFG#{eA?)Aq^*g{7~rnIrtwT*WFKvhe-$B1M-BIMiPR;Y>fGLe{Mvt^w>_WDD0jLhtsq0Lrq)4$V-3cTi!pLR!cHv@8KoL;wO`-l3W)6hl&FF{FxCsZ8<9Huk81)~(!LoFY@0U@^EhnN!FeZ)cY#pBdk z)Si4R5T)RhH;Xq16_px`UCciGucxx}GlXbI7syA|gAaj2;I!-V^~q49T`01rn7dc+ zE&@X%35tG_-`=R7fT$+RQ=>@ba zvXlMtV;%m{FdVXvvid^t!CQZN_rT*9yemk)@V-PBgOXi9W(#$>i4_-I@^en_nq7wm&zP$nP$`qGdS|&ihY(VdJISLrDbI z66Kjt$yMi$#N2H6uS8T$%IICNrNB;@BUi`3QO31LIfTFy$aOU1B9v%AB6_LoT5qnc zL0i+%Wa;WUAbGuw15B$popR^NU>hyQJHg2W=2(9XNK>>CWQf%h=S*U8WML^TXEc4q zn8_ZxUkG@_a58+Z^W&93ej5hwN#_Z54XssJ9f_2uxCcs^)QnoaC8(;$+U_Z}X>u}T zb4Tc^8(ldqJ905%DG9H7p0bO6iKyFe9Ls{4P*TUQZ>;a1liXVY#CQWAoLFZ!XnG&J zM|L^rL6}mU|)un_Jr+3Rt)VIfA~n zDh7K@7iw=4!zGNP=IMd zJ%)KW!Yw^EHS_)bP`M)1mwnPNxNDU=TG;3YXB0ue$|Z@7+jg80Et_pr?u0hKV(J~# z75Z7|`@V-1 zyWp|JF3TRzm5F*ob}9XIg(6g{&=KBnIcKd_Ce$WcU%_vascz^YB{fy5DWiLl(`zU) zC=r<=@0#m@IJYA}b44Y7QY6>PhHNEXI-1XiZ$4o&yslGU^}4KTLtI|mqK z3hZRx*(*k34Y6ssQ>Zb+*Ry4aUX}c-LFC2%)ga%QK=;}$TS2qpYB@q0r6tJRb=g)R 
z*|j8JW33LWcs|4-C-324)F1?J*{@eJs(3U)yoOJuq*YHs=$#R{L`(sH+%w9%FCxO0 zJA}poQ^ZsEK?uItvwirZp10qZJR+9vi{Q7)oaY8aG$h_r$GW`K&_NZS)Y|v2B zZu~=q-YTxi{(RM3M&~Oj0#WimJ9|~^q+y}Z>hcWIaCOcuC|@+{&kP5r*tU*yo4Z*` zzO-;(D};2F4pQtgfO`lEO<$ORlDKr*2_p&5iE4;V1v7vx1vOGrzW#)*I4 zb)F_L(I!4>%GqNJ#;PBVOAc54E_@Kuw0r%_-d{;1OSVs4=I zmMR8yFq`Wj?|M=SbsN|>p_Jg|uDn*lxFWxa{C>)=JHCP#KnrvpXYwo?p&8zR8Jy#S zdH>?6pfK1*+(B4c$cnSKF9=QJ(X|S5u-*DcHJ^?D3QEKCn|_)8>J=M@t7^HXhO}G_ zK{wG>LAGF+o9K=j^^Ukm2Ho8;N1ovT(-Yl537EBcPlXeGk#0%L( zNLOfBUlV#tYh1f*K;eO`;bsOtYqhFym^+<&Enz=zCLVk3+V{-?F$MoII8nv~P^jkrF_f-584b_f z+r)CsMt}Ih;qhi!bD2KbNZGT=SnvKQb@rnP5hoHLlE{~QxI&BAn25_K!4j~>wZB=_?&3w zKiM<1i_Pr=PDrN{1E}~zAwTgV{F}w+@>@w{-Lq_laV3l4_*Ai0;Bb`&Z=hgch|*)R zAuIiU7!^+@^-@Ni^ARs3tiNz`t3@qsbBcBUg0!W^Cn!urJQtz56VRiH6rouUPlVxs zxYMN=XLl%^(ZcC=7mq1I@HqRgiLnjt`DSMhe*Cq}R}NGM*M~vPGx7(+j|%(gcjp#j zQFueDl{j!V`ofR6m)BFR1optgh|Wkb&20`WE|;$);=R%XeT2K&`VRk^mu~^Q`X@!w zqzUh-y;j+`0)eF~lBpnbza{RYcZY_;8fJfGti;eBqbnw38UJ5d5awyOg6@&Af9-vg zv5SG5Zn=)XC-0vViBhAYx&jWK(xM=l=l#za{#l`qrST>a{r3_K8{bMsx9{4KG=$m8 z(8Dr^Mvi|K9dSI!QQ{vPmoz~Di;wBblYC{;q?9Z%KHFa6{NksWd1R=yAeb`->vEen zuO+1aOp0!7bmuEJc+UF3*!mpC%0+a5E{}iH>APPM#Sk(Iijs-U`@!>Lx-@k1r!J`xU!jEqvp5Xnd2KTKa=tb`2P7MrmhJF=l+P)G>O zd)&zImv<@R8vNZ~!MU}rxi0T`6g44QI`4Flej5gQ^Nfd}&oTOl>JNX#@8Pei{+LMp zo(QAOu~Ou~Wc-$qA`)?X=hMN?qg_1Mu<)dw;P$5sqtyjOXSlz=A;sob3ZU1$1Y^HO9YfMdRb9 zLZ^dz^8v=yPtOeJ07-|2_M>ln$Na5VH=>&h# zplJCKb^aQ3UsjJp`k%|gFIQ6<+UrIXZ^J>MNU0!`TrWE>;@F@5?LZbbrh8y_Yx_|@ zL)u;xNDnw#heT|Qy7Zc`l%ZTH^QLt+Mx1LH?`Sk5A*I!_#sI+M;AKr~%A$ZJr(#d2 z3&V<>_~|7_maDe9c2NE6jr3{`*~)V-Kc#lm!_A5}e_OuT-0%g6T34}|8VkT3x!fK| z=XEA1PKc?09`!}G+8ZDE>eIzHn=$y-yx!)CHXLXCEl*4MIF-RjP9!dq=sc6M^tQ^U z9TyW@%%kavJ6A+{C7$GPs}vEnWNQ0unQ#(dDM-79F`RXjcqm|igpZ@5)Sak=;!!-K z;B|LC@TV`(!BZ@HG_ClyC$eEun?gP=2TRz&qG-sJT(&zmKNiqn8YeBO@C> z(S>ukH+E||B8q4oNN}SW5rw^1uawJ$(WljRBl94YL~mmNSX>jzBXzi)=gU~G7Lz-*Et!7Fxor|@u~`**5@Yz2 zg+G{u*mE%6ePY6eL2&@$cFXCW3A9$PqgH_thy@WHD*_)buTpt}%3_V*OO`~SKYN4r 
zAb!^19gMIrHCZX7?{4`|3x_r&-6M}2ksR@Cdvo{BrxoG~m;>9t{j}2=o~~uyPIY%W zeBJvl*XjOUQ%irq?%J&%vV1jD3G2dD5> z9A!gGo6=lp7sAn>IAUt_ejN+9N<{gMo)fAgryUA!Qj2QvI+C{TD1UAD&n(vWk-uB6 z{X;G1XR=T1rVmdJnkGZggDq5?iYN-zH|f8vm5`U;9<1LTG{d!6YDyucvTL`Ci!eHD~%01$Utm5zzZy7R1fe zDQ2$;Pg#f&dw?ZWov-8hZpkPqi@BtaJM=>M)C#p$OmY2uzDCHN0)CKJZN-ZV*%5B4ozuYzK$1 zLHBwlplin>(d|_0G$*#$W;mMx)#xGkNx8V9`%No%?acjhL$Y)xj;+0LRA~FNNhYvb zcfMq6FA?n@*!A$o3lR`pi&rHY^O_~is8k)HCsQdNbUu5UYw1P41fy_?1GvCcM$ zVY5x~qMYX#jCYw9m5|oG&x2*Gl#lnl3d~iw8lRs(=5!mLt1z7P9c@mm`aD81^{qT! z{o(uQQ9izJyVdA2V`@Yq%vI+KL6lU~Q5!(Wenv*jAFomvV`ZAFyZm=+olSD#4dqpk z*R`nQYM9FZeTn+h42xSH~;XvAg3Vb#i>9eMaV_cB|lPDqaE zD-N&4`tA)NVE?JEe>TZetMcarUi?>IPMHmf@o-e3ZugFm%9}_g{VO)N7h1D4@PVGj zLbT(&xN`Qa+D;~$FFep&j>X1705Uo=ME%h($Ma(p2bHb+K-L%D)<+QYQhLT-;Z!u0H6^0V&acnrCp z@6V?mnO^JBM=Yz)>KYpZC%tXpnv93{6mQQrQ)?KOl(}W6G_XC(rQN-534R6fN3Zt0 zmnhh;tm50v)B)`0s^#_D{4yxPeA-RG5`i-X@)vqhSWB?R4f8M0q|Luwj8=cW-Qu%? zXNG+*NPZ4XMyD60o;%4tk9sxu9PZwdxI$Q!fGu5-7&@f*$y|MYe!-DeCtOT5Vy@!k z+p${h`1)CfQiqlH@8+_ou`=|PG9BA5TW9Svr{$@a?BrOjTH1Y!Ia5myP&RU)S4N`Cz6 zO2Gmal~z7-v{Z7Dap9%>?b*m8 zkv()SsK35JH3z>~r%=Q9TMSX4*YyDp*wqa8_z>EacU^sfMsY~j&GfoVCQo)^C zRBDre9SsTMrQ<7X7aLEZGy`C+c50WyLy{Mcrc4vh4{db?kQj@0m@oTIwv9PUs3n&| z2aW<88Qai?-s|mJMNde6{)#%B` zAmzYl?f{POo|yFukyR6ekgBNDMcoLlBqd47f-eUUces~r^Ms-?>n1Xp4EsulCum=v zt@+dWl8c>7%R*kG#7O8m9||>Jxtq?o!GTqsgJBEpnDoMd&v%wr*O^hi#oVFt{9Jtb zp0S9OSq>3Q#(@3nLKUKUWyeuD&6_gn|!hX_%F$QZh&v(U|Z2nO~HaN1LUxtI4BN4&Gx<_8Jr5Vj% zi6Z^^BN&yDM|c64l#-O?oSoS1n0O`6`$3Qe9BI3USzSj0*L)>zbR$*GP(iVffu=nV z3mV0|dsad14{J!iU^Ib9yEqhZ>{=Z?H!-7~qyD-4D)ee~rCWogxHF8V{SqDBOX!5= zh19>$w7LO-5V=16CB-aDycpH1VGpGyuzq{7N^)u$^)D6_g9V7i+< z{Q@LGsT>emYaHQ^_kR2)&_tVs=JsszzFw|F0I5h_AryDiNk^6e1{5?+hnSzg&;~Fm z7Sb4vKIwM445%emr{oItF~4%%yV$EISmvU$wxteKLFiu}tlMjE^hQY{w|{hz(BTFJ zjo#f{4K4r9BCkN01T&%& zbH_@%2VP#?G__5p4R-rKRlm{daHg+C3V_w_6ydsdEfkh&#rVG54$mO>tTv=l?TXLo zZpaImUv+81P_a+|fxQrdk=(_aSNo|+_OlW5QyI<{Qz$U1HN_#C5$Z!Gqk~1NUcFOT z1gY(9wE~$jdlA#;+=#i1R_`Ww#f}gwI~wMeM|SOyrf9*rqeXhWfe;s#fOs5724?^K 
zc&Wd>5T4S9&-@`kh~|4xyP7P{oUhLh=8s`atf$;DpS(vS+WKaRgt1uMXz%az1mhdQ zws5B-9zr8M3ez6nXbH%0f;46mQ&P;cWCz??woF$q6(`r+VtZ;?TOKp#fF|)dmPfCs z{iJkk`t2W#e5G(>W%GsDWy}l~x7nA@XD)p3TiU9E*^T{yeDBZSr!NSn8w_QjVQqoBG@8?t6n`WMr{j+BRIOKg^t-Yfg)%C^8_`>I_yS=w4 zB-6SlAJ$-<+%A4rfJ=Fr^t<4IMw3f2(hR%MBy>8>{M6|9g|4h5I*_)E9^#HWdIw_5 z;{%2%0NgO4mdstAjV&TF%F`&+knyZ!DewCgYo=H%n4727DuzwZfoZci?tKkG#O-V4 zk^7_7LNx`pgI%RJqLE_HjEFlUoSFFx?&=hdkSpQ}m3-m;OwnqlK^j}pZ~6h7+lJG4 zL^fYJ_llDI`o2boavo7Z-h(R0R0(QE+g;oQc{RrO$nhv|N*0}hw? zJd$!`O}|EM*VR@@dt)YGQsWXnyq()o_W)O~u}HxFfncyY$mgn3q1+7L?W{+p(P;-N z5B}TLv!Ik(ZFLBC1B>Wd1}^S#Yx!8!_U4+~!DqES3`%Fza>;V}uU^6RyCZcr$CP4G zSkvD6loLmq@fisvA^T?GPO9Gfd{|4(D8ixCrko+zx%LVJ&ddu#_P?(4BDQ3dDxNqm zw5HnYP5BcsY85yCnv%}5q-132w>yOn2ZCR$g*P-7hUDQT@T;&4X>XD&)0!9*_x5{&O-<}mBWA`pbpQ=wFnH_^J6n2x%*( zZ}0(_NQ>|QzrOX#f%+l_`3uda|UfZoe z5!NYD&}(eNR6MxgLxP91=U067U`G1mH&%KQ6Zwnjy*w1HV@Kdnz+ zuo>YNQ9pP_6fNW%mRPt{4qV0Quc~CkusgSHh28=@9+dHpJe`~Wz&nYzFFCOBHD7Np z%wl(jF!hU6CsLX$*TZMj?McLeVS&-fWXt}s#IqDl*F{bj3`Gj5AUemEVAR%mMyYK2 zCs<7v${f5aT7-49zMqwAIz9I1$oAR`!3#j+bbl87b=Jm5c9<*P4pn3;%ob#Ncs;xO zNt@G{&PaGdRtGa+Asm|?fmeQiCC7*Kr=m|~w(VM4PaJwpKR$9Vj7dvpg|T?+^YVnI z6h(!y6-RVj$~v2uWXlf7m3}y>4BV;izx0fE8Z$LFx^jh9?&5jJ=jyk$DxUsdne_iW z6D*<5jrLHbEf!v~na=M^E&SrPH>-~7*xI_Q)d26N<~fwtH~t&Px{`OhrtkN&By#PN zW_)t`P>^cs8V3-cdA@P-GtNZ45o%}bTzC^&ul{kVm5cnd^xG3BkM)z6GTN)WxiN$H0+~Ni zI+qxr0@zpJ29WVz3q4HV4>pG+GY3~}Yok%tyD$2BuzfB@)S;`ps2d>JRY=?U(NgW00e7pS#v z*Qpu8KeYCkzvw}sF{=gt=+5)&kw*8|5fZu>fdIaRmpSXcSd3JWYv4^$!3$>L(waiK zm@f{ijm)}wXXDu|pPRh3{1o?DeTzHV_Oey&u(_?Z6<*eo6seF74-XHD(*-#u!*4j%( zW=+1>ZdLkJ2AyyG13`)1^QdI=t@R^g(}T^@m>x(uWy8vK&Q8Ng$Rk6rKu@e>%HU^# zxY9c*g6S9>eogegE>c_q1O}0qH>&s##S&m*irbc(HgPvfdro?U{q_?Iwsj~jZzXSL zY~RNL@_7+YsoJJYaWO>NJfY1toj=E#F~YsnQ(qAI(No^O#v=wjUk^$2hdIArkE}`9 zqo)ZFN6{>!cl~!_YVX&bfYF85S+tPsF#|PSius0UlRd2%^o!nm0!V;BazuA?N@t&? 
zi0MHo*@r@z!96i|LB4~V+N~COt>NWLIl?|%Xm=Nw+<7#eSKd*e2UyL3!?O4Lf(oWQW`qw27f^!*i|dV;|}7JXn@m)yTe(?xyoeh~+BdvB4*; z3nh-iC9>Hv--*oKHf8!H_oOkMlZAG0hUK&6LZ6F|p5L5Q%k(#|nf&%~8Et<)7e9Dm+4vp7}BijY+?`1b}Xeza_%$w{@tWL6oa0(?Z zzH&S%^X}$KzO#wn<&Nk*IGQm^mgQY{!lW-Gw`i`fTcv^@3V5s+BD&0?i`R;dJW+B} zuYpG>RB_@XKYN(h>E_+v9mAcjh`r#gR%0#fc_vpwUA1Ok-QCDk?^oeqBu1#n^@&G~ z$TMnM(gCM{RK%8kiUKpCo1M`5%(UbADiJ*(wiq;Eui?!V=$fc!w4BhavCd`SQ5Wdk z;dP6gEST6#GA(36(^Re&-zNareNHdTYWIlr4E*irx%*NT<{dEF3FPtseGxBJ15SnO z8(uu_;klWY%G`dgUhVZ};3#CFLTyXj9~odW1zt|cKeYKAQ;IY2?N#@4Jo-(@ItI=2 zJFYG%Na7bHkmETFpteA#M27w_FQi^v6R5%MgvNK|u^W0!c9|`8R5@$V0 zvh!k5^Z!T}TXIMdxh^FVc{bO57SNB1wfng_>{Ew06_$4vh>PdZEJbnGJoBT${vM z${wCtZ@7zE!z%CpS-<-=0&c&0`A*Z9Nb0WB)dm%Ry(v#Nw3XB8WbEq3yv0}eY+$Vpq$+|?r8_B2mpNav{xtz*z@vChJI*T+gD#`~ zB&J>5cL9@du1nI`D<-F~gDl}a7N}lioiwgRE4agf`3JI;ertQTwW2~mB0HHa)2`I< zX&hY-_v!OUZ+a!c_1VwZBPQ3Dj#>+?Xtknz#9f65s9k+3SuZW>^73*@fnC^_X(T^` z9BvWa^!H7ZTdyzjTPQ^GE#sy@&V{37OvVGVigPJ8>G;HyaIr4Do!Zk9`POL_8vQKS zmB#uxYAW2Zv8#O50iit;ppnyk-*^pcvdAl&I3hnfjlrk_BucR(19@cX7n`Mgsb%(M z5nPtG%TEXIkNB^ZS_{wB$l#>~F(`2$VI)Moj%IYC3(W1pzV$&}n?Sa|~HF2HPUDdEI&ZV0hedS)Fh;*lu} zcf}RNJGwS}m9s{dv_0u8N$L}rJ30v&;PBnHoYj?675n-QzDJxfFwwRTQ8CX00`!HZ zH`6M<#&}y(xMSAvQVr(?nx}-nFZpV_`C^crd$#X>_nc<0M@s1mn2uBEv$*f9cd3oV znwAg*ZW->fNX}B72|DDIvVxrKl?BQqXCx*?~t+|vB;7P)Q08+ zA6*#+quF#pi$C`EOkDNudOw?nxtHPuTik9N4mUAKi^V`gdGoaR-EwcX!YVo&Qn^N2 zYWNI^@VQS2!j$MJ3N1G=9E{Eu=EK#h#wR)|K86`-^3m)*&Q;4VBTmK5?zR~2aizj1Zi3pn!9#e1iBC`O^eTM8&5Xlw>R0~pNO!1CYBJf<< za-}W+5fyulJ`Lzohs)0pdcIdjpe>^V6|}&MgDqylxq_|B0Vez4hA6*5%lBhlEgLDJ z>mvqdI!PNU6YJAI`DyU0vkQN7H@==wx!|z|R@Os~|2B`K>0EecI&{IogKJO9Mi+$E z#}%rwY3JK}Kt2>JM8?F#Y<2{0iOE@f!^T7`tREvhrhPJ%;aXc=u?VrPzy3Ek7qq@s zZ^4K!<`-PuY_uyJw&{RMH+lVoo-M1K|B8_h*Q3Do(!gjv0u9$Y&T^`NYU7fHn9z<* zT!kqCbctqH%wxnn2BHL8~8KGwrU2*=&vx?U;Q)~>(8hdz#w9DXGrl7U}ygmM8vAC${ zrnzxxJ&9Bnk3F;MPPzS{=Y3&s1G2m#u${a=LZe?T)?x~0rFD&^8_E{cmF_{GfEkg& z)2w&3GJBF2&VlDvSbj}ZQgl=CZfqpNS9lsU@}|6w0kjEzSZ#FpahxKN6a4a`-ZsA( zHU~&q 
z-Oe>(cl}7n(W0;MNVRiDP-xQyGtVXIk1Ua9V1w}dr}SJ6&r^Jv==UT~(aVon9}J33WRYb6S%q{tkt zaz(H1%Ry)9(_!SIk5mR&m@6_U$D}Ei&OJu`gW)>7&go*Z#}%HG6-$>x)h@p=SQ6-> zqh1RYf;x1~*nQnf8&B!vnf*$M&fm@c#$SAR-~x??2ijF~KH2y;TYrubFBF|8RpAUf z7wgzfSxGT2!ctW+APXgRhb(4qYmff;ruNHXR1)*?JyJ-i_=a1_YW=a2F|tSewAZ@xE|788}~v>0VeQvsW*Ma&VMT4n2U?*M=48EeJZnpGZHv?kXA zmRrD9(^#ibf;+?NH}brJfM_S4flb=_R|T;g3pFFN3hD1AUx$Y}KT}s|mff(9m~>b{|IoeYnI>M3InA6)Tn_e4bE1kM51zU!h#9Ir@}x|KbQdVT!;Ed~ zIZKXFk~UN~g;rjho3-1*kewmiMDqDJy-NkYvF^3F^48_OjI>K37# zomxnTN?f73B1|V&7-4r#J5=D2-d;_INZfQg98h@Ys$xDJ7pe!iBsG1^Wq#Tv+#E49 z1Up4Ldvgg-84#I`Q0QS;ZugF|YRz1>bmL5()LBgM@_gDDb+!O0zNC;ApHM7iXo~Vv z#$>RlzEEWiG>VEa>~9B*FoL0CqJ?Y0&thJ8?WGn+tlcJZ?&mluoK zE){o5Yy6j2!Z1OfS>{t44Zx7_wBWyR%ynnHA$GXt*;MS&w(k!={T$WJo}8T9M+1n? zhf~w79^X?yb0h*=WJ0k^yEbijmr4nfKv1cZ0g&Bqqg#wLrQn&yRihXq%N%*Iw~1j% zFL!);^PuVe6d?LhX84Ncc;t;_owgorhb#NjOh&e4G6aV`aK?12(~0j+-`dJCU8H-x zq4H*go+!cE5~KCcZ~z#%N;$>-hT}dCN3wKX-ODMJ4QX0pKDiBugybQwEl zjb=Emx4X6vtbt0$4NS~btI_Xy+Y00!8t2Z&9j%xlec~t6oX8v(h~kxJ=%7(qd3go{ zM%lo?#Kex0j)=#A;u3AYI2`_S4e~ zM~0_AuYa*min?6{r3OQg>9?;DZ)Sl2u1ne0N}*Gkip=GGafy;*ErNrN#4L2^qUzQz z%bZ-R@hKSgrgvb)>8u#ww2A4$EgyZa%uOCOu+3P-2SNfBV%7d zdDPlUs!^<%&TBWXHF}cp#PB11S)whf42y6pf4i6~yjkx8jKfzC$I1m#EOceT!j?<} zLtmH{?}H8qa0*Ut4IU@Z*IG_EM-WcUw9CTTMVCwn7TQ}v7BpRt=9*#E387-(@+4r_)TKkh3+SEo zZHBlA#P!%L)2H#Fir#)#VPaX(*;mT)(Z&8_iTRaEOk!30nQ(=Vj2F%fgPjFE__5jN z2K#sVmg<+3ae{-opG9HE&ne30mRgfIvA=ai0Fz&I4UZot%JdXg2u^ls zfSu=;>u=PNv#fzbcTh&GP7M4bJ8>Z8|D9r4P)KRxo=(Hi9a@M^3ZDEo$)!QAB#(FY z(%pCN0MJwjl*$uvl4~n79shg!Ybwf<#@@SyLdXzs#&CPwd-0JvDf;29(}y3{*o=KE zTh63!3>+iEc6i%k2aa6Y;xh^})r(->&=pjCe86r|r^o^SE+}CO;(wpe_*3N-oGvJC z|Dl17|LK$;sc)8yD5wl)C1a@eNoh^CH01T@kOkX;ICIg`G;Q%$`eK?&4`;d+v`@sI zi%qDW@pdz7lclE1`#JJ@|Ky7M9~HDzqqpz%=_zBYuwF_fDTXre6p_GpIXNMm*Jbg7 zspZ6s1Ys#B`kDDd3${Ndrj8&#JOSLPqpuSZpP;nWT(0{@w6dhHL;rW#m`FtQ+NJJ& z>R5(%;zI+N1d5eQs_?~B@vJP=C-BWT^+^}2T>hjnh>;MG->fZ}Kd3MOFyz)-hE~@n za>E&3kog;l&tTTe3~wF=kqY0zYWwu|7VcUj&7#Hj<~CF2=(?XSP4y3Y4kBZhSgvg! 
zMn*ds9>i}bS!xBv#DTxXA+Z$lp)hT#xX0?7Hzg6TX0wBEsrGI17AFMtF5AmQ9k@)=go*< zEYfw=>X3^vx@6*PWyw^o;`d&1*&F>j$YWC8L;MzFfH#t{+bP>Vv4pnoW9bpy2Ia+v zgWNhYZZQ6y*556DWg!MQ=u=kiwMK6=Uw`6+nOPsST8YgEe)iy)pjdb`)*Ai{kqJoDNSEKu{#G)SMmn za|tVcW>SaM*skGLu7%q)?~FJ8zS9WTHydMOYQNy};4~9%6DQ=MlLO0@a%xBWhrWgM zqtyh74{%zQ=QYD6{~Van2w$#QJwdf)}A!Ux%m6p4rgB& z*+&zQ^X;&cuD0Jkr>nIWjr@Y*t+jT_W|C=_V?$oQTv6y!y$^)oa&~Jf9{^UTvTB>n ztSLoBdHBAm!I{E!nGUd1c_(;L<7}alZzTV5NbUQJHEgsREn_>+zFgg|_}a1hEp2bv zHrgFQ3-0}N^dHKk_Lm7UI=+6ZbLm!!MkK}UX7;Fitru#7U7dv}ydJ&UswOO#;bi~A zE>aJ^9>T&$xcouN$OsJHnQIo@*mfxudOM(#5mP>x1w?K_TSdF0vNwraqmp|gAzS_4 z+6Q-`srIP;&DqQHG-zvoVH>WSe(>^(Gw4Qlql}+MB8U^YwG2)}(=bCfCz&teDz6fk zZQR4~x#~-C4o<*UUAn;5N>hK!78?MNAt3Z8Gk)J=YGE*-9=&aOM&4pZ=F35F{r2WH zv92RN>_olEfH1-cPVl8F%964E2JQj{dii0T^c+M!-lN2xt)3`>+g0AOy62bGpP{hN z!Nj@u%f!`EaFq5FG%Obi{|{Af*$`LOb?tVVBm{y4cXxNU;O-6u1b26>PH+$I?(VL^ z-CYW(!o6_kt?uVOAI@LcYwxw^9P^rE)H$mBa`})+s~S3M4NO!_ zlrZHG;@4L$tZUhSZhLDk_}1i{D#uO}=T4E<&YH+g6-y`@)$eOi*0#{F z1Qdk%jlPFc)6tCD=n^h5Cryjsnx2M=O*UQ^^at}{z*Ih}i(|m5g_zfKMUeK(x zD8GtkD#4t1u+XgA4oY&YgEUp$g}{|9ia&oZdir!So`IMD7=oGt8n6D#zdySKWP!j( z>dmx3gAHc_?}U>ats!pK5WVM{pqR^om5$|=s{l=#cKkAqBkqb4#5hl?h?I-;FUP7Y z@eyhMV4@Dv`LtIeLCyOL4#%q@0rMl`A64yG5i#9U2xMB~v7z&J+W1CYN8`PE`>`@5 zx;)-Z`gkBZ3*z)@6@`HDw;`4<}vWCgw@BeX=mx1b!v^n ziL9Oqu{N2zVY)|F_l3rObUglfX5{`Lft1+uuF-J%WbDJA!D#y`!kH)p^k2=L$0V<$ zpSM^ryc>!!WLKpKkv=yYPW0ZGOLD!i(UIpgh_m?vw0PB=aj|5FO2)d=Dr>y}$wj|8 ziaz=aw~2SfP~qy#Eup6?dr184u|@ggskYIHt^gs?Cp~1=XoEV}TUJWDo-iRf*y4$T zEOp%V$PBl?&yH`g={LUHts8F5#w_~MI%>`Aa_gI{W_G9P?~LsJC3)G**zvuFgz!p2 z{bc3PtVT&V?VtEoMu+lR;B{`z@KPa-c2yf z_pFL;%wKp?bz1!J1h}hy3@!UI24IV!vKvFCJTCMU>*wkn^yATlI_ArLoLwJ`#471$ zM1&HcI=RXhTj`Ed!b0%Z2d6r9K}5rjrj`{N?7%j*@!3@@9BJRklY5GXIc&Wy;U(}d z?ygX_oi1Y7o`vY=ts21e?Qc%IM82H&4>)yvE9nP%DA@}+!ZkeV_sFvc)(h1H-WDY` zJqt;Orc&~-D)~j6wT!3^Kbh10$5pr)^;wwdd4=IV>+ROxv|VLBwJk_>%wg!udEX0q z*i#Jd-8j)QnPME*8o$V5ytD=Ip-d+FCX-H1L%!ZOe2j`ecy9rUnog#`$z7{TB6oRa z_|_x|(l;+H_~-fOoEK>DGZEA1Z+~o)qUZ*pFdiNDzchm;4!5N*EB&Ca@`72?RbG?F 
z#5tn7Lx6{Aso8ycIqJ#b-NR_!W5mviq{v!IV@zwTOb17O(sWV4&Aib=P$T!g4k~%ym$9G|L6n()NwTys&;K{rdb@gD3;3M=Rd+q;g3^O*j;{BYW>`m2cN`QUGM z?aqvfB`5IGEbn=-Uf=D0OY#*r8$lY!wS%eU=gQHXK>rgPPBiA2#1=KA+7stnr|s*2 zqSCB{(HLHegp77pC;PX|V}a#-1ZNkCvk8BC2DuCqzvjozp_0F20TDC+Z(~>r6i$LX z8;&bnftG|~i&?!GGLG2PkSm`fb2nLN+;D<-O>;(TG0i+9J}ehOR5mE1Q3Kjkq(+8} z7B12f_D(sq;5lW{*XGA?6UZ|#(@+*Vc>8{dlmv4!{z~Dor!1gXuTN*xFu-tbKKy9w zy@ijVj#9F1RW~AB8--=SLtXleD7W4_r0(oyb2vOwoSoPddL14zoUexlDhv7h!uBWo z@OxAHl-&llV*9H6Mi8bjDkp1YXBKS_&G;!^Z0s)1|5%!yud8BkJuANWC_^2L9r4<# zvKGh3;}fuXiF=ywxAUEYgYji}%)At_(fTCsf_q+o{RXX3HD-D~3vHZ6Of_!o&{Eb| z62lHTJ@!_Xmlev0zl1pn10sB4pO$VHKw-A|)qbIHAt)%8d_p=-qi1>+Y(w0Zd_iOTvz0~HE=@$X+9FxJw+Wq~8 z<+-Nj$Hy;$GZb@zDJJQWL!dOe)a~v`V^jN3tAfzohlyR_W_E$j zF1iMYFcxlGHsjrVyg6eO==j~5K9PliUN-m(x}?u;0$S(&qP6pD3hlmrqEPG&!~iQXA`}4EX|KR%6Iq1PcS^t@8{(V3ELGO%+wkH&ijrXeWSYmm$&qH zt#!s~EyXJxkFY!@K0!ivx2$@lTjicMt&J1*D7;xT?Jbi;wENt}ZEu@YSa0e&GQ$2X z$M~`7_|&VUk?W%Qj;-U1+Nh7ukr5#6VD` zpYd{`_h0i7N3&7f1ix&1c%rw%_f<9LyT3|soO5eI9MM(QL+=drY&hx1qQH+(BM=i< zxi+d#?c)!ZfD`*kJT=n&LFyG4@>bf{m`w%_KXJ-*i^cPoQ`g2D&0;{uT7KrW*4O_Pf?fP`P$#=0%$Mo< zfLw2~gqJy19An(cPdUtnSLyj2nf*oRu{@2P83BF%rtr0I4I)>=i>j_k;htVc4h*cR zgLcPpS4FTd&=E{tX0$4G1tvu{JdkD(ly%W#n&c`or=#)EK0)DZ9@o*bExKD8;FJF_ zkV|p>D#3%fPsdQP)vEth5+kH`eYZBG6QQ3WQ@3mBqE8~l)Gk>>HP-2i%tqH{7EW67 z7b;5kPE;tZb`hbVaQKh+p!(9H3Z8hq?KL*xz2p~imwy)?y?+6(GjGn&EYrLozJRK| z%$xU+#0{ikO`nV@Nql|3Hw@~(?V6A_QzEYGKX-ceu*r(}kFFNMm5PX9&CeQIMRX3p zsgBZym;PlXcX_tM`qaH0(=vqCF$DL856VTEB?&RiQJ%77FCVbxG-PUZ;8fKWj6vm& zDsfxZOjU?$gw8n)RABIV253xY$0tWb-U;Imr$2DxecyGCOD5gD6Z)H;wyUGo(LviV z-ARqG2DfUoPtdqxKMR%U2s@A?cz-MTwiJGWc()!sQ4B>JQY0YI&;vi z8iUYc`=h-sd(~i^%{tH!0D?s-FL>pqahQTJ`g0PZo{teDG5t3IS%3 zgVUu+b}=H8hMwzkwRF4{rv*OX%(gB<`bjR>o78o`2m}rFU{Um}O_#tK6-H!)sQL3W zxc{-;H3Wnyo_Qa4sqx;ZD(g)OhR{8uh2q@j?S+}=qub}Fw$?b)^c1Qjkl7({LdzW} z($yU29HC_0cuT(`$3LrgOlt=nDPq#GDyaV}9K{1Mrf)OdqO~HMnwr{QwO;cUbs?vW z3{NmcN$q!IB4@}%rtDQ&jmqZ~AnQ2+_2k1h^)-&<__|!ihI!Y8XNypMDokB`oVbZB z|6$D$of|*7 
zcuhDnfEoPXT+h84<_Ips!@|bNk&Z+~Kjf7yuw_~VH*hS+{*Y^5i&14i14p%>UaM;% z)Vz~|r*06o6wWyg20R6^NGV$}-ULSc=WGV3PiSk*ogouFBd>m3|fa89cR z3cl6afwnOew+G4`YwfodmS{?Ny%1aXP9m6hN9b2ybp(zhIj!irOTF2fuj&HT)yQns z4!RQRYVFh1T}1?{z6m6(&Q{PVP~G#pYxQoDt~TDP1^HZKzf(ZHtO-_$@}du~$Ydag z$|0Kf>9gg(xFSyeOkAT#21?Lle(Ygs-@K8NG7r`f)wJhj@w(+~afO!}OuqwtPS=zo z%KF~jFYKSAI?}M@-Vo$YJ8o)py}?<_wi~h z7^qYD^!M-Hqp3W*F1qvfvIex&5~uVH^JS!!6g^)=aSwYwBT7bGB%v+z&^QgK zoG9N$cBHR7u$D4_plV_S{f-MUa^^!D0G{-B6cHZuC!~fp*%^4AH0MH3BuKYECK%aL zl09_{@pcJ%aJ2{yHE!~F*-vE1Os~zTRUhdUe8l{1ZEQP}q{Sen^-xq*4!Nqillk54 z=ufottrU>fWo32;6Ds+${`lbN&<%`O%THF#=5lc~m?KtSdv7uK)P(?+CO*c-jAzcv4VF&MD7>II;NQ6qog2sQNb$x{@RifW<31=pWl4&K% zIp-w}LE2sHAEzERo(wsqm$SNv9)WdlbVZ1miLf8JP#x{yCl(1j#pP3iapt@p#h1Zf zLSkxK$bF;c9xJXW#3>iPZU*8cP-aV+tG-ZYXtYE;i7 zqEX^eN|j_!AfW!%=4qDiL7JOhl|X!au(yiR#;Zm)TXw-v!IOW#f~M~w7zNAJvnQc< zZy;l#FVCnMhocp-oi}vncwStz|MTXvIyOg&yGU}1i1A;05pwjM;(^{zB6c=E;l^WU z3c$@moJwvpeO~PXu{+mr0vClCJe;EkenZfyssi&Afh_m0riXK*5Mf;%g_^;(zD(WL zk;4j>&idUx7tW)z#-pZnKP6&R05R-|iHTuW^gZ|RQc-ZAFaiGl3ymNh_Y*d}9?C2^ zpln_b**%~MZku&*gm`POzHq@KIf1DE>q&%NdP=0__*uyAq0$B0dC{JUonw{;=MgFBZvcF-wC)Vvm?y^-6^L@qkzKx@=k1Pvp9~wRRmIr}2lZOe?rp zRKd+w5=)n8o^TGeK~&L#WjsqWNMNn!YP3rzwJmLEPnE7IHo+KY`hhnn%O?dQVZ~E5(SHD&G~AVH+R?V@tUkxzVb<@%5f|>8ACX=Fb^< z?uflR$6J`Y;WDKQhx>JNy(o~_`<}FoY)9c)8^bC% z$^1r`gQo$t*D)oSRJrZ*5as<+S8lIhQyZo>zkAp5VGFh1IkB1lD6@;DpH4EgxW;DHx2SLKr7hZ8J8<7Ud67Vh^0RJhrrG@9qmoNHD zwI*TV;ljegkUq~x)NHovgju|fANN+vv9tu}= z%EUM%E}$~uFx5>Bxq9Nd8DL)?n~s!kPhG4~2T+0&}pIdA^D61}@}hitDbWG=C{ zk`2&atmcBgyT*bsvitG2&}~L)aJdw$%b%p}EF{iz`Pl;TQO-!7VmS6KZBK^vC4-Qh z641$mN{`2^BRV?z8*NJ$wL=y4=CqIlM{scnW)Axb&u^f+RdCpI%7X z0PtfOBSmtVa9d5|45A&2AY(t96;_BGBm}klen3+?y5aQZ6P@8Cqk7Gc=Tl@ckiB(cQj;<( z3}~Tx>JSaY5(Sbx%<1>~I~*Dl%y;VBgNvO`aP1XtjWW0o*KWP@?6urt!XJqiL$@Nk z%Dv#|S*@WwzI-CfBQGc5I|J=Kd@ed_U32uk8+OQTMB#Kj^84Eq19fZ24L+NnwZPW< zwrM>1_qy`*utn0J3Zx^aKSM*qJ-l>k2J7o=#zQCsCYT=Xsyf+Xu3S@mG!P4v)LT=C z;}YLT296}-z=p-D>$jY!?}-e`k>2@ezu$gdHOU&UCdE{V%A(HCz(#|2@Fn*#a?oS0 
z9d;9wbC(T8{Dfm4!|cpOL?G|NH?E`qUBlH$(hPw*ziuGRg{6AXCMzRsW>1_KeUdk* zj@pbT@bBDYNN9n{im}uAG+y}7kReY1WEQw13D{x=3C zSPDNPm1)^$EwZz|fM50BY+FwMuKZb+w{T*B7WgMFW4w$Vf1(lD!`uY5PCyRkcDWYH z7@*8tf(hPvV8hA6t|6)Rm%UmgW%GbiaPuWtki4}XpT~M9=vNlp0XB5n<5O|JdbJ%( zj+Y3sZS|i`u-PY%oXO`~6m(VLRo-qQgwCqx^Zv~5|B9)a$*(QPGEs4GZ#PSW zQQkKDTV5J6o-1K(f+sanmWw?y2QqAz3&mH|{i%u4pvsry8X{gC3WJh}1t@51xi7J+ zz%bB>p3W!dTD|THM6t=h>o;8DDZ9B$bGg#IGX!2w8!FGM=c)h|bS&?!q({FUvX%T6 zv~D`rfp%@`*mA1_rDyrLPTw{RiWigLD9tk!E+Oj3_(TW~ zwmqXyBZ@jo(X&~eXe*V7gp{y~=650oyPvIeuNme~tArma&lD4DAsth!g=C%aeDr`& z1B)DC$XB8BDv@{_UV-J)w7W#Bv1=<$h7!79xGEK}tPyEjEGuF21Dn;wR@kEBQ`QP) z*HO9enJ6`g;kdk8pR4Fu{=bC^I*8Uow37$K#W_kJi0>?$3#$?-%8bK+gF0+jpYi)Vnj+!3viGl`!c**yL#;a;o9R0l*3~gU`lJa*Sp6?#Ip>(kKLMb)}IFO$!}7=z_Mfrq zEjV4uwZb_LHo_1+U2#^kPI?=j}H4% ztM@tfhsy##Mo*9u7Gv6CI(}lKn2ld7s^dqoaO$8G_an&)eTG3gj6^wGDG~ZEWCuPPhbT!w=ZCtio*5!lv7x z4w1xDrR%O{wn><+uhkZn)De@!gY%=1L@8arSI;vhH_^iK86T#MEq`;Z=!=EX`xo-7!SNFAW8_8Ujy7#C5Pts_dnNo|dd8b_2k|1Cbi zR4yAz)(r|q$C=-TfCG$4bu?s=sZY0M6U^95Y@b|;$2@-p zueh3Io7MkxTT=h;Y?+Zt2y()sDZ75y%4I-NyZsTO5+vu217xvD_@lyGbM?SZQ_3t- zwLtdKC0CfZm}t3%7>S6s-iDpu8xRMyq(B(q%PQwS<#6IJrh8Yf!F47Z3cC-5+tzeC z#)yS>#K~7RHcVQHxa+JC9?M}oQWZX6?2S<2-2~vmNl*EdFJ{M{XKgF~R7X-W|DxF^ z9+u-O*l30`bpHrvyN2F)Dp)N*N#YL)X_r=}kF%1raJVu@6@~u|Ap=LgKl#(%WEmk% zSsi(eECv*^P5Fy=`?OIjqKA_l!oW0Tr|<~?qM-q)(|VO`U83T;l&Ahj*TV)=h**bi z3U-F-M+m+ICPx%0c}{~_ub~&WbDHaM-y4S~!hYrQaTYmGv^v7oycVW{`pZEbL}Pql z>h1eytej;P7qH#=;Q9Z-w^75x!xXmYE>OmjRbM50T?H#uD{Yfj8L4N{8SEdb$;j(R zV%Fti#0z@f&oXN4L5#|gy979MNN+H@K|ywy+Q}C5?*@>pkzAN2l$8=wEm{|(W{pY|SuUcPBNUR7d!uh4jn zP4vDMx{Pl1kmQsBjHIrG^CoP18xNShtfetRqHi1fwMJY{`GbjBg$z~I0QZr5&MejUr=*`jMTvj*}wYr*F>z*UunrdU- z6eiB&sSABMoFT-?umfS zO08p^=f0>YPJy*o)@w1cUS*`_bJ5*?|`QHIH}G zPn#q06rK#Xu1qJb$mkJ(Ww7uQ0r1JS9+Z;p5d^nW4p64V1j47NqeAL@# zkhv|S;?k2t;-%_Xy>GWtbyga4OG2!Jjy^QTh$(X)I(8VE%TV?AN7EK{HoE}wNIl;c z?z(iJLRC(l@G;TKgIoWgy-a^gItqaj6LM7pkTdX)XifW#M0w{|?%}9-AVPS`B2#s| z@%gB~!8%;m8Sr0QenLlAOxO_{^&LSj){1r+vd(qkCiwjRhnfi!4jx%74(|A5zEaGl 
z0j6n#8-~n6qQJRJLiD3E!Z*t=W~jpcV$pZh1xE@S0^ zgLWU-S$`Jul|PirDBkK{%WRR@PJ+#HQ6hvLGH~FIxdxSJ=(BI(l<@`Yv7Ia2o#1$M zuX2A1Y{hh^0{`GQXmtvEX+t$8e(nEfX7NLAeK-A30GYnTvme(D>(?@^WTb=#dVFvT z+K$MK#~TEYJac*9?nKSf>+9JF`P?oGVSwjHk|%&dJ}T{x76<+Fzj;60u0#BrU(Cu_ z*Yrj^4&3E2ow9~Vl4WO-M$nW?ao|pP@vBy6Wz!ZWEqhmt?oG35I|zL|z&gA@8#S04 zcg|T0E;cLgj?kXqYhqW^kjSn=4G-(Pz_jg`$e>l+WE3i44fPTOhcuuNa@mc(edL79 zH27fco??Bt2$h>%Gdm-Gi3sHf9{GtEV^x$KSDeoLy2!ejYC9K z^tQ@CQV_+Z^&r{&g9C4N@9yGS;DqA}-+0C?|C@?~16XOql(+bOlAWxb9q4Ohb6Cpf za%x{Gd46VZf@p%l&kLJZKH!-4`;=F7&8FHxLssk;I*dkVu+)lDTCvTfzV}wVck}U_ ze7jQDraco)ETSl}9`lY?pY|I)$EmPSoaVp#IHBHtAnxT(3>b7e@ z`yLwhNFK; zm%?K(ZeJ8Dn-xV$2Dq>6AxAcRQ@L7p-R-{}!4cv_evOyKuPn-;Zad){DRQwm)**jN`3)q0JjYZOOhC3Q!p<3bJ(+Ct&T8rC7;+v;U_ zuiGo!PSNujcyKh!-++$&w3Px*C9WHu7g+y&-E*^Z2|94y3YIt9Isgl*wkf(or)YzY z=cxP-`1BbaJP-Ikhn(rozDfAlrw1vV*3Fsh5r)Qru6;`(qh9Ehm+{ z{|IPiuSdJvV@jV7*~2t5LGgo1t)x#<7i~t@$s8y~tz?h-+In7g2N2pmD-@}GCJ4ms zCd@GF?C5Iz@5ml75y6R{z)XX?RywfVSxU}BD`$=Q(t`f^$c)bw)GzhsZGNg>kNZ@D zTPE}p2{JsI5H#xXwe8uK*=$fdSDg2k3JuUJ-dcG=RGjDXUdKR3C*u5X8mS$B{V?L# zc{7+3*Up)RvKEoOB)Eh8?F-Reig3EtfLhwYxz%xe) zgV>CqyBmQX&WY&$JrP@>SN5u&tS0p|fcrYppgJ#shM-RnT~!A3BIml6A4(t(-boB~>59Yd;7 z%?6*ZgQo1+miQm_~GsChjWh8lh?zlBdWmrqmk{<6%f25S-hW}iUNz3=E}4< zufDHJ+AI(=3BGaV_kK4(fESl_hi*KV>wZl6pdOH(e9Nc1T>*AN7o)UYHv zH4o{S32CPGpo1J=-MYDZ}JAMQqwJjchuJl+1i0t8soXvs*$xhW6sl zKpkXKLrq^;qQy_*Fh%(ex57*2 z$g(=Pw;?2Gg2x&%Iq~NjU=lM-4i{|y;_MDyS&?EJw_czTnJov9oX%IpfNyz7r=P%P zk)?)Z*t=8~<=eH6_-b?MbSu?Vn(b*;6M5MsSyY>~Ade-(Fh5*n`?1t3vn|@6_A8!s zp9`W}tGr->*0_Ww03v{Y|NnEVU8k)k41ho;A5j^nO;4Y^pxDo!80Wr+22O{I=n0)! 
z!O<&?1x6n?zq8eRN)F8P>x5ffbS8l}k%lsnHF`t52oRh|t&nQEyciYZ7qNYP9I0(y z@BwemxGrn*kEX+bZ0vuN7{u~#63;$`bJ1 z?O}|zFyc8=P_#*BLbYPT(k)qK%b}w3{ib@4M(?HPd+PHXM1Qe)K{?3N+jv*_TcA+U zj#4Ga3orPJ1(Cp_t#Odptj(n`UO5*Yc6izgW`lR{maDT5Zx2P0jy7PQmeQosIy>Q0 z^xP>&llGcDXQLl?LvvX8egH#fzLx!{5=yB;Y*P~Lu-=u#o1{Y{xclt$)PS@Qbojg0 zwSu)u`XJJN4w^yXh&b5PUQ1EA5GyA=o~Qo3O9>1g!p5ooMQP~vs%je0P6#j0%O3I@ z;}U-u5@&ne@vpwzVTkH_bE=MJAe#-K@YVMo>Fms!*V6{2#aywRIvGk=LKoqrGznF6 zSMyH3JPZflrK7L|27&(zfZk1Beq^MNPgvi z)#ix&H0Q#3Elp2zJ-?DJb)q*f20rIIdtVAMr_jguUkas5e-*j$@(_$nLXFh+d*)&W zK0>`abPAm=wxPd}x9Xq#9^g)}S=S4>?^L(Dw3#@l%+E*3qB1S84HYV1R}7E+n85)I zaM|~krCnMQ`00F2!u3(%%Rb$YMa)@?>~rxrtx3N;iS{vnun>T0MD;70kI12IDDkN+ zaxEYx8IuCFy3=YC+xDF@U^kc9GP@)E-oXBI zf$8spxIcy{n$hTdxcn7Ikp3M@I{7uMQpdKx(K?}BIwwC~Q`AQzX#0c81Mzb)5x?$; zP;sOGVuo&XjT-f4WsJwFAlav)DagTz^6zDi1y_6hWX-nV3c<3PSgq0OE@p7c{J+B^ zUq1I3I2($mBcCrMv=iJtT8p7nKDVPZh4a*#Ye82YV@Ir#6IdLV53+sMuPQHYU^jo4 z!g+Q@5l<@N?C%y{bn>KctQzSKn==)~V{_a7gA>N99;G#(Iz=rPsfW7!``Xy@ux$d2 zQk~e=sk6eol5=u$Tu&c|P-_QvJGcpBb(fK)nUKZ8hENh!b{bJM`RD?=PN&`o7;-<7 zru2xrD7K~FKSD%}j;bY*va_kB?ow}LF#aG#c1Ia(Jzg&$m}nHthg-rn3_RD^PcE;O zOlL6P&AWL$)unZ6DOum?ba$FB zt_`G+gjWW}0-TVfQy5k5pN!^$jgV^@`N0@txFvdSx^UeO^6hFiL4Ip)VO>PU8CxnM zqTi==j2B%0yu@KAc2w- znn5S+JLFv_bB20?*ZlSo&+&&9BtJ72pP#qBI|ddndFvuGGv8mTQEPLgOi5(Xj0l~_l z8R7}$qb0aEcBGxijJGm=yMMm!3K}-dU0By_+!%|a@wcc8%mDYBy2*p-{YMXF$F{|} zAl5XvHvA5)7??bf7@{(J$F~(afHNE16{86dC>W9qf3Y7y?t(Q$ zl4w+wT7YOB>06&=x`z^BOAyh?vVjFX*e(0+<<(X@LBgbw0?vp?!l8{Onl?d9jv?Zu z-SLN%bw!h=>#-48BX5wjz>fNw?=y-!hm^pG3~EGnucj6^d_HvZa_~WmI1Tlke}2<+ zV0S~^efKTbWC(2ePQQ|yPP9DE&4S<7{#On!rNQdjhOSbYjTUz3_yjh9t%Q~L@~E1t z$VY}?3JE|-DBvd!_F?7!tv~A2F;inxQ*vtRgCH27oU?O-D_t?beVozR8Qp23Q0Q*Z zM!T*ME8*NWu*&Q-^p_W{Va`fmKhQ z^m1>U&iFSH=e7dX&!HBrW;&s3;qfic(5p0+*H*vYKUFZ>9}9fu&xtrRo4)L9)elMk8I?El5bNJXZ@gj0jCr6;B5wX=5TP&s*PdvL+kH9 zHBQVY(?w5r=0fR2lU8#Gg4~A;?ej;Eb%cY?dqjw4fQsbDp;7xEt<>ll$!6r{UI^si zLa-D-5BdKf!?=qyG((ZZIPHZ|qW}^A(P)H2Ag!T4qdzH8k*~ 
zq@@)#RUwm9QDu!t;J8%Cb1f}Ux1;3`gh09f_a30U@b4`MFbza?omt^`1Wo#Lwa|~I zaSA!R;4L+&TYX$uv@eTf&0n?E@lQ-WrF)Im6{Xf zz|imC7)Jt&+tBDV4dlOD+7nEh@P#3%nswF#ly+Tsww$>1U7I&a&}a}=C&M;9H)C^Z zI4ITNk6ClgB92T}P`f53P*;310<(Zck4LRvA2)krYYgN$kR*b2vUEd{1;={)<1Of) zY-j~iAIXv{*C=~xgyARW#L`kf&ah-snbB{2UWsUJzxi+rdM|i*Jq>+fvBhvPQz1my zVAal;<&b%LMI@vLCy-=2?3C_3-WG&E?nZulavK0UY{m9V=bs&vq z2z)XPBW2oOD!sm1OJwT17wob1Jyk-%K>MG>mR10k*fa}-?FVc|GXzO;d|%Py83|)J z;$XPMQUz3KlkoSKrFH>WN^*e^b8!5n2AcY}UerptC|f5>iBBYYO(JxJpb+ z1KUH-03e{}yAC=}4)5 z&%c3X93)By^u0x#Yn0h9kX)#hy%(O>xicJV_TY%af8*JeU8Bbls0|kpBe5ai&1@%R zYo&MfiFJfNdb&H~bgI3U8Q^QR6b2pXGtjlgS)k!31>et_S!N>i5TDoTv%Ke&Zxnm8 zSzOy~5+&5+Vlc>5g}uUi&CZ>Lk~#AM_1T=Tqy`G0#|QB;^D_}#$LHYoy9~tdvy|;{t ztLwT%A-KC!XmEEc+!9D|cL~AW-Ccu2C^Q6uySoP`xVyVM)s^RczpqD+?jGab`}e;4 z=NWZQowK&BwdY)O;j*4ALYu*P4l!2*O`Qd)my0ir+ghwzvu{bd6j#*e4h94w;#2As z;!QMqGrh~lNvL&4;k8+TRsDc@S4gIY9`;{-pLeLx+p;?O{RJ`>0`X7ByUp5ljrv=J z{XGE>kqMN74WG^Rgl_~_{O4n}xIG!IX5l@z^gInFBEp?y+OyLOXRVWA5bZoubqfT) z7TG!B&?c=p)9NVUtu@9uCzLNvDf*-!bNP^pN{ zTMO`m2YDzcv-E^-Q_APXY`R zC4W7zYs6s$6UMYZ5;JE%A)%}BZ?N@%Q)fGKC#qTi>Qu=i#}B>RJ<4_(1?H7&2h&9uPdEGoVV3Ny4pN$=zOrKesskQM!nAS-ycc0Ih|_`}WT3z#~YvTQIV zx4vwyVUXyF!bIsG614mmlH{X;jRt|u295j~o34W?zR1&z%hj1mBVH-$1w{mNeHt6e za))WN{k#ewj;cAUl$H%}hLtIk=2o&&ie&Ba4g*r^8`jEMmHlv}x#{ak`vu!_sAs30 ztb|XNN9D?g^`z+UXW zh*=sVJ?V3xMs8k-iEooWP$VYHs|N+e*@QZUEof>7tUKNJ#bLTQ9ImLZgJx0KyP1ZFRlhZgCC*JndSLDPZvnhC+MwUEFboC-zJj?y& z+ixclb&7VO`{bU8e85Y5!9h~+^QGdMkZkNnp84)}`?$ss;^^i-LG}aVp&UaSESA7j zD<->aZrng+=(WV{FXa$YLiNMDTv;Cppvz}H@s&HlFQlWPa@&@k1Vrob-LYUdQohH> z1XVpsKOY<&?t33uA*_PsQVvlE(h^?32%cKeJ{fsVvW{Dob3F)v3im$&)L~Ft=KCM= zHFPdT<>4IjX`oYH9nui31)t)EUV zl}(bk6w@=vfL0?nst_+*RvkPrSTT80xdeVxjw^P{3Z?ZLF1xHZG4=1S$?nIC|1eBw z+&PbJu0!c~^DJ^lZra`LPro|BJfG>T^ccaFx+RPaMObYr32nS!o3VL-4fK5rUeq1o zDASE-#P#sBkOwxhYx#U-#ePuazL;a79DT*o zhZy}br$t;+sQv-PG8mcleB-h7df#7oC1KEQrzjk#bY@cpNPAFxs@ZcTe2G6ldtbTc zOOyR-Q|%7Xb?*DV0Ni#wSDU6^WrxA?mGLYB4)|3;83G;Z-H+_~t*SU^5ZVRnuko{x 
zNo4dV;kf+dZxvvs2v$Rb3`K4g06F2~@x5CC91Hi`Oikq=71}KT>_Viayc&M}VSv`R8##3n z`(hpv?P*LIILxxOLe(@9z`8%O+<(}A9SZ;0%L>zINI^y2BlXZo%`OE?^~ji|p*Aak zxynp7Rv=krd}spOV29wJvXJ^PVO7si$-oKGSy&{Rj8sUFDa3a*Kq=6ecL|npm)cM9 zH~&pikP^@#s5s;BC_ojaX(v1=bPtx@X>Me!+|GH|f;;(4=7JM%@54W)np@o6io)eM zAM()zXt1bZ3h!bi_&iT41sJ`UPVe)xQGyq}oTr_~3}oeNo;vmts_-kv=JQpKR5qM9 zzTsvX@Ub2QIR~~9SU8+33dVped!+9lj5mCtKg`Q?8;@h4o#x7-tf*VaPq z8K8ZK$<@P;2Jb85Z^mr}i9!1m2IcnD)~>RyQ>-nS$f-?kSpVgMFFSL z05Qqj37hcEHJdNk@BC$Z{$l#zJ8m@q9^&lh%zvTOr+mw$2h~Lm%IvxQNrm+)n74`4Nrg{0!^TvKV2v6V!ir#;r~z*oI}Pz!Z2LTIXC0e9yN_+tSIVrV zF-*dJzw#XCOg6JD)A=`Hb`1^~c=DS3leIleROd*5U2dkwq6Y3jJ_q@ z)XB<-63Ym4|HJt~sqxIOO@eO`_8K1J!?*Ej#-l=_4BLNJ2<&B)DzU_V^Ah$wEn5S3 zqeZ>o9lK=;Lnpy|wpX~k7Z2M6#v^IuUPS?0W9#`6KoL)W|4Vy(7e?W)<-gVUPIY+E zYztmf=K1z+7v&aHkgR|_+wNw1K0SFk2A?MM%0Hbxxe|LdDk`O(JNJW%cMuGd5&@;W zz+l$5jR>VvnXYttJziQ;Us+k|W>st*Iv1(vhcA5t?*DnhF~q%>t`tldXY${$0*4D`fO$l2tl5YlRxJk_zh%c z94r8(7Q^kmo=D7^!$kZc!XO=1S?)(w>NtbqWWx)(pg_O!USO!i{5Yu1)DGyo?~2HK zh)KK*Z$GB9&5}myVY4GW?2PVxf&wcmJ^W^mSGl%Eq+jVTP6Xae!J5qW$EfjpC8eZA zOMFI^&fBN{c==N4N#%%r#5>B9 zklD&z@~cYl?e$2a=?$WPuA21}XAW%Jb+%>9Dl z^q1K0ZZuk%w@yf^AtG>zP)g-bKa~*=)h0^Yf4N&;r7yer1a7ksIP-qi#r=9J{dmQe z;4;-K_n6^M8D{?{0zf~D8-rjMEiuvnn5_0DNd5&=WhF0iWzA!;D1ZbQKMmkrO>z`F zNxddG4V=Y{`Vj}hT%{tK7Wvf0tD0T|N^%^(Fn4^;ZD<0DhmuL2b#=>4tbP(S^q?e- zBlYQA#3>NXx#W`5^p8^!sCMU7*@!P)g4-z9o#?N6Htan%9P4khOkzJS6v7hPAu455~>Fe?u$T_W5}=_@BX z(4;ayWAW8D=9>qJHbgqS%?7PIIx z-DAxT3)tbXxZh_iIw1NrU@eMoI@~7xu<@JZvhVY&Fif5zC+$QM!`r>uVtcl7? 
z$RMi~=1pc|7p{Nt*N2gtI;3I-wjk%*A`h#tl&O_kL04!f(iHwu8GP4~@(%OXs+Yr> z*B39bkxgzZ*F)n1*$uE#QZs~vf8x8pa)4W*+p`gmG@{|Y)@l(p5U zLSXQmNs4(SRG`n#)0_O>%wP@X?{^}pzIU8dXpAq})Yh+dpVnA{p3n%4rrg(i7G!uC zD+jjP6$sI4rdvHmGhR5o?m7_3g`MF_z*=m4VG9-%zSlZ73z~7p)Pq!7K0UH-&8X`> zf@CE}Dt!(2dUW5j&$?_UUNEX`dNi~Xz|`mw;YHwS4D^vrYPh_q?Aj+$KQPSFO$*}u zy{Js>ZGQ)_8cViOrBQ=tOI9$9$%;)viix4Iz{bsYW=|jj}Hx`FdC4T_G z+Zj3yS>L3N{v4nBE+`4*@QFnfRn8mG?jR?)C9**woug@egaa)SGlf*0ZJyC}rRxBZRA-<2DQ^6;Cp zmZg(A$(=V-DhDuIn8xpdO#03lMBw2sJLF68#{z|GP-HN`&gQo69j$~y{trV!uIZ~P zFrXas*Mby#Q1lp0*IaNZ$IVrD(`~ordBTW=eC)Ju01lVc8ZM5D8P;f;G>V3eB{ueGmcbUTguTvooxJ#V=TP`gXMvv@-d^jS>;`Zt9Yh9T8^KX@(1Y&?qQBel(2y8JRqkJ> z+ka0TH8qP)VCdxTQcSMryVccE8pqb$LG*ACbRohXMkU3HPnd6 zBfR99AC!A6VMw$5p2=Ac+{1)0=MPPW`eM_X59bDX-;jn2{_wA!N@+O+#}Tvz>X7AB zc4FFX4cc!7V~7r%WihAM@@^Dn5EVOVZ4j&)WEipu$^mu16cRfpC&61%EIHQ#Zg_yVD?J)ED)-@9_0^Qa1hV<<;K-zlsc@XjxsmN}xXeAZ zy@#LQk!Aa_q9ardu0P2oN7~N(FuGfk171$HHa%{OR+;U_dpI?jx0=8VcPa||adr6K z3$#7;I|0E1@^ad*imEw>I(NiT>u!6S(cfFQdk2pu638tlUlk(=8UUK>kNi5Qemj%( zt>GSxyYpovd#?>7-$ncpJAF2q(fQb+w61!Q%}5daB^o@~k76CpL6Io}Tek~Q?8hVV z8|TbDi))&D8{NSvzHeHtn_9tT5L(I3V|(_e5AM;Gh#bFYv^rMd!WU!C^fL=;exhS! 
z&tnmAqYQ+YeaFgIrd;3cO3;{UYSk1v5lskg(x7yRFzU3cg`;dmPC3nr(eE7VR}?~S zR~7U0d{y7-nstv6KaD%TT%nuhFj;_FVYeboRrJAA1%TT# z$rVK^Ty;4DMZt-K?|QX4dFK65X^iMiH{-6d*M0f!0ndvU$DCY--&6bHa6!!SdBsrh z?+b$VL-JSctykbN&bv0@Dd*Fco8f1}D83!Gr8OKZkQ?@1Bl+!awyU%itVRc zktFO%uc4A+80tZ{*Yrn(+oMsI1JZKkcgduFj22-m--Q7swuTqbw5yBYNucVVQ@Lj8 zY?j&-hV8^=nNJYkftx~wwRA3O*A>y)9q#OeAjUBsy}u6Z5-wLdczXU;#%!Kyz8y*l z_JvD@8L2LRPlSPrs6L!ryOs#81>S5Qb|#r&T;VvyXuCA)HCQ2;bm@yg@A}Eo>~V>v z=xh=S)S_6>6P&UAUScC(sh+nFI^Rwu*kin2d)`vtVfFc#G4Hivp5Q*o`l~Fc#@0%Nve*qRBd2_wx<4fq+p5$EqV&EFiJGLlNZ#@oX(9kNo?q& zSwuW)cbpE_)9q&|ZE>2XTl?4)n%RRDPU7`6jg2j5oZMP9z)(=)GgXwU=Gq=wW9+Mz8wy_`?Rp&)W>Z{>nmM)(rR zB+iS8tgVKx;>i0ghYfL(wkNd}-?oIW!1ZBsB7)>i2#LMEcU;7Y6m7JN_=!tC@MB@tk7j zCqpo(>8}eDS73@Ap7K6RaNnJMlpbmL z&F-oDnc&NhEa23{BW(C z!jH4hl0MIO7o`l{Z=9_UL?+7FIgu)951yGk2l!xAy5qsFK$vQ$T{#FV@0l@ha+yE_lWaAe#G0%#Lx6|ZdU3LdH zH)C=Cr-G#@HeSMuJ+Ku!6&--L{z2b6r*%m?*xav$00iHt{uBJI03D&`TAGHNqPl zk?|4ZAMR_KJq*av!0-n_!?~s)a(UPhXqZ&UTnDhLEghkUy0#*+{h4K%=pXg9o?-x! z{o3_p7qX$l{Sz5C2$ugqpvF3Zx0G{#63A95FZ-NJj5WhEsZ}<)WTO;$j$~Djc>G4& z^zPHed`p6cW#0wEC1LF)hJ|#y%ltZ6o`3T%oa=(mFZhEi6lY4ipEl@$CsO#r+mF%8 z=IcRnt&dm}B__<)5~UdIje{fQ6`#Vp0x# zk_O$o4nTXpPVbq>r9oY!PYUV+F;<=Z@)g1Wt8IKq8@AeBT6c@B=#2avjQkvQ^jxl8 zuYuZLvXQ?IT-bz7>@pu1y1iHk4d!nu9)KKzI}4T;t6P0h!`sS=NFC0&6l?#8wCw~O zU?a?!E&NbQ-(`lhPa!s%gjLX^Q?w!^&_fsjqb@yMfV!*v(+D?{3G?GT%7`^HCO6d3OiC3)kiVkBk~-bB z>6R}O;!rMAP{vj%Z4V%gZQpGkzCwcDl;iS<+($e7w1fHVS5-_$z$`zgYVB=eScooO zm@$dBOI1Zr@;oxrQ0S{>NQJOofPUDgp=i`xqozHG8Sfd zkH1Tmdpw(MJ%P~o-c;QHIciMZAu44&`m;uZvRPx+WQNOiH!^CL=Yzr_$+-O@so~R@%r=vkpU_T8Dl)p^Oy^I71A3{E5ybd(zgO zvi*f021OZ%$$Az0dO$dG{+-Z9g}v@}16v~d(=~jr`Nt+_FV2DSqYzC4m#uPf?~9yl z&xiE@(zd5$Xw$FmefrbO0B1rzE+Uw9NX;$NY;ozq?UTjT-GL63weQ~{@V^LzhT)>| zZERY8RDGCb{>o}3#d>(R{m(SxRka`+Tr8#?5$E8S1k_*l$w5E zl1%(5O~&x;5$D;+-ubSHwx_=L>+4*6IFLPe_Qms&&zvk^^RWGZmtjPAt7kjsME0VV zA;Oad2JWl&-T;Uk&=vF<5CL#qqwp$wW3A3+vF&3{LZBl8M(; z!36u!Zq#k|%&X*iF~XHPovan=d3<$(f9ZFY?rb4%WdzPIu|4q+7?v>xf_qypC97eI 
z%cL9ARE@AlJ};=0GDAoppx#i5QaCeD1yuhS<~Z6kL2mww-yiDjp*8Jt~0U&e;5y zd5*8`p7`jR7VK;~w zKy?@;boX1w`djthpI=yUC`~#sygAV1Yk;Ei!*>$E&N@QS;Q7FJ@0}W6R3Blyry|vh z^%Vb#Xb1_$KO8c=e8LopuHyirETA-|e%cYz_YV`H_&IR>;4n1&P1Yt7PCS}*6AjUZ26(&GHBSG)U3&TI>5F=sSrV57^O3AM>f0;=Z|Ym>fRlY(Qy za=0q0eI|uk^iwr>4>Rk!x=7%K2WDI8O^(wlJ4WU_o-?K93YklU zptb(F-OYklM5n_*HST)c9{ri*^jrHc%xILjHvRnGqpoL?ql;_*q;KAzDc%hfZl$y) zZTJaenTp73rapeX^JAWa%a=I0H=AheV>vGrpOXRgMyBzq8Sjq(E~OA)S~?Q~X%uOD z?>gP8&KSGOJ~gCMQsr+CLUuV3)A6D; z5-v#7HqW;D3~KoCSGpH-#)(l2dM_V>vr7k-VcrSjc!{peNrW0QNh>+GUW#>E6fS_w z1_Fr@unj&+-pE^OX>WAR`S8lySqTUTr1ROYaUAzlhb`8cn{E%pLZa-9URJ;G-9i(o z6Fy4Dm#R5(rYLI6G~A$srpaxR%uuR2=^q}bk`_K8=6cEDycppO3$Qz8l4in>)Ph|1 z>D3;lSozYg5zoa?2*@d4Y3P|t1}2f7C+#Exi(zhWVLXnuKA7n>01uZKF@+_7hTiaW z#8r)3L%tfUqD}!tej#<-lpF$3)x(ZhfTt%<^kLt|!LVPFy~&Qs;um@tI6u#887DkU z?-3OpL*bUCUoGg4WM`r+)2r6w^qa#c`XID{R~*O=enrHjQPx#u-0QGx+X#SUCh0fY zf!t50r*kr|qZD@m6SR2;k6&=x{*bw1)OYQz*Ie5CB#9>fB=J;GeMRMArrfAYvn2^r z(yQ4w;v6FD-^B#j_S8^+_iStz@tGlul}?UCPb-J!oma9rT9H=Qj_|iql~$}}MqKTQ z2I);_+s(IPCYgGXH?9U3Clysy$Jg6=^1rEBO_u{C9R6=UX8J{cYM<6ikx=_1Xyp6i zsNLY}7rc8`n_i^-Z9b`Y8=8hs?>&TfGu#RBjFvX^Xq$)L8j&&Us`PbGyJ5U(AmRj>AV{J@4uAlxE`F2$s8F<*=RZa5tCmT(vI5uvM}@1azpnl28P-})*^zO)|nVJ!K=OzoP%;P{*y7}34-FA^k#w7JuZ$(XV%%eneXg9 z-Bx;8?lya$Tcsh%Y!qt&`ZMu58EZ7kIVHq1Ma0UYUn*74TUTRF&~K5L)A8FY|L3|5AlJo#jzngO0WM-u!T;MOSW{jM9=!8 zlsUm-*`g8q%kix!5J*Z%NlC{uwViD9M|(P9U_DT4rxfjO>Y{|d&q}L*|mXZ7AcVsOK60+Ug4zii(c8hzh%ySVwVT#5m%$Qha1GX!pBqkh!iwWSRLJz*Z zzq^Mjbe7@Ki4vS*9Z+SX?r)3BKa+}VQJR=gjQ(MPqXQr1t36XBrA#L%y7Z6q`|H<#;* zVs$Bq+o$81;NduCEpb58vb^{C)n2;kx3@mulqHp`I=lhN1AgkA06E;4^utV4K*_vh zIbWCAe4cI$K$rZ3xN@w5rQ93c)oAO(N>v*>QkWz4#zGBBMHUs|83|JPNL1D-kH^;o zowkMtaTl`06aBxWQi+_^Fxvt>hwnX*dU*>gf2qAtstH*53s@?q_<_1U!U+gRQWvQR zCogEMCoG(K`_BL@v$EjnvxjS=`d-Uw$@@K12WeR`=UwT^HGbIf5*-U}J7!-x1XlhH z0+TBd>c3GM%HObnhgm^Lj)ljh*si5p2WBvDttdi)9BFmy;(+g7tkGIX$qGiUY)cu| zp2I-*Yk2)q)R?7LTitt7VqJlx83bLcRR^r zKcqEth*m?ssj;&=m0(ZC%0C|xF*IM*EChK0Nc$H57uEQuU19xyA~Qqi<`CmRnhz}G 
zbN>BMqyIegKQ@JM-2OA9{-OL!N&UY`5BUH2j8enH!?O#Yjk!HEOaF!!bjUZr@K-iC zPlKx$2V|?qN)Qwjl&kWqji!i}g#}GoTKWY@dF9l)I%&ZTA>hV0!fHXhWEBM|vMYOK z7Z>it#Kbllhy-87qArU}I{Wss!wf5FV z*o8LF+N%Yv+qeUleHTG2BBIE?J}G-7tf`FSgM@M1|IXw1f7DSfb1K$#lgA6yG!Swh zI^=)zr_<#MMfO1a9`5M*1;29nGLu_1Vd3C`6~$L^F=I9$a-LC; z1m5*tdq*j$A_k(#QaO|akS24_z-GKN(Im=sjge#4if`lYQyUf`NLflB>0;jWHGZ07 zZ|=L}aXNTo{&ex;8bfU0C;7!@jOzv0VLQr509lCQc{>zA%yX7FWMg}C{k!fLF{J3g zIot9?q0}hrnT5)HV%p_w(@gF;OWa2%;g9onDDCG(uEoe5rwI~F5(H7cz`VP-YuDU5 z{7vHU+=Re>Rbr5S{Tr1(#_Ql_03KQ&u3Q7fTAxLxjUR8?pbcr(65b*xsqT}2OWedytS;chcG`<&riC(Y(wzeXMcfso^ zpkjaQq~`E?!G#SCGo6juzZjxp!Xm;7{ADi^LznG=?k@6xE8+!K&zdjb;{CF0Gf|Zew_5Qd1yuyxri8b?s%O$TKb{)!Z zq-u|sU~P7|5V7rY#z3lM|L2zvK21!>496XTbH<_L2k}t$TppfbuK}~<(f(Qy8SCH} zGjh=Y4tF37sI!w3BFb3I@i*%n1f8XThrRrsicT1ykg_*fe}LYK$Jz>D5PIvHE7z^I z)kGfUaa&kbuz2mo!rAB>zoB|x9~C~mi5a+#)QGruHMMIZR>T#uus%`(@OXJWzZlFc zEY^NwQ@{EQ1%)X8QA%8mmX+`s7y}JGN%B(dc;*4*Zp0Vz&xtDu0`kW%-P-c1~(5{+fR zTpd4*8wUwR=P^Cqog&9h)9mpptD1*@M48dD39nQnSQrM4(=+nCyu=olRs;xE33TW- z;uKOPoU=AWzSv1uj+}`nx>9F@odhI;-=PC`tcK3mVW%cr^xGB5~ryA}6sCck7u zY~}bjWeha1qkaB_e^|5V?O`L&&vdP1<`|v388%=PG_D;y`l3P;B2-pC#6%w|Q!1@( z2e0?Wagab7Kk9ph+V+r?>%zGowz`?9dvB9|;6i(6S>6i8Cj5l&RBD5Gqq@C}RM{12 z!HvP&W!#uIOcr4{_ZoG$ZQs2tuYyHtq^6U^uU|t3MVmxs*#1oAR7TqeFW@+Ty3PI| z>fU42Sd|LlHT(li3x56`P%(R$Vm&FXra7Et$AgWt-JeW+^~VL0Z~DUxQfz^_>+W

diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index bba42e5d55..e225fb543c 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -145,7 +145,7 @@ The **Set up School PCs** app guides you through the configuration choices for t ![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png) -5. To assign a name to the student PCs, in the **Assign a name to these student PCs** page: +5. To assign a name to the student PCs, in the **Name these devices** page: 1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client. > [!NOTE] 
@@ -191,13 +191,17 @@ The **Set up School PCs** app guides you through the configuration choices for t 3. Click **Next** or **Skip** depending on whether you want to set up Take a Test. -8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include Minecraft: Education Edition and several STEM and Makerspace apps. +8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following: + * **Office 365 for Windows 10 S (Education Preview)** - Your student PCs must be running Windows 10 S to install this app. If you try to install this app on other editions of Windows, setup will fail. + * **Minecraft: Education Edition** - Free trial + * Popular **STEM and Makerspace apps** + 1. Select the apps that you would like to provision and then click **Next** when you're done. 2. Click **Skip** if you don't want to provision any apps. **Figure 6** - Select from a set of recommended Microsoft Store apps - ![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps.png) + ![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_office061217.png) The set of recommended Microsoft Store for Education apps may vary from what we show here. From da0fa02c279ac0a85984f04e36cad8e18745f9a2 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 12 Jun 2017 15:31:35 -0700 Subject: [PATCH 09/29] TFS 12109167, Policy CSP added new power policies for RS3 --- .../policy-configuration-service-provider.md | 94 +++++++++++++++++-- 1 file changed, 88 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 2e94c38cc8..529bc97a23 100644 
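Review bot: In the hunk at @@ -191,13 the Windows 10 S restriction on the Office 365 (Education Preview) item is a hard failure mode ("If you try to install this app on other editions of Windows, setup will fail"), so it belongs in a `> [!NOTE]` callout of its own, together with how the admin can confirm the edition before ticking the box, rather than as a trailing clause inside a bullet. The three new bullets also use three different shapes (`**Office 365 for Windows 10 S (Education Preview)** - ...`, `**Minecraft: Education Edition** - Free trial`, `Popular **STEM and Makerspace apps**`); make them parallel, bold app name followed by one short description each. The replacement screenshot name embeds a date (`suspc_createpackage_recommendedapps_office061217.png`); a stable name avoids churning this reference on every refresh, and please confirm whether the old `suspc_createpackage_recommendedapps.png` is removed elsewhere in the series or is now an orphaned asset.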
--- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -11653,10 +11653,23 @@ ADMX Info: -

Added in Windows 10, the next major update. +

Added in Windows 10, the next major update. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display. +

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. + +

If you disable or do not configure this policy setting, users control this setting. + +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + +ADMX Info: +- GP english name: *Turn off the display (on battery)* +- GP name: *VideoPowerDownTimeOutDC_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + @@ -11686,10 +11699,24 @@ ADMX Info: -

Added in Windows 10, the next major update. +

Added in Windows 10, the next major update. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display. + +

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. + +

If you disable or do not configure this policy setting, users control this setting. + +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + +ADMX Info: +- GP english name: *Turn off the display (plugged in)* +- GP name: *VideoPowerDownTimeOutAC_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + @@ -11719,10 +11746,24 @@ ADMX Info: -

Added in Windows 10, the next major update. +

Added in Windows 10, the next major update. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. + +

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. + +

If you disable or do not configure this policy setting, users control this setting. + +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + +ADMX Info: +- GP english name: *Specify the system hibernate timeout (on battery)* +- GP name: *DCHibernateTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + @@ -11752,9 +11793,23 @@ ADMX Info: -

Added in Windows 10, the next major update. +

Added in Windows 10, the next major update. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. + +

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. + +

If you disable or do not configure this policy setting, users control this setting. + +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + +ADMX Info: +- GP english name: *Specify the system hibernate timeout (plugged in)* +- GP name: *ACHibernateTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + @@ -11825,10 +11880,23 @@ ADMX Info: -

Added in Windows 10, the next major update. +

Added in Windows 10, the next major update. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. +

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. + +

If you disable or do not configure this policy setting, users control this setting. + +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + +ADMX Info: +- GP english name: *Specify the system sleep timeout (on battery)* +- GP name: *DCStandbyTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + @@ -11858,10 +11926,24 @@ ADMX Info: -

Added in Windows 10, the next major update. +

Added in Windows 10, the next major update. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. + +

If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. + +

If you disable or do not configure this policy setting, users control this setting. + +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. + +ADMX Info: +- GP english name: *Specify the system sleep timeout (plugged in)* +- GP name: *ACStandbyTimeOut_2* +- GP path: *System/Power Management/Sleep Settings* +- GP ADMX file name: *power.admx* + + From 065333f4ed850e065c35c99e0c2368244bee2642 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 12 Jun 2017 15:39:56 -0700 Subject: [PATCH 10/29] TFS 12109167 Policy CSP fixed ADMX information in the new power policies --- .../mdm/policy-configuration-service-provider.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 529bc97a23..b03b85ac87 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -11666,7 +11666,7 @@ ADMX Info: ADMX Info: - GP english name: *Turn off the display (on battery)* - GP name: *VideoPowerDownTimeOutDC_2* -- GP path: *System/Power Management/Sleep Settings* +- GP path: *System/Power Management/Video and Display Settings* - GP ADMX file name: *power.admx* @@ -11713,7 +11713,7 @@ ADMX Info: ADMX Info: - GP english name: *Turn off the display (plugged in)* - GP name: *VideoPowerDownTimeOutAC_2* -- GP path: *System/Power Management/Sleep Settings* +- GP path: *System/Power Management/Video and Display Settings* - GP ADMX file name: *power.admx* From 454468cb2e5941e058ce68d402f57eb312da20d1 Mon Sep 17 00:00:00 2001 
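Review bot: In the hunk at @@ -11653,10 the ADMX path for `VideoPowerDownTimeOutDC_2` is given as `System/Power Management/Sleep Settings`, but this is a display policy, and the follow-up commit 065333f4 (PATCH 10/29) changes both display entries to `System/Power Management/Video and Display Settings`; squash that fix into this commit so no intermediate revision carries the wrong path. The same hunk, like every entry this patch adds, uses the placeholder `Added in Windows 10, the next major update.`; the page otherwise names versions, so this needs the release name or version number before publishing, or a tracked follow-up so it is not forgotten.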
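Review bot: In the hunk at @@ -11719,10 the added sentence `this can prevent the sleep transition from occuring` misspells `occurring`, and the same misspelling is carried into the @@ -11752, @@ -11825 and @@ -11858 hunks. In the two hibernate entries (`DCHibernateTimeOut_2`, `ACHibernateTimeOut_2`) that sentence also talks about the "sleep transition" although the policy governs the hibernate transition; if the wording is copied verbatim from power.admx keep it for fidelity, otherwise say "hibernate transition" so the admin reading only this entry is not misled.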
From: Maricia Alforque Date: Mon, 12 Jun 2017 15:52:54 -0700 Subject: [PATCH 11/29] Policy CSP, added prerelease header --- .../mdm/policy-configuration-service-provider.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index b03b85ac87..22b0ccdf16 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -11,6 +11,9 @@ author: nickbrower # Policy CSP +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. The Policy configuration service provider has the following sub-categories: From fd5ad665151bde77b3c6d84bb552df68dc418d6b Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Tue, 13 Jun 2017 08:56:03 -0700 Subject: [PATCH 12/29] removing file --- store-for-business/add-profile-to-devices.md | 81 -------------------- 1 file changed, 81 deletions(-) delete mode 100644 store-for-business/add-profile-to-devices.md diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md deleted file mode 100644 index 7ced700353..0000000000 --- a/store-for-business/add-profile-to-devices.md +++ /dev/null 
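Review bot: the `@@ -11,6 +11,9 @@` hunk places the prerelease warning at the top of the whole Policy CSP topic, so it also covers policies that have already shipped; either point the warning at the entries it applies to (those marked "Added in Windows 10, the next major update", as the power policies in this series are) or repeat it on those entries, so readers can tell which information is prerelease. Also, "prereleased product" reads better as "prerelease product".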
@@ -1,81 +0,0 @@ ---- -title: Add profile to manage Windows installation on devices (Windows 10) -description: Add an AutoPilot profile to devices. AutoPilot profiles control what is included in Windows set up experience for your employees. -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: store -author: TrudyHa -localizationpriority: high ---- - -# Add Windows AutoPilot deployment profile to devices - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -## What is AutoPilot -Windows AutoPilot simplifies device set up for IT Admins. You create and apply an AutoPilot profile to your devices. When people in your organization run the out-of-box experience on the device, it installs and configures Windows based on the profile you applied to the device. - -Windows AutoPilot deployment program sets these items: -- Skips setup for Cortana, OneDrive, and OEM registration -- Automatically sets up work or school accounts - -You can decide whether or not to set these items: -- Skip privacy settings -- Disable local admin account creation on the device - -### AutoPilot requirements -Verify this list ... -- Devices pre-installed with Windows 10 Pro Creators Update (version 1703 or later) -- The devices must have access to the internet. When the device can’t connect, it shows the default Windows out-of-box experience (OOBE) screens. -- Enrolling the device into an MDM requires Azure Active Directory Premium. - -For more information, see [Overview of Windows AutoPilot](https://review.docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot?branch=dh-autopilot11975619). - -## AutoPilot in Microsoft Store for Business and Education -You can manage new devices in Microsoft Store. Devices need to meet these requirements: -- Windows 10 (version ... which???) -- Specific hardware vendor??? -- New devices that have not been through Windows out-of-box experience. - -You can create and apply AutoPilot profiles to these devices. 
The overall process looks like this. - -![Block diagram with main steps for using AutoPilot in Microsoft Store for Business: upload device list; group devices (this step is optional); add profile; and apply profile.](images/autopilot-process.png) - -Figure 1 - AutoPilot process - -## Add devices -To manage devices through Microsoft Store for Business and Education, you'll need a csv file that contains specific information about the devices. You should be able to get this from the supplier or store where you purchased the devices. - -The device information file needs to be in this format: - -| Column | Data | -| --------- | ---- | -| column A | data type 1| -| column B | data type 2| -| column C | data type 3| - -**Upload device list** -1. Sign in to [Microsoft Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then click **Devices**. -3. - -## Group devices -Info on creating groups. - -Why would you use them? - -**Create device groups** - -## Add profile -Info on adding profiles -- need to create one to start; can have multiple; can edit later - -TODO: include info in this topic on managing profiles, making changes, and which devices those changes are applied to -- or -- have a separate topic on managing AutoPilot profiles - -**Add AutoPilot profile** - -## Apply profile -Info on selecting devices by group or individually to apply profile \ No newline at end of file From 832f521b7b475cac0fbc107d116de9ed79f8037c Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 13 Jun 2017 14:21:40 -0700 Subject: [PATCH 13/29] add kiosk wizard version --- .../set-up-a-kiosk-for-windows-10-for-desktop-editions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index e7a7a025ab..c302cdc63f 100644 
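Review bot: the `@@ -1,81 +0,0 @@` hunk deletes store-for-business/add-profile-to-devices.md with no other file touched, so check that no table of contents entry or topic still links to it, or the build will be left with a dangling link. Dropping the draft is otherwise the right call given what it contains: placeholders such as "Windows 10 (version ... which???)", "Specific hardware vendor???" and the "TODO: include info in this topic" line, an empty step 3 under "Upload device list", and a review.docs.microsoft.com link that must not ship.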
--- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -21,7 +21,7 @@ localizationpriority: high A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions. -- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only). +- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only). or From 3833a1b8c9d835df1b6ebff6f877bb2bc994b226 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Tue, 13 Jun 2017 15:51:50 -0700 Subject: [PATCH 14/29] Policy CSP TFS12109167, added the MDM policy name DeviceLock/PreventLockScreenSlideShow to the new power policy descriptions --- .../policy-configuration-service-provider.md | 152 +----------------- 1 file changed, 6 insertions(+), 146 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f5b66571a5..155df95bfd 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -11954,29 +11954,6 @@ ADMX Info: **Power/DisplayOffTimeoutOnBattery** - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- -

Added in Windows 10, the next major update. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display. @@ -11984,7 +11961,7 @@ ADMX Info:

If you disable or do not configure this policy setting, users control this setting. -

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. @@ -12000,28 +11977,6 @@ ADMX Info: **Power/DisplayOffTimeoutPluggedIn** - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
-

Added in Windows 10, the next major update. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display. @@ -12030,8 +11985,7 @@ ADMX Info:

If you disable or do not configure this policy setting, users control this setting. -

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. @@ -12047,29 +12001,6 @@ ADMX Info: **Power/HibernateTimeoutOnBattery** - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- -

Added in Windows 10, the next major update. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. @@ -12077,9 +12008,8 @@ ADMX Info:

If you disable or do not configure this policy setting, users control this setting. -

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. ADMX Info: @@ -12094,29 +12024,6 @@ ADMX Info: **Power/HibernateTimeoutPluggedIn** - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- -

Added in Windows 10, the next major update. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. @@ -12124,7 +12031,7 @@ ADMX Info:

If you disable or do not configure this policy setting, users control this setting. -

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. @@ -12181,29 +12088,6 @@ ADMX Info: **Power/StandbyTimeoutOnBattery** - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- -

Added in Windows 10, the next major update. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. @@ -12211,7 +12095,7 @@ ADMX Info:

If you disable or do not configure this policy setting, users control this setting. -

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. @@ -12227,29 +12111,6 @@ ADMX Info: **Power/StandbyTimeoutPluggedIn** - - - - - - - - - - - - - - - - - - - - -
HomeProBusinessEnterpriseEducationMobileMobileEnterprise
cross markcheck mark3check mark3check mark3check mark3cross markcross mark
- -

Added in Windows 10, the next major update. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. @@ -12257,8 +12118,7 @@ ADMX Info:

If you disable or do not configure this policy setting, users control this setting. -

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - +

If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature. From 1479189fb8cc916f4eb1867b571b0254f02971e7 Mon Sep 17 00:00:00 2001 From: John Tobin Date: Tue, 13 Jun 2017 16:44:16 -0700 Subject: [PATCH 15/29] Block list edits --- .../deploy-code-integrity-policies-steps.md | 469 +++++++++++++++++- ...-on-the-device-guard-deployment-process.md | 13 +- 2 files changed, 479 insertions(+), 3 deletions(-) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index d13224f45d..5049f022b1 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md 
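Review bot: the six hunks headed `@@ -11954,29 +11954,6 @@`, `@@ -12000,28 +11977,6 @@`, `@@ -12047,29 +12001,6 @@`, `@@ -12094,29 +12024,6 @@`, `@@ -12181,29 +12088,6 @@` and `@@ -12227,29 +12111,6 @@` each delete the edition-support table (Home, Pro, Business, Enterprise, Education, Mobile, Mobile Enterprise) from a power policy entry, but the commit subject only says the DeviceLock/PreventLockScreenSlideShow name was added, and the diffstat (6 insertions, 146 deletions) shows the table removal is almost the entire change. State in the message why these six entries lose the table that the other Policy CSP entries keep, or split the removal into its own commit so the two changes can be reviewed separately.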
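Review bot: the rewritten `+` lines in the hunks headed `@@ -12077,9 +12008,8 @@`, `@@ -12124,7 +12031,7 @@`, `@@ -12211,7 +12095,7 @@` and `@@ -12257,8 +12118,7 @@` keep the misspelling "occuring" (`this can prevent the sleep transition from occuring`); since each line is being replaced anyway to insert `(DeviceLock/PreventLockScreenSlideShow)`, correct it to "occurring" in the same edit. The two display hunks (`@@ -11984,7 +11961,7 @@` and `@@ -12030,8 +11985,7 @@`) do not have the problem.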
@@ -20,7 +20,474 @@ For an overview of the process described in the following procedures, see [Deplo The process for creating a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents. -> **Note**  Before you begin this procedure, ensure that the reference PC is clean of viruses or malware. Each piece of installed software should be validated as trustworthy before you create this policy. Also, be sure that any software that you would like to be scanned is installed on the system before you create the code integrity policy. +> **Note**  Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy. + +### Scripting and applications + +Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference PC for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed, and Windows Script Host (WSH), which can be manually disabled if you do not want it to run scripts. +You can remove or disable such software on reference PCs used to create code integrity policies. 
You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). + +Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Device Guard code integrity policies. + +In certain circumstances, if the use case is appropriate, for example if your operational scenario requires elevated security, you may want to block these applications. For example, if you have a code integrity policy that trusts all Microsoft-signed applications, we recommend that you block the following applications (optional in the case of cscript.exe and wscript.exe) from running on your systems: + +- bash.exe +- bginfo.exe +- cdb.exe +- cscript.exe1 +- csi.exe +- dnx.exe +- fsi.exe +- kd.exe +- lxssmanager.dll +- msbuild.exe2 +- mshta.exe +- ntsd.exe +- rcsi.exe +- windbg.exe +- wscript.exe1 + +1 Microsoft Windows Script Host (WSH) is an automation technology for Microsoft Windows operating systems that allows scripts to load and run. It comprises two files, wscript.exe and cscript.exe. When WSH is enabled, scripts are allowed. However, when Device Guard is enabled, the functionality of WSH scripts is restricted by default. + +2 If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe. 
+ +* Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people: + +
+ +|Name|Twitter| +|---|---| +|Casey Smith |@subTee| +|Matt Graeber | @mattifestation| +|Matt Nelson | @enigma0x3| +|Oddvar Moe |@Oddvarmoe| + +
+ +>!Note +>This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. + +When an application version is upgraded, you may want to add deny rules to your code integrity policies for that application’s previous, less secure versions, especially to fix a vulnerability or potential Device Guard bypass. Certain vendors may or may not intend to update their software to work with Device Guard. + +To block the listed applications, you can merge this policy into your existing policy by adding the following deny rules using the Powershell Merge-CIPolicy cmdlet: + +``` + + + 10.0.0.0 + {A244370E-44C9-4C06-B551-F6016E563076} + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + +``` + +### Disable Windows Script Host + +If you are using Device Guard code integrity policies, the policies place constraints on Powershell and WSH scripts. When Device Guard is enabled, by default, PowerShell scripts execute in “ConstrainedLanguage” language mode, in which neither wscript.exe and cscript.exe can invoke untrusted Active X controls or COM objects. However, signed PowerShell scripts are permitted to execute in “FullLanguage” language mode, and trusted or signed wscript or cscript scripts can invoke Active X controls or COM objects. For further information on Powershell language modes, see [Language Modes](https://msdn.microsoft.com/en-us/powershell/reference/4.0/microsoft.powershell.core/about/about_language_modes). + +Alternatively, though script hosts are safer with Device Guard enabled, if your reference PC does not require any scripting, you may want to completely disable WSH. Disabling WSH prevents all users from running any scripts, including VBScript and JScript scripts. Note that some applications may require WSH to be enabled. 
You can disable WSH by configuring Device Guard code integrity policies. + +### Disable Windows Script Host using code integrity policies + +To disable Windows Script Hosting, you can simply create further deny rules to add the script hosts (wscript.exe and cscript.exe) to the list of blocked applications in your code integrity policy as follows: +``` + + + 1.0.0.0 + {A244370E-44C9-4C06-B551-F6016E563076} + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +
+ +The June 2017 Windows updates resolve a vulnerability in Powershell that allowed an attacker to bypass Device Guard code integrity policies. Powershell cmdlets cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. We recommend that you block the following Powershell cmdlets and merge this policy into your existing policy by adding the following deny rules using the Merge-CIPolicy cmdlet: + +``` + + + 10.0.0.0 + {A244370E-44C9-4C06-B551-F6016E563076} + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + +``` +
To create a code integrity policy, copy each of the following commands into an elevated Windows PowerShell session, in order: diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md index 3e922b1c6b..2ab4faeb53 100644 --- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md @@ -25,12 +25,21 @@ This topic provides a roadmap for planning and getting started on the Device Gua 3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one code integrity policy for them. More variety across departments might mean you need to create and manage more code integrity policies. The following questions can help you clarify how many code integrity policies to create: - How standardized is the hardware?
This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment. - - Is there already a list of accepted applications?
A list of accepted applications can be used to help create a baseline code integrity policy.
As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). - - What software does each department or role need? Should they be able to install and run other departments’ software?
If multiple departments are allowed to run the same list of software, you might be able to merge several code integrity policies to simplify management. - Are there departments or roles where unique, restricted software is used?
If one department needs to run an application that no other department is allowed, it might require a separate code integrity policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate code integrity policy. + - Is there already a list of accepted applications?
A list of accepted applications can be used to help create a baseline code integrity policy.
As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). + + - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts? + In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Device Guard code integrity policies. + You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). + + Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass code integrity policies. For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your code integrity policies. Other applications whose older versions have vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. Once applications with vulnerabilities are fixed, you can create a rule that only allows the fixed version or newer versions of that application. 
The decision to allow or block applications depends on the context and on how the reference system is being used. + + Security professionals collaborate with Microsoft® continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies. + Depending on the context, you may want to block these applications. To see the list of applications, and for use case examples such as disabling Windows Script Host (WSH) or disabling msbuild.exe, (See [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps)). + 4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files). ## Getting started on the deployment process From b0bdc1c8779b38f0890abafcaab8d065179bd9cb Mon Sep 17 00:00:00 2001 
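Review bot: in the `@@ -20,7 +20,474 @@` hunk the three policy fragments are inconsistent with each other: the block-list and PowerShell-hash fragments declare version `10.0.0.0`, the Windows Script Host fragment declares `1.0.0.0`, and all three reuse the same two policy GUIDs `{A244370E-44C9-4C06-B551-F6016E563076}` and `{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}`; either give each fragment its own values or say explicitly that these are placeholders that Merge-CIPolicy replaces with the existing policy's values. wscript.exe and cscript.exe are already in the block list ("optional in the case of cscript.exe and wscript.exe"), so the separate "Disable Windows Script Host using code integrity policies" fragment that adds "further deny rules" for the same two binaries duplicates them; say whether readers merge one fragment or both. The sentence "The June 2017 Windows updates resolve a vulnerability in Powershell" needs a link to the specific update or advisory, because hash rules match only the exact binaries they were computed from and readers need to know which builds the listed hashes cover. Smaller points in the same hunk: the admonition is written `>!Note` instead of `> [!NOTE]`, "malware-free,and" lacks a space, "neither wscript.exe and cscript.exe" should be "neither ... nor", and "Powershell" alternates with "PowerShell" throughout.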
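Review bot: the new bullet in the `@@ -25,12 +25,21 @@` hunk ("As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?") runs to four paragraphs while every sibling bullet is one or two lines, and it repeats text from the deploy-steps hunk nearly verbatim (the "Device Guard with AppLocker" sentence and the "security community ... identified a list" paragraph). Keep a short pointer here and the detail in deploy-code-integrity-policies-steps.md. That pointer should be a relative link like the topic's other links (the context line links `introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md`), not the absolute technet.microsoft.com URL, and "msbuild.exe, (See [Deploy code integrity policies: steps](...))." should lose the comma and the capital. The hunk also moves the "Is there already a list of accepted applications?" bullet below "Are there departments or roles where unique, restricted software is used?", which is unrelated to the addition and makes the diff harder to read; leave it in place. Drop the ® on "Microsoft®"; the rest of the patch writes the name without it.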
From: John Tobin Date: Tue, 13 Jun 2017 17:27:32 -0700 Subject: [PATCH 16/29] Fix note and syntax --- .../deploy-code-integrity-policies-steps.md | 10 +++++----- ...g-started-on-the-device-guard-deployment-process.md | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 5049f022b1..932cebc339 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -20,7 +20,7 @@ For an overview of the process described in the following procedures, see [Deplo The process for creating a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents. -> **Note**  Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy. +>[!Note]   Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy. ### Scripting and applications @@ -64,12 +64,12 @@ In certain circumstances, if the use case is appropriate, for example if your op
->!Note +>[!Note] >This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. When an application version is upgraded, you may want to add deny rules to your code integrity policies for that application’s previous, less secure versions, especially to fix a vulnerability or potential Device Guard bypass. Certain vendors may or may not intend to update their software to work with Device Guard. -To block the listed applications, you can merge this policy into your existing policy by adding the following deny rules using the Powershell Merge-CIPolicy cmdlet: +To block the listed applications, you can merge this policy into your existing policy by adding the following deny rules using the PowerShell Merge-CIPolicy cmdlet: ``` 
@@ -153,7 +153,7 @@ To block the listed applications, you can merge this policy into your existing p ### Disable Windows Script Host -If you are using Device Guard code integrity policies, the policies place constraints on Powershell and WSH scripts. When Device Guard is enabled, by default, PowerShell scripts execute in “ConstrainedLanguage” language mode, in which neither wscript.exe and cscript.exe can invoke untrusted Active X controls or COM objects. However, signed PowerShell scripts are permitted to execute in “FullLanguage” language mode, and trusted or signed wscript or cscript scripts can invoke Active X controls or COM objects. For further information on Powershell language modes, see [Language Modes](https://msdn.microsoft.com/en-us/powershell/reference/4.0/microsoft.powershell.core/about/about_language_modes). +If you are using Device Guard code integrity policies, the policies place constraints on PowerShell and WSH scripts. When Device Guard is enabled, by default, PowerShell scripts execute in “ConstrainedLanguage” language mode, in which neither wscript.exe and cscript.exe can invoke untrusted Active X controls or COM objects. However, signed PowerShell scripts are permitted to execute in “FullLanguage” language mode, and trusted or signed wscript or cscript scripts can invoke Active X controls or COM objects. For further information on PowerShell language modes, see [Language Modes](https://msdn.microsoft.com/en-us/powershell/reference/4.0/microsoft.powershell.core/about/about_language_modes). Alternatively, though script hosts are safer with Device Guard enabled, if your reference PC does not require any scripting, you may want to completely disable WSH. Disabling WSH prevents all users from running any scripts, including VBScript and JScript scripts. Note that some applications may require WSH to be enabled. You can disable WSH by configuring Device Guard code integrity policies. 
@@ -250,7 +250,7 @@ To disable Windows Script Hosting, you can simply create further deny rules to a
-The June 2017 Windows updates resolve a vulnerability in Powershell that allowed an attacker to bypass Device Guard code integrity policies. Powershell cmdlets cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. We recommend that you block the following Powershell cmdlets and merge this policy into your existing policy by adding the following deny rules using the Merge-CIPolicy cmdlet: +The June 2017 Windows updates resolve a vulnerability in PowerShell that allowed an attacker to bypass Device Guard code integrity policies. Powershell cmdlets cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. We recommend that you block the following PowerShell cmdlets and merge this policy into your existing policy by adding the following deny rules using the Merge-CIPolicy cmdlet: ``` diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md index 2ab4faeb53..d122d6450b 100644 --- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md 
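Review bot: the `+` line applies the capitalization fix only partly: "Powershell cmdlets cannot be blocked by name or version" still has the lowercase form while the other two occurrences on the same line become "PowerShell". Separately, since the first sentence says the June 2017 updates resolve the vulnerability, say which binaries the listed hashes correspond to (the pre-update versions) so the reader understands why the deny rules are still recommended on a system that has installed the update.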
@@ -35,7 +35,7 @@ This topic provides a roadmap for planning and getting started on the Device Gua In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Device Guard code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). - Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass code integrity policies. For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your code integrity policies. Other applications whose older versions have vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. Once applications with vulnerabilities are fixed, you can create a rule that only allows the fixed version or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used. + Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass code integrity policies. 
For operational scenarios that require elevated security, certain applications with known Code Integrity bypass vulnerabilities may represent a security risk if you whitelist them in your code integrity policies. Other applications whose older versions have vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. Once applications with vulnerabilities are fixed, you can create a rule that only allows the fixed version or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used. Security professionals collaborate with Microsoft® continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies. Depending on the context, you may want to block these applications. To see the list of applications, and for use case examples such as disabling Windows Script Host (WSH) or disabling msbuild.exe, (See [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps)). From 6abdf69de7136cd58b916d4aa15d66c54dea614a Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 14 Jun 2017 07:39:50 -0700 Subject: [PATCH 17/29] change MDM protocol in TOC --- windows/client-management/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index 57e0175c71..40c24a2981 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md 
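Review bot: the `+` text changes "known Code Integrity bypasses" to "known Code Integrity bypass vulnerabilities", but the surrounding paragraph describes legitimate applications whose intended functionality can be abused to bypass a policy, not applications with vulnerabilities; "known Code Integrity bypasses" or "known bypass techniques" matches that description. The context line that follows, "...or disabling msbuild.exe, (See [Deploy code integrity policies: steps](...))", has a stray comma and an unneeded parenthesis around the See link; worth cleaning up while this paragraph is being edited.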
@@ -9,5 +9,5 @@ ## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md) ## [Windows libraries](windows-libraries.md) -## [Mobile device management protocol](mdm/index.md) +## [Mobile device management for solution providers](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) From 2aa4b8f40b58e8b9d6c5a48ae0975c5e2f92a3e0 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 14 Jun 2017 07:50:11 -0700 Subject: [PATCH 18/29] add MDM To index table --- windows/client-management/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/index.md b/windows/client-management/index.md index 7dc6c63ae6..226c9237e7 100644 --- a/windows/client-management/index.md +++ b/windows/client-management/index.md @@ -28,4 +28,5 @@ Learn about the administrative tools, tasks and best practices for managing Wind |[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options| |[Deploy Windows 10 Mobile](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile| |[Windows libraries](windows-libraries.md)| Considerations and instructions for managing Windows 10 libraries such as My Documents, My Pictures, and My Music.| +|[Mobile device management for solution providers](mdm/index.md) | Procedural and reference documentation for solution providers providing mobile device management (MDM) for Windows 10 devices. | |[Change history for Client management](change-history-for-client-management.md) | This topic lists new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. | \ No newline at end of file From 0f94759eac421fd3e0a2ba59cdd981db94ab2306 Mon Sep 17 00:00:00 2001 
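Review bot: the index.md hunk adds the MDM row but leaves the file without a trailing newline ("\ No newline at end of file"); add one. The new row's description, "for solution providers providing mobile device management", repeats the verb; "Procedural and reference documentation for solution providers that offer mobile device management (MDM) for Windows 10 devices" reads better and still matches the renamed TOC entry in the previous hunk.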
From: Trudy Hakala Date: Wed, 14 Jun 2017 10:21:54 -0700 Subject: [PATCH 19/29] adding file to toc --- store-for-business/education/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md index 2e4ef3a73c..0d7c5cb939 100644 --- a/store-for-business/education/TOC.md +++ b/store-for-business/education/TOC.md @@ -32,4 +32,5 @@ ### [Update Microsoft Store for Business and Microsoft Store for Education account settings](/microsoft-store/update-windows-store-for-business-account-settings?toc=/microsoft-store/education/toc.json) ### [Manage user accounts in Microsoft Store for Business and Education](/microsoft-store/manage-users-and-groups-windows-store-for-business?toc=/microsoft-store/education/toc.json) ## [Troubleshoot Microsoft Store for Business](/microsoft-store/troubleshoot-windows-store-for-business?toc=/microsoft-store/education/toc.json) +## [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) From 1465835c399ee2f02d9cb4cd35363339d22cbe45 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 14 Jun 2017 10:22:30 -0700 Subject: [PATCH 20/29] adding notification topic to toc --- store-for-business/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md index ba2c1b8c8a..514ff6cfea 100644 --- a/store-for-business/TOC.md +++ b/store-for-business/TOC.md @@ -27,4 +27,5 @@ ### [Update Microsoft Store for Business and Microsoft Store for Education account settings](update-windows-store-for-business-account-settings.md) ### [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md) ## [Troubleshoot Microsoft Store for Business](troubleshoot-windows-store-for-business.md) +## [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) 
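Review bot: in store-for-business/education/TOC.md the new entry uses a bare relative path, `notifications-microsoft-store-business.md`, while every neighbouring entry in that file uses the `/microsoft-store/<topic>?toc=/microsoft-store/education/toc.json` form; the topic lives under store-for-business (the store-for-business/TOC.md hunk that follows links it relatively from there), so the education TOC entry will not resolve unless it follows the same absolute form as its siblings: `/microsoft-store/notifications-microsoft-store-business?toc=/microsoft-store/education/toc.json`.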
From 640a04bf64e961f1b299d4facf4c312f3ef03381 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 14 Jun 2017 10:31:50 -0700 Subject: [PATCH 21/29] removed topic about how Windows 10 uses TPM to allow more review --- windows/device-security/TOC.md | 1 - .../tpm/how-windows-uses-the-tpm.md | 274 ------------------ 2 files changed, 275 deletions(-) delete mode 100644 windows/device-security/tpm/how-windows-uses-the-tpm.md diff --git a/windows/device-security/TOC.md b/windows/device-security/TOC.md index d4f7015047..9305ed157e 100644 --- a/windows/device-security/TOC.md +++ b/windows/device-security/TOC.md @@ -649,7 +649,6 @@ ## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md) ### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md) -### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md) ### [TPM fundamentals](tpm/tpm-fundamentals.md) ### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md) ### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md) diff --git a/windows/device-security/tpm/how-windows-uses-the-tpm.md b/windows/device-security/tpm/how-windows-uses-the-tpm.md deleted file mode 100644 index 9c4c75440a..0000000000 --- a/windows/device-security/tpm/how-windows-uses-the-tpm.md +++ /dev/null 
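Review bot: the TOC hunk removes the "How Windows 10 uses the TPM" entry together with the topic itself, but the deleted topic is the only visible user of `..\images\tpm-capabilities.png` and `..\images\tpm-remote-attestation.png` and may be linked from other TPM topics; before merging, check for inbound links to `tpm/how-windows-uses-the-tpm.md` and decide whether the two images are now orphaned. If the intent is only to hold the page for more review, as the commit message says, a build exclusion or draft marker would keep the history simpler than a delete followed by a later re-add.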
@@ -1,274 +0,0 @@ ---- -title: How Windows 10 uses the TPM (Windows 10) -description: This topic for the IT professional has an overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows 10. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft ---- - -# How Windows 10 uses the TPM - -Windows 10 improves existing security features and adds new groundbreaking security features such as Device Guard and Windows Hello for Business. -It places hardware-based security deeper inside the operating system than previous Windows versions, maximizing platform security while increasing usability. -To achieve many of these security enhancements, Windows 10 makes extensive use of the Trusted Platform Module (TPM). - -This article offers a brief overview of the TPM, describes how it works, and discusses the benefits that TPM brings to Windows 10—as well as the cumulative security impact of running Windows 10 on a PC that contains a TPM. - -**See also** - -- [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/windows-10-specifications) -- [TPM Fundamentals](tpm-fundamentals.md) -- [TPM Recommendations](tpm-recommendations.md) - -## TPM Overview - -The TPM is a cryptographic module that enhances computer security and privacy. -Protecting data through encryption and decryption, protecting authentication credentials, and proving which software is running on a system are basic functionalities associated with computer security. -The TPM helps with all these scenarios and more. - -Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. -Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. -Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. 
-Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. - -TPMs are passive: they receive commands and return responses. -To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. -TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. -Before it can be used for advanced scenarios, however, a TPM must be provisioned. -Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. - -The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. -The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. -The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). - -OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. -Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. -For example, software alone cannot reliably report whether malware is present during the system startup process. 
-The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. -Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. -For example, if a key stored in a TPM has properties that disallow exporting the key, that key *truly cannot leave the TPM*. - -The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. -There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. -In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs, whereas others do not. - -Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. -Although having a TPM is clearly better than not having a TPM, Microsoft’s best advice is to determine your organization’s security needs and research any regulatory requirements associated with procurement for your industry. -The result is a balance between scenarios used, assurance level, cost, convenience, and availability. - -## TPM in Windows 10 - -The security features of Windows 10 combined with the benefits of a TPM offer practical security and privacy benefits. -The following sections start with major TPM-related security features in Windows 10 and go on to describe how key technologies use the TPM to enable or increase security. - -## Platform Crypto Provider - -Historically, Windows has included a cryptography framework called *Cryptographic API: Next Generation* (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API). 
-Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented much less the algorithm itself. - -Although CNG sounds like a mundane starting point, it illustrates some of the advantages that a TPM provides. -Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third party hardware. -If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG. - -The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software only CNG providers cannot offer or cannot offer as effectively: - -- **Key protection.** The Platform Crypto Provider can create keys in the TPM with restrictions on their use. - The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. - The Platform Crypto Provider can also configure keys that a TPM protects so that they are not removable. - If a TPM creates a key, the key is unique and resides only in that TPM. - If the TPM imports a key, the Platform Crypto Provider can use the key in that TPM, but that TPM is not a source for making additional copies of the key or enabling the use of copies elsewhere. - In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use. - -- **Dictionary attack protection.** Keys that a TPM protects can require an authorization value such as a PIN. - With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. 
- After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. - Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back. - In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. - -These TPM features give Platform Crypto Provider distinct advantages over software-based solutions. -A practical way to see these benefits in action is when using certificates on a Windows 10 device. -On platforms that include a TPM, Windows can use the Platform Crypto Provider to provide certificate storage. -Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate. -In mixed environments, where some computers might not have a TPM, the certificate template could simply prefer the Platform Crypto Provider over the standard Windows software provider. -If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. -If the certificate requires a PIN, the PIN gains the TPM’s dictionary attack protection automatically. - -## Virtual Smart Card - -Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. -Users insert a smart card into a built-in or USB card reader and enter a PIN to unlock it. -Windows can then access the card’s certificate and use the private key for authentication or to unlock BitLocker protected data volumes. 
-Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN). -Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers. - -In Windows, the Virtual Smart Card feature allows the TPM to mimic a permanently inserted smart card. -The TPM becomes “something the user has” but still requires a PIN. -Although physical smart cards limit the number of PIN attempts before locking the card and requiring a reset, a virtual smart card relies on the TPM’s dictionary attack protection to prevent too many PIN guesses. - -For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. -Using a component that is part of the system rather than a separate physical smart card can reduce total cost of ownership because it eliminates “lost card” and “card left at home” scenarios while still delivering the benefits of smart card–based multifactor authentication. -For users, virtual smart cards are simple to use, requiring only a PIN to unlock. -Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access. - -## Windows Hello for Business - -Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. -In addition, user name- password solutions for authentication often reuse the same user name–password combinations on multiple devices and services; if those credentials are compromised, they are compromised in many places. 
-Windows Hello for Business provisions devices one by one and combines the information provisioned on each device (i.e., the cryptographic key) with additional information to authenticate users. -On a system that has a TPM, the TPM can protect the key. -If a system does not have a TPM, software-based techniques protect the key. -The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition. -To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices. - -The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. -Windows Hello for Business lets a user authenticate with an existing Microsoft account, an Active Directory account, an Azure Active Directory account, or even non-Microsoft Identity Provider Services or Relying Party Services that support [Fast ID Online V2.0 authentication](http://go.microsoft.com/fwlink/p/?LinkId=533889). - -Identity providers have flexibility in how they provision credentials on client devices. -For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. -The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1): - -- **Endorsement key.** The TPM manufacturer can create a special key in the TPM called an endorsement key. - An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that that manufacturer made. - Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM). 
- -- **Attestation identity key.** To protect privacy, most TPM scenarios do not directly use an actual endorsement key. - Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. - The identity CA issues attestation identity key certificates. - More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. - -![TPM capabilities](..\images\tpm-capabilities.png) -*Figure 1 TPM capabilities* - -For Windows Hello for Business, Microsoft can fill the role of the identity CA. -Microsoft services can issue an attestation identity key certificate for each device, user, and identify provider to ensure that privacy is protected and to help identity providers ensure that device TPM requirements are met before Windows Hello for Business credentials are provisioned. - -## BitLocker Drive Encryption - -BitLocker provides full-volume encryption to protect data at rest. -The most common device configuration splits the hard drive into several volumes. -The operating system and user data reside on one volume that holds confidential information, and other volumes hold public information such as boot components, system information and recovery tools. -(These other volumes are used infrequently enough that they do not need to be visible to users.) -Without additional protections in place, if the volume containing the operating system and user data is not encrypted, someone can boot another operating system and easily bypass the intended operating system’s enforcement of file permissions to read any user data. 
- -In the most common configuration, BitLocker encrypts the operating system volume so that if the computer or hard disk is lost or stolen when powered off, the data on the volume remains confidential. -When the computer is turned on, starts normally, and proceeds to the Windows logon prompt, the only path forward is for the user to log on with his or her credentials, allowing the operating system to enforce its normal file permissions. -If something about the boot process changes, however—for example, a different operating system is booted from a USB device—the operating system volume and user data cannot be read and are not accessible. -The TPM and system firmware collaborate to record measurements of how the system started, including loaded software and configuration details such as whether boot occurred from the hard drive or a USB device. -BitLocker relies on the TPM to allow the use of a key only when startup occurs in an expected way. -The system firmware and TPM are carefully designed to work together to provide the following capabilities: - -- **Hardware root of trust for measurement.** A TPM allows software to send it commands that record measurements of software or configuration information. - This information can be calculated using a hash algorithm that essentially transforms a lot of data into a small, statistically unique hash value. - The system firmware has a component called the *Core Root of Trust for Measurement* (CRTM) that is implicitly trusted. - The CRTM unconditionally hashes the next software component and records the measurement value by sending a command to the TPM. Successive components, whether system firmware or operating system loaders, continue the process by measuring any software components they load before running them. Because each component’s measurement is sent to the TPM before it runs, a component cannot erase its measurement from the TPM. (However, measurements are erased when the system is restarted.) 
The result is that at each step of the system startup process, the TPM holds measurements of boot software and configuration information. Any changes in boot software or configuration yield different TPM measurements at that step and later steps. Because the system firmware unconditionally starts the measurement chain, it provides a hardware-based root of trust for the TPM measurements. At some point in the startup process, the value of recording all loaded software and configuration information diminishes and the chain of measurements stops. The TPM allows for the creation of keys that can be used only when the platform configuration registers that hold the measurements have specific values. - -- **Key used only when boot measurements are accurate.** BitLocker creates a key in the TPM that can be used only when the boot measurements match an expected value. - The expected value is calculated for the step in the startup process when Windows Boot Manager runs from the operating system volume on the system hard drive. Windows Boot Manager, which is stored unencrypted on the boot volume, needs to use the TPM key so that it can decrypt data read into memory from the operating system volume and startup can proceed using the encrypted operating system volume. If a different operating system is booted or the configuration is changed, the measurement values in the TPM will be different, the TPM will not let Windows Boot Manager use the key, and the startup process cannot proceed normally because the data on the operating system cannot be decrypted. If someone tries to boot the system with a different operating system or a different device, the software or configuration measurements in the TPM will be wrong and the TPM will not allow use of the key needed to decrypt the operating system volume. As a failsafe, if measurement values change unexpectedly, the user can always use the BitLocker recovery key to access volume data. 
Organizations can configure BitLocker to store the recovery key in Active Directory Domain Services (AD DS). - -Device hardware characteristics are important to BitLocker and its ability to protect data. -One consideration is whether the device provides attack vectors when the system is at the logon screen. -For example, if the Windows device has a port that allows direct memory access so that someone can plug in hardware and read memory, an attacker can read the operating system volume’s decryption key from memory while at the Windows logon screen. -To mitigate this risk, organizations can configure BitLocker so that the TPM key requires both the correct software measurements and an authorization value. -The system startup process stops at Windows Boot Manager, and the user is prompted to enter the authorization value for the TPM key or insert a USB device with the value. -This process stops BitLocker from automatically loading the key into memory where it might be vulnerable, but has a less desirable user experience. - -Newer hardware and Windows 10 work better together to disable direct memory access through ports and reduce attack vectors. -The result is that organizations can deploy more systems without requiring users to enter additional authorization information during the startup process. -The right hardware allows BitLocker to be used with the “TPM-only” configuration giving users a single sign-on experience without having to enter a PIN or USB key during boot. - -## Device Encryption - -Device Encryption is the consumer version of BitLocker, and it uses the same underlying technology. -How it works is if a customer signs in with a Microsoft account and the system meets InstantGo hardware requirements, BitLocker Drive Encryption is enabled automatically in Windows 10. -The recovery key is backed up in the Microsoft cloud and is accessible to the consumer through his or her Microsoft account. 
-The InstantGo hardware requirements inform Windows 10 that the hardware is appropriate for deploying Device Encryption and allows use of the “TPM-only” configuration for a simple consumer experience. -In addition, InstantGo hardware is designed to reduce the likelihood that measurement values change and prompt the customer for the recovery key. - -For software measurements, Device Encryption relies on measurements of the authority providing software components (based on code signing from manufacturers such as OEMs or Microsoft) instead of the precise hashes of the software components themselves. -This permits servicing of components without changing the resulting measurement values. -For configuration measurements, the values used are based on the boot security policy instead of the numerous other configuration settings recorded during startup. -These values also change less frequently. -The result is that Device Encryption is enabled on appropriate hardware in a user-friendly way while also protecting data. - -## Measured Boot - -Windows 8 introduced Measured Boot as a way for the operating system to record the chain of measurements of software components and configuration information in the TPM through the initialization of the Windows operating system. -In previous Windows versions, the measurement chain stopped at the Windows Boot Manager component itself, and the measurements in the TPM were not helpful for understanding the starting state of Windows. - -The Windows boot process happens in stages and often involves third-party drivers to communicate with vendor-specific hardware or implement antimalware solutions. -For software, Measured Boot records measurements of the Windows kernel, Early-Launch Anti-Malware drivers, and boot drivers in the TPM. 
-For configuration settings, Measured Boot records security-relevant information such as signature data that antimalware drivers use and configuration data about Windows security features (e.g., whether BitLocker is on or off). - -Measured Boot ensures that TPM measurements fully reflect the starting state of Windows software and configuration settings. -If security settings and other protections are set up correctly, they can be trusted to maintain the security of the running operating system thereafter. -Other scenarios can use the operating system’s starting state to determine whether the running operating system should be trusted. - -TPM measurements are designed to avoid recording any privacy-sensitive information as a measurement. -As an additional privacy protection, Measured Boot stops the measurement chain at the initial starting state of Windows. -Therefore, the set of measurements does not include details about which applications are in use or how Windows is being used. -Measurement information can be shared with external entities to show that the device is enforcing adequate security policies and did not start with malware. - -The TPM provides the following way for scenarios to use the measurements recorded in the TPM during boot: - -- **Remote attestation.** Using an attestation identity key, the TPM can generate and cryptographically sign a statement (or *quote*) of the current measurements in the TPM. - Windows 10 can create unique attestation identity keys for various scenarios to prevent separate evaluators from collaborating to track the same device. - Additional information in the quote is cryptographically scrambled to limit information sharing and better protect privacy. - By sending the quote to a remote entity, a device can attest which software and configuration settings were used to boot the device and initialize the operating system. 
- An attestation identity key certificate can provide further assurance that the quote is coming from a real TPM. - *Remote attestation* is the process of recording measurements in the TPM, generating a quote, and sending the quote information to another system that evaluates the measurements to establish trust in a device. - Figure 2 illustrates this process. - -When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. -Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state. - -![Remote attestation](..\images\tpm-remote-attestation.png) -*Figure 2 Remote attestation* - -## Health attestation - -Some Windows 10 improvements help security solutions implement remote attestation scenarios. -Microsoft provides a Health Attestation service, which can create attestation identity key certificates for TPMs from different manufacturers as well as parse measured boot information to extract simple security assertions, such as whether BitLocker is on or off. -The simple security assertions can be used to evaluate device health. - -Mobile device management (MDM) solutions can receive simple security assertions from the Microsoft Health Attestation service for a client without having to deal with the complexity of the quote or the detailed TPM measurements. -MDM solutions can act on the security information by quarantining unhealthy devices or blocking access to cloud services such as Microsoft Office 365. - -## Credential Guard - -Credential Guard is a new feature in Windows 10 that helps protect Windows credentials in organizations that have deployed AD DS. -Historically, a user’s credentials (e.g., logon password) was hashed to generate an authorization token. -The user employed the token to access resources that he or she was permitted to use. 
One weakness of the token model is that malware that had access to the operating system kernel could look through the computer’s memory and harvest all the access tokens currently in use. -The attacker could then use harvested tokens to log on to other machines and collect more credentials. -This kind of attack is called a “*pass-the-hash*” attack, a malware technique that infects one machine to infect many machines across an organization. - -Similar to the way Microsoft Hyper-V keeps virtual machines (VMs) separate from one another, Credential Guard uses virtualization to isolate the process that hashes credentials in a memory area that the operating system kernel cannot access. -This isolated memory area is initialized and protected during the boot process so that components in the larger operating system environment cannot tamper with it. -Credential Guard uses the TPM to protect its keys with TPM measurements, so they are accessible only during the boot process step when the separate region is initialized; they are not available for the normal operating system kernel. -The local security authority code in the Windows kernel interacts with the isolated memory area by passing in credentials and receiving single-use authorization tokens in return. - -The resulting solution provides defense in depth, because even if malware runs in the operating system kernel, it cannot access the secrets inside the isolated memory area that actually generates authorization tokens handles. -The solution does not solve the problem of key loggers because the passwords such loggers capture actually pass through the normal Windows kernel, but when combined with other solutions, such as smart cards for authentication, Credential Guard greatly enhances the protection of credentials in Windows 10. - -## Conclusion - -The TPM adds hardware-based security benefits to Windows 10. -When installed on hardware that includes a TPM, Window 10 delivers remarkably improved security benefits. 
-The following table summarizes the key benefits of the TPM’s major features. - -| **Feature** | **Benefits when used on a system with a TPM**| -|----------------------------|----------------------------------------------| -| Platform Crypto Provider | - If the machine is compromised, the private key associated with the certificate cannot be copied off the device.
- The TPM’s dictionary attack mechanism protects PIN values to use a certificate.
| -| Virtual Smart Card | - Achieve security similar to that of physical smart cards without deploying physical smart cards or card readers.| -| Windos Hello for Business | - Credentials provisioned on a device cannot be copied elsewhere.
- Confirm a device’s TPM before credentials are provisioned.
| -| BitLocker Drive Encryption | - Multiple options are available for enterprises to protect data at rest while balancing security requirements with different device hardware. | -| Device Encryption | - With a Microsoft account and the right hardware, consumers’ devices seamlessly benefit from data-at-rest protection. | -| Measured Boot | - A hardware root of trust contains boot measurements that help detect malware during remote attestation. | -| Health Attestation | - MDM solutions can easily perform remote attestation and evaluate client health before granting access to resources or cloud services such as Office 365. | -| Credential Guard | - Defense in depth increases so that even if malware has administrative rights on one machine, it is significantly more difficult to compromise additional machines in an organization. | - -Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows 10 security. -Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. -Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/iotcore). -IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements. From 9a0c467cb5ca1690d9149fe3c29ad340e6309f96 Mon Sep 17 00:00:00 2001 From: John Tobin Date: Wed, 14 Jun 2017 10:35:14 -0700 Subject: [PATCH 22/29] Fix notes --- .../device-guard/deploy-code-integrity-policies-steps.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
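Review bot: the deletion hunk above (the TPM text running from the BitLocker recovery-key paragraph through the Conclusion and its feature table) contains removals only; if this content is being moved rather than dropped, the relocated copy should also pick up the spelling errors carried in the removed lines ("Windos Hello for Business", "Window 10 delivers", "authorization tokens handles") and the Platform Crypto Provider and Windows Hello for Business cells, whose bullets appear split across several lines here and would break a single-line Markdown table row. If it is really being dropped, the topic loses its summary table; please confirm which is intended.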
diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 932cebc339..805870b876 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -20,7 +20,8 @@ For an overview of the process described in the following procedures, see [Deplo The process for creating a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents. ->[!Note]   Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy. +> [!Note] +> Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy. ### Scripting and applications From 89e2e5ded93aafa3200e7e120eb55aaa284e854a Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 14 Jun 2017 10:49:59 -0700 Subject: [PATCH 23/29] What's new topic. Updated change history --- .../new-in-windows-mdm-enrollment-management.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) 
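Review bot: the `+` line in the [!Note] hunk still carries the missing space after the comma in "virus and malware-free,and that any software"; since the line is being rewritten anyway, change it to "virus and malware-free, and that any software".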
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 6c95a92a67..f7fea58e82 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1229,6 +1229,15 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).

  • Start/AllowPinnedFolderVideos
  • Update/AutoRestartDeadlinePeriodInDays
  • +

    Added the following new policies for Windows 10, version 1709:

    +
      +
    • Power/DisplayOffTimeoutOnBattery
    • +
    • Power/DisplayOffTimeoutPluggedIn
    • +
    • Power/HibernateTimeoutOnBattery
    • +
    • Power/HibernateTimeoutPluggedIn
    • +
    • Power/StandbyTimeoutOnBattery
    • +
    • Power/StandbyTimeoutPluggedIn
    • +
    @@ -1305,7 +1314,7 @@ Also Added [Firewall DDF file](firewall-ddf-file.md). [Firewall CSP](firewall-csp.md) -

    Added new CSP in the next major update to Windows 10.

    +

    Added new CSP in Windows 10, version 1709.

    MDM support for Windows 10 S @@ -1819,7 +1828,7 @@ Also Added [Firewall DDF file](firewall-ddf-file.md). [CM_CellularEntries CSP](cm-cellularentries-csp.md) -

    To PurposeGroups setting, added the following values for the next major update of Windows 10:

    +

    To PurposeGroups setting, added the following values Windows 10, version 1709:

    • Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
    • Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
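Review bot: the `+` line in the CM_CellularEntries hunk (@@ -1819) drops the preposition: "added the following values Windows 10, version 1709:" should read "added the following values for Windows 10, version 1709:", matching the removed line's "for the next major update of Windows 10".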
    • @@ -1827,7 +1836,7 @@ Also Added [Firewall DDF file](firewall-ddf-file.md). [CellularSettings CSP](cellularsettings-csp.md)

      [CM_CellularEntries CSP](cm-cellularentries-csp.md)

      [EnterpriseAPN CSP](enterpriseapn-csp.md)

      -

      In the next major update of Windows 10, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.

      +

      In the Windows 10, version 1709, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.

      Updated the DDF topics. From b79b3326cae10eb0521adb512d163af14d97aef1 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Wed, 14 Jun 2017 11:02:30 -0700 Subject: [PATCH 24/29] fixing toc reference --- store-for-business/education/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md index 0d7c5cb939..1c2ebc03b3 100644 --- a/store-for-business/education/TOC.md +++ b/store-for-business/education/TOC.md @@ -32,5 +32,5 @@ ### [Update Microsoft Store for Business and Microsoft Store for Education account settings](/microsoft-store/update-windows-store-for-business-account-settings?toc=/microsoft-store/education/toc.json) ### [Manage user accounts in Microsoft Store for Business and Education](/microsoft-store/manage-users-and-groups-windows-store-for-business?toc=/microsoft-store/education/toc.json) ## [Troubleshoot Microsoft Store for Business](/microsoft-store/troubleshoot-windows-store-for-business?toc=/microsoft-store/education/toc.json) -## [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) +## [Notifications in Microsoft Store for Business and Education](/microsoft-store/notifications-microsoft-store-business?toc=/microsoft-store/education/toc.json) From fd5621d2b00197f5ecd2a1fb7ac4793e2774b95f Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 14 Jun 2017 11:08:12 -0700 Subject: [PATCH 25/29] Policy CSP, added version 1709 in new policies --- .../mdm/policy-configuration-service-provider.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 155df95bfd..600a6bf293 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md 
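Review bot: the `+` line in the CellularSettings / CM_CellularEntries / EnterpriseAPN hunk (@@ -1827) has a stray article: "In the Windows 10, version 1709, support was added" should be "In Windows 10, version 1709, support was added", consistent with the other version-1709 wording in this patch ("Added new CSP in Windows 10, version 1709.").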
@@ -11955,7 +11955,7 @@ ADMX Info: **Power/DisplayOffTimeoutOnBattery** -

      Added in Windows 10, the next major update. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display. +

      Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display.

      If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. @@ -11979,7 +11979,7 @@ ADMX Info: -

      Added in Windows 10, the next major update. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display. +

      Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display.

      If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. @@ -12002,7 +12002,7 @@ ADMX Info: **Power/HibernateTimeoutOnBattery** -

      Added in Windows 10, the next major update. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. +

      Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.

      If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. @@ -12025,7 +12025,7 @@ ADMX Info: **Power/HibernateTimeoutPluggedIn** -

      Added in Windows 10, the next major update. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate. +

      Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.

      If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. @@ -12089,7 +12089,7 @@ ADMX Info: **Power/StandbyTimeoutOnBattery** -

      Added in Windows 10, the next major update. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. +

      Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.

      If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. @@ -12112,7 +12112,7 @@ ADMX Info: **Power/StandbyTimeoutPluggedIn** -

      Added in Windows 10, the next major update. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep. +

      Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.

      If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. From 4420622fe3db0973e65453256228f08c9708f087 Mon Sep 17 00:00:00 2001 From: John Tobin Date: Wed, 14 Jun 2017 11:13:10 -0700 Subject: [PATCH 26/29] Fix notes2 --- .../deploy-code-integrity-policies-steps.md | 64 +++++++++++-------- 1 file changed, 39 insertions(+), 25 deletions(-) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 805870b876..343e6c4c8e 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -248,9 +248,7 @@ To disable Windows Script Hosting, you can simply create further deny rules to a ``` -
      - The June 2017 Windows updates resolve a vulnerability in PowerShell that allowed an attacker to bypass Device Guard code integrity policies. Powershell cmdlets cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. We recommend that you block the following PowerShell cmdlets and merge this policy into your existing policy by adding the following deny rules using the Merge-CIPolicy cmdlet: ``` @@ -504,7 +502,7 @@ To create a code integrity policy, copy each of the following commands into an e ` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt ` - > **Notes** + > [!Notes] > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. 
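Review bot: the hunk at @@ -248 shows two `-` lines and no `+` lines immediately before the paragraph that begins "The June 2017 Windows updates resolve a vulnerability in PowerShell"; as rendered here it is not clear whether both removed lines are blank or whether that paragraph itself is removed. Please confirm the paragraph stays, because the deny-rule block that follows it depends on that text to explain why the cmdlets have to be blocked by hash.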
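Review bot: "[!Notes]" in the `+` line of the @@ -504 hunk does not match the alert marker used everywhere else in this patch; the other **Notes** headings in the same change (the hunks at @@ -536 and @@ -544) are converted to "> [!Note]", so use "> [!Note]" here as well so that this block is treated like the other alerts.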
@@ -520,7 +518,8 @@ To create a code integrity policy, copy each of the following commands into an e After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. -> **Note**  We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies). +> [!Note] +> We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies). We recommend that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the next section, [Audit code integrity policies](#audit-code-integrity-policies). 
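Review bot: the context line in the @@ -520 hunk refers to the original .xml file as "IntialScan.xml", while the variables hunk at @@ -650 expects **InitialScan.xml** on the desktop; since this note block is being rewritten, fix the file name in the same change so the two sections agree.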
@@ -528,7 +527,8 @@ We recommend that every code integrity policy be run in audit mode before being When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies. -> **Note**  Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format. +> [!Note] +> Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format. **To audit a code integrity policy with local policy:** 
@@ -536,7 +536,7 @@ When code integrity policies are run in audit mode, it allows administrators to 2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**. - > **Notes** + > [!Note] > - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a code integrity policy that allows viruses or malware to run. @@ -544,7 +544,7 @@ When code integrity policies are run in audit mode, it allows administrators to 3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. - > **Notes** + > [!Note] > - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access. 
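Review bot: in the @@ -536 and @@ -544 hunks the heading changes from **Notes** to [!Note] but the body keeps the "> - " list prefix for what is now a single item; drop the leading "- " so the note renders as plain text like the other converted notes in this patch (for example at @@ -520), rather than as a one-item bullet list under a singular "Note" heading.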
@@ -592,7 +592,8 @@ Use the following procedure after you have been running a computer with a code i ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt` - > **Note**  When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. + > [!Note] + > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. 4. Find and review the Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following: 
@@ -602,7 +603,8 @@ Use the following procedure after you have been running a computer with a code i You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the next section, [Merge code integrity policies](#merge-code-integrity-policies). -> **Note**  You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. +> [!Note] +> You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. ## Use a code integrity policy to control specific plug-ins, add-ins, and modules 
@@ -634,7 +636,8 @@ New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy. -> **Note**  The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine. +> [!Note] +> The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine. To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session: 
@@ -650,7 +653,8 @@ To merge two code integrity policies, complete the following steps in an elevate ` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"` - > **Note**  The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly. + > [!Note] + > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly. 2. Use [Merge-CIPolicy](https://technet.microsoft.com/library/mt634485.aspx) to merge two policies and create a new code integrity policy: @@ -666,7 +670,8 @@ Now that you have created a new code integrity policy (for example, called **New Every code integrity policy is created with audit mode enabled. After you have successfully deployed and tested a code integrity policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session: -> **Note**  Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic. +> [!Note] +> Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic. 1. Initialize the variables that will be used: 
@@ -678,7 +683,7 @@ Every code integrity policy is created with audit mode enabled. After you have s ` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"` - > **Note**  The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. + > [!Note] The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. 2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the code integrity policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options. 
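Review bot: in the @@ -678 hunk the note text stays on the same line as the marker ("> [!Note] The initial code integrity policy..."), unlike every other note converted in this patch, which moves the text onto a following "> " line; split it the same way so the alert renders consistently.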
@@ -696,7 +701,8 @@ Every code integrity policy is created with audit mode enabled. After you have s ` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete` - > **Note**  To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy. + > [!Note] + > To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy. 5. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the new code integrity policy to binary format: 
@@ -712,7 +718,8 @@ Signing code integrity policies by using an on-premises CA-generated certificate Before signing code integrity policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Code integrity policy rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-policy-rules) in "Deploy code integrity policies: policy rules and file rules." -> **Note**  Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers. +> [!Note] +> Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers. To sign a code integrity policy with SignTool.exe, you need the following components: 
@@ -732,7 +739,8 @@ If you do not have a code signing certificate, see the [Optional: Create a code ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` - > **Note**  This example uses the code integrity policy that you created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. + > [!Note] + > This example uses the code integrity policy that you created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. 2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md). 
@@ -746,9 +754,9 @@ If you do not have a code signing certificate, see the [Optional: Create a code ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` - > **Notes**  *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. - - > Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code-integrity-policies-within-windows) section. + > [!Note] + > *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. + Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code-integrity-policies-within-windows) section. 6. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to remove the unsigned policy rule option: 
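Review bot: In the hunk at @@ -746,9 +754,9 @@, the added line `+ Also, adding update signers is crucial to being able to modify or disable this policy in the future. ...` has lost the `>` blockquote prefix that the removed line carried, so it is no longer marked as part of the note: depending on the renderer it is either pulled into the preceding sentence as a lazy continuation or falls out of the alert box altogether. Prefix it with `> ` and keep an empty `>` line between the two paragraphs, as the removed lines had, so both paragraphs stay inside the `[!Note]`.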
@@ -762,7 +770,8 @@ If you do not have a code signing certificate, see the [Optional: Create a code ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` - > **Note**  The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. + > [!Note] + > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. 9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy). 
@@ -780,7 +789,8 @@ If the code integrity policy was deployed by using Group Policy, the GPO that is Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed code integrity policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed code integrity policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps. -> **Note**  For reference, signed code integrity policies should be replaced and removed from the following locations: +> [!Note] +> For reference, signed code integrity policies should be replaced and removed from the following locations: - <EFI System Partition>\\Microsoft\\Boot\\ 
@@ -831,9 +841,11 @@ There may be a time when signed code integrity policies cause a boot failure. Be Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. -> **Note**  This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic. +> [!Note] +> This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic. -> **Note**  Signed code integrity policies can cause boot failures when deployed. We recommend that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment. +> [!Note] +> Signed code integrity policies can cause boot failures when deployed. We recommend that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment. To deploy and manage a code integrity policy with Group Policy: 
@@ -861,13 +873,15 @@ To deploy and manage a code integrity policy with Group Policy: In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 5. - > **Note**  The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. + > [!Note] + > The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. ![Group Policy called Deploy Code Integrity Policy](images/dg-fig26-enablecode.png) Figure 5. Enable the code integrity policy - > **Note**  You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. 
Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. + > [!Note] + > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. 7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section. From 6e2b5a8c6767bd341a30f926d34367fcbbacaca4 Mon Sep 17 00:00:00 2001 From: John Tobin Date: Wed, 14 Jun 2017 11:57:49 -0700 Subject: [PATCH 27/29] Fix line validation warning --- .../device-guard/deploy-code-integrity-policies-steps.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 343e6c4c8e..82621b15ac 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md 
@@ -683,7 +683,8 @@ Every code integrity policy is created with audit mode enabled. After you have s ` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"` - > [!Note] The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. + > [!Note] + > The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. 2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the code integrity policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options. From a7fe44380241b84db676578549b2c88fa9a44015 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 15 Jun 2017 08:45:02 -0700 Subject: [PATCH 28/29] market updates --- .../windows-store-for-business-overview.md | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md index 51740377ed..430cd5c616 100644 --- a/store-for-business/windows-store-for-business-overview.md +++ b/store-for-business/windows-store-for-business-overview.md 
@@ -472,7 +472,7 @@ Microsoft Store for Business and Education is currently available in these marke

    • United Kingdom
    • United States
    • Uruguay
    • -
    • Viet Nam
    • +
    • Vietnam
    • Virgin Islands, U.S.
    • Zambia
    • Zimbabwe
            
    • @@ -489,18 +489,11 @@ Customers in these markets can use Microsoft Store for Business and Education to ### Support for free apps and Minecraft: Education Edition Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition: - Albania -- Armenia -- Azerbaijan -- Belarus - Bosnia - Brazil - Georgia -- Kazakhstan -- Kyrgyzstan -- Moldova +- Korea - Taiwan -- Tajikistan -- Turkmenistan - Ukraine This table summarize what customers can purchase, depending on which Microsoft Store they are using. From 3a1e19b50b6f98f4a730568bc7e4c3add0aeb39c Mon Sep 17 00:00:00 2001 From: Elizabeth Ross Date: Thu, 15 Jun 2017 09:45:07 -0700 Subject: [PATCH 29/29] Revert "Edits to block list process steps document." --- .../deploy-code-integrity-policies-steps.md | 531 +----------------- ...-on-the-device-guard-deployment-process.md | 13 +- 2 files changed, 26 insertions(+), 518 deletions(-) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 82621b15ac..d13224f45d 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md 
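Review bot: In the hunk at @@ -489,18 +489,11 @@ (the "Support for free apps and Minecraft: Education Edition" list in windows-store-for-business-overview.md), the added entry `+- Korea` is ambiguous in a list that otherwise takes care over market names (the sibling hunk corrects `Viet Nam` to `Vietnam`, and entries such as `Virgin Islands, U.S.` are spelled out); suggest the full market name. The commit message "market updates" also gives no source for dropping Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Tajikistan and Turkmenistan from this list, and the summary table introduced by the trailing context line ("This table summarize what customers can purchase ...") is not touched; suggest recording where the market change comes from and checking whether that table needs matching edits.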
@@ -20,473 +20,7 @@ For an overview of the process described in the following procedures, see [Deplo The process for creating a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents. -> [!Note] -> Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy. - -### Scripting and applications - -Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference PC for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed, and Windows Script Host (WSH), which can be manually disabled if you do not want it to run scripts. -You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). - -Members of the security community* continuously collaborate with Microsoft to help protect customers. 
With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Device Guard code integrity policies. - -In certain circumstances, if the use case is appropriate, for example if your operational scenario requires elevated security, you may want to block these applications. For example, if you have a code integrity policy that trusts all Microsoft-signed applications, we recommend that you block the following applications (optional in the case of cscript.exe and wscript.exe) from running on your systems: - -- bash.exe -- bginfo.exe -- cdb.exe -- cscript.exe1 -- csi.exe -- dnx.exe -- fsi.exe -- kd.exe -- lxssmanager.dll -- msbuild.exe2 -- mshta.exe -- ntsd.exe -- rcsi.exe -- windbg.exe -- wscript.exe1 - -1 Microsoft Windows Script Host (WSH) is an automation technology for Microsoft Windows operating systems that allows scripts to load and run. It comprises two files, wscript.exe and cscript.exe. When WSH is enabled, scripts are allowed. However, when Device Guard is enabled, the functionality of WSH scripts is restricted by default. - -2 If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe. - -* Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people: - -
      - -|Name|Twitter| -|---|---| -|Casey Smith |@subTee| -|Matt Graeber | @mattifestation| -|Matt Nelson | @enigma0x3| -|Oddvar Moe |@Oddvarmoe| - -
      - ->[!Note] ->This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. - -When an application version is upgraded, you may want to add deny rules to your code integrity policies for that application’s previous, less secure versions, especially to fix a vulnerability or potential Device Guard bypass. Certain vendors may or may not intend to update their software to work with Device Guard. - -To block the listed applications, you can merge this policy into your existing policy by adding the following deny rules using the PowerShell Merge-CIPolicy cmdlet: - -``` - - - 10.0.0.0 - {A244370E-44C9-4C06-B551-F6016E563076} - {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 0 - - -``` - -### Disable Windows Script Host - -If you are using Device Guard code integrity policies, the policies place constraints on PowerShell and WSH scripts. When Device Guard is enabled, by default, PowerShell scripts execute in “ConstrainedLanguage” language mode, in which neither wscript.exe and cscript.exe can invoke untrusted Active X controls or COM objects. However, signed PowerShell scripts are permitted to execute in “FullLanguage” language mode, and trusted or signed wscript or cscript scripts can invoke Active X controls or COM objects. For further information on PowerShell language modes, see [Language Modes](https://msdn.microsoft.com/en-us/powershell/reference/4.0/microsoft.powershell.core/about/about_language_modes). - -Alternatively, though script hosts are safer with Device Guard enabled, if your reference PC does not require any scripting, you may want to completely disable WSH. Disabling WSH prevents all users from running any scripts, including VBScript and JScript scripts. Note that some applications may require WSH to be enabled. 
You can disable WSH by configuring Device Guard code integrity policies. - -### Disable Windows Script Host using code integrity policies - -To disable Windows Script Hosting, you can simply create further deny rules to add the script hosts (wscript.exe and cscript.exe) to the list of blocked applications in your code integrity policy as follows: -``` - - - 1.0.0.0 - {A244370E-44C9-4C06-B551-F6016E563076} - {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` -
      -The June 2017 Windows updates resolve a vulnerability in PowerShell that allowed an attacker to bypass Device Guard code integrity policies. Powershell cmdlets cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes. We recommend that you block the following PowerShell cmdlets and merge this policy into your existing policy by adding the following deny rules using the Merge-CIPolicy cmdlet: - -``` - - - 10.0.0.0 - {A244370E-44C9-4C06-B551-F6016E563076} - {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 0 - - -``` -
      +> **Note**  Before you begin this procedure, ensure that the reference PC is clean of viruses or malware. Each piece of installed software should be validated as trustworthy before you create this policy. Also, be sure that any software that you would like to be scanned is installed on the system before you create the code integrity policy. To create a code integrity policy, copy each of the following commands into an elevated Windows PowerShell session, in order: @@ -502,7 +36,7 @@ To create a code integrity policy, copy each of the following commands into an e ` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt ` - > [!Notes] + > **Notes** > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. 
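Review bot: The hunk at @@ -20,473 +20,7 @@ reverts more than the block list content: besides removing the "Scripting and applications" section and its deny-rule policy XML, it replaces the two-line `> [!Note]` / `> Before you begin this procedure ...` form with the older inline `> **Note**  Before you begin ...` form, which is the style that PATCH 26/29 in this series just migrated away from. The @@ -502,7 +36,7 @@ hunk does the same, restoring `> **Notes**` in place of `> [!Notes]` (a keyword that already differed from the `[!Note]` used everywhere else in the series, so any re-application should use `> [!Note]`). If only the block list section is meant to go, consider reverting that section alone and keeping the alert-syntax conversions, or re-applying them in a follow-up so the document does not end up with two note styles.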
@@ -518,8 +52,7 @@ To create a code integrity policy, copy each of the following commands into an e After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security. -> [!Note] -> We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies). +> **Note**  We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies). We recommend that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the next section, [Audit code integrity policies](#audit-code-integrity-policies). 
@@ -527,8 +60,7 @@ We recommend that every code integrity policy be run in audit mode before being When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies. -> [!Note] -> Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format. +> **Note**  Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format. **To audit a code integrity policy with local policy:** 
@@ -536,7 +68,7 @@ When code integrity policies are run in audit mode, it allows administrators to 2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**. - > [!Note] + > **Notes** > - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a code integrity policy that allows viruses or malware to run. @@ -544,7 +76,7 @@ When code integrity policies are run in audit mode, it allows administrators to 3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. - > [!Note] + > **Notes** > - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access. 
@@ -592,8 +124,7 @@ Use the following procedure after you have been running a computer with a code i ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt` - > [!Note] - > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. + > **Note**  When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. 4. Find and review the Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following: 
@@ -603,8 +134,7 @@ Use the following procedure after you have been running a computer with a code i You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the next section, [Merge code integrity policies](#merge-code-integrity-policies). -> [!Note] -> You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. +> **Note**  You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. ## Use a code integrity policy to control specific plug-ins, add-ins, and modules 
@@ -636,8 +166,7 @@ New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy. -> [!Note] -> The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine. +> **Note**  The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine. To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session: 
@@ -653,8 +182,7 @@ To merge two code integrity policies, complete the following steps in an elevate ` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"` - > [!Note] - > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly. + > **Note**  The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly. 2. Use [Merge-CIPolicy](https://technet.microsoft.com/library/mt634485.aspx) to merge two policies and create a new code integrity policy: @@ -670,8 +198,7 @@ Now that you have created a new code integrity policy (for example, called **New Every code integrity policy is created with audit mode enabled. After you have successfully deployed and tested a code integrity policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session: -> [!Note] -> Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic. +> **Note**  Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic. 1. Initialize the variables that will be used: 
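Review bot: the visible variable line `$CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"` only produces a valid path if `$CIPolicyPath` already ends with a trailing backslash, which the note at this step does not say; using `Join-Path $CIPolicyPath "NewDeviceGuardPolicy.bin"` (or stating the trailing-backslash requirement in the note) would stop readers who set their own `$CIPolicyPath` from writing `DesktopNewDeviceGuardPolicy.bin` into the wrong directory. The same concatenation pattern appears in the later steps of this topic.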
@@ -683,8 +210,7 @@ Every code integrity policy is created with audit mode enabled. After you have s ` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"` - > [!Note] - > The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. + > **Note**  The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. 2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the code integrity policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options. 
@@ -702,8 +228,7 @@ Every code integrity policy is created with audit mode enabled. After you have s ` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete` - > [!Note] - > To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy. + > **Note**  To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy. 5. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the new code integrity policy to binary format: 
@@ -719,8 +244,7 @@ Signing code integrity policies by using an on-premises CA-generated certificate Before signing code integrity policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Code integrity policy rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-policy-rules) in "Deploy code integrity policies: policy rules and file rules." -> [!Note] -> Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers. +> **Note**  Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers. To sign a code integrity policy with SignTool.exe, you need the following components: 
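Review bot: the sample command in the unchanged paragraph reads `Set-RuleOption -FilePath -Option 9`, so `-FilePath` has no argument and PowerShell would reject it; the angle-bracket placeholder that belongs there was most likely swallowed as an HTML tag because it was not escaped or placed in backticks. Since this hunk already edits the adjacent note, fix the placeholder in the same change, e.g. `Set-RuleOption -FilePath <path to policy .xml> -Option 9` inside a code span, and consider adding that the effect of options 9 and 10 is to leave a pre-boot command prompt and audit-on-failure available, which is why the text says to remove them before enterprise deployment.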
@@ -740,8 +264,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` - > [!Note] - > This example uses the code integrity policy that you created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. + > **Note**  This example uses the code integrity policy that you created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. 2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md). 
@@ -755,9 +278,9 @@ If you do not have a code signing certificate, see the [Optional: Create a code ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` - > [!Note] - > *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. - Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code-integrity-policies-within-windows) section. + > **Notes**  *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. + + > Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code-integrity-policies-within-windows) section. 6. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to remove the unsigned policy rule option: 
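Review bot: splitting the note into two `>` blocks separated by an empty line produces two separate blockquotes, so the plural heading `**Notes**` now labels only the first sentence while the second (the point that update signers are what make the signed policy modifiable or removable later) stands alone with no label; keep a `>` on the blank line so both stay in one quote, or label each with `**Note**`. Separately, the command line above the note shows `-CertificatePath -Kernel` with nothing between them while the note refers to `*<Path to exported .cer certificate>*`; an unescaped `<...>` is dropped as an HTML tag in Markdown, so escape it or put it in a code span. The `–Update` switch also uses an en dash where the other parameters use an ASCII hyphen; normalize it so copy-pasted commands are consistent.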
@@ -771,8 +294,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` - > [!Note] - > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. + > **Note**  The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. 9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy). 
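Review bot: the signing command is shown as `` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin `` with no executable in front of it, and the note refers to a `*<Path to signtool.exe>*` placeholder that, unescaped, will not render; escape the angle brackets or use a code span so the path placeholder survives. Step 9 is titled "Validate the signed file" but gives no validation beyond the expected presence of DeviceGuardPolicy.bin.p7 on the desktop; either show the check the reader should perform or reword the step to "Confirm the output file", since the signed policy is what later gets deployed by Group Policy.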
@@ -790,8 +312,7 @@ If the code integrity policy was deployed by using Group Policy, the GPO that is Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed code integrity policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed code integrity policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps. -> [!Note] -> For reference, signed code integrity policies should be replaced and removed from the following locations: +> **Note**  For reference, signed code integrity policies should be replaced and removed from the following locations: - <EFI System Partition>\\Microsoft\\Boot\\ 
@@ -842,11 +363,9 @@ There may be a time when signed code integrity policies cause a boot failure. Be Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**. -> [!Note] -> This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic. +> **Note**  This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic. -> [!Note] -> Signed code integrity policies can cause boot failures when deployed. We recommend that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment. +> **Note**  Signed code integrity policies can cause boot failures when deployed. We recommend that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment. To deploy and manage a code integrity policy with Group Policy: 
@@ -874,15 +393,13 @@ To deploy and manage a code integrity policy with Group Policy: In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 5. - > [!Note] - > The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. + > **Note**  The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers. ![Group Policy called Deploy Code Integrity Policy](images/dg-fig26-enablecode.png) Figure 5. Enable the code integrity policy - > [!Note] - > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. 
Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. + > **Note**  You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository. 7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section. diff --git a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md index d122d6450b..3e922b1c6b 100644 --- a/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md 
@@ -25,21 +25,12 @@ This topic provides a roadmap for planning and getting started on the Device Gua 3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one code integrity policy for them. More variety across departments might mean you need to create and manage more code integrity policies. The following questions can help you clarify how many code integrity policies to create: - How standardized is the hardware?
      This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment. + - Is there already a list of accepted applications?
      A list of accepted applications can be used to help create a baseline code integrity policy.
      As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). + - What software does each department or role need? Should they be able to install and run other departments’ software?
      If multiple departments are allowed to run the same list of software, you might be able to merge several code integrity policies to simplify management. - Are there departments or roles where unique, restricted software is used?
      If one department needs to run an application that no other department is allowed, it might require a separate code integrity policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate code integrity policy. - - Is there already a list of accepted applications?
      A list of accepted applications can be used to help create a baseline code integrity policy.
      As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). - - - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts? - In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Device Guard code integrity policies. - You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker). - - Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass code integrity policies. For operational scenarios that require elevated security, certain applications with known Code Integrity bypass vulnerabilities may represent a security risk if you whitelist them in your code integrity policies. Other applications whose older versions have vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. Once applications with vulnerabilities are fixed, you can create a rule that only allows the fixed version or newer versions of that application. 
The decision to allow or block applications depends on the context and on how the reference system is being used. - - Security professionals collaborate with Microsoft® continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies. - Depending on the context, you may want to block these applications. To see the list of applications, and for use case examples such as disabling Windows Script Host (WSH) or disabling msbuild.exe, (See [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps)). - 4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files). ## Getting started on the deployment process
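Review bot: this hunk deletes the entire threat-review guidance from step 3 (the question about software that can load arbitrary DLLs or run code or scripts, the recommendation to deny or block applications with known Code Integrity bypass vulnerabilities until a fixed version can be allowed, the mention of the Device Guard with AppLocker combination, and the pointer to the list of known bypass applications with the WSH and msbuild.exe examples) without any replacement in the visible diff. The remaining questions cover only hardware standardization, accepted applications and departmental software, so the planning step no longer tells readers to identify applications that should be denied in the policy, which is the part of this topic with the most security impact. If that content has moved to another topic, add a one-line pointer here; otherwise restore the bullet. The reordering of "Is there already a list of accepted applications?" ahead of the departmental questions is fine on its own.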