From b5b2360aec9c39a0468dedf60f3dcd71f7b64f7e Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 10 Aug 2017 14:14:01 -0700 Subject: [PATCH 01/12] update proxy list --- ...xy-internet-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index ab5af4aee7..9710d5a35b 100644 --- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -82,8 +82,8 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec Service location | .Microsoft.com DNS record :---|:--- - US |```*.blob.core.windows.net```
```crl.microsoft.com```
```us.vortex-win.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` -Europe |```*.blob.core.windows.net```
```crl.microsoft.com```
```eu.vortex-win.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
+ US |```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```us.vortex-win.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` +Europe |```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```eu.vortex-win.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. From f5fc54060af7824ff380557920e1839009d5b6e9 Mon Sep 17 00:00:00 2001 From: Elizabeth Ross Date: Mon, 14 Aug 2017 20:07:04 +0000 Subject: [PATCH 02/12] Merged PR 2709: Updated to add Group Policy and clarify the registry steps --- .../block-untrusted-fonts-in-enterprise.md | 90 +++++++++++++------ 1 file changed, 63 insertions(+), 27 deletions(-) diff --git a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md index e854d43efb..ebec2a5082 100644 --- a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -8,10 +8,13 @@ ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library author: eross-msft +ms.author: lizross +ms.date: 08/14/2017 ms.localizationpriority: high --- # Block untrusted fonts in an enterprise + **Applies to:** - Windows 10 
@@ -46,19 +49,44 @@ After you turn this feature on, your employees might experience reduced function - Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office. ## Turn on and use the Blocking Untrusted Fonts feature +Use Group Policy or the registry to turn this feature on, off, or to use audit mode. + +**To turn on and use the Blocking Untrusted Fonts feature through Group Policy** +1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`. + +2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**: + + - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. + + - **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log. + + - **Log events without blocking untrusted fonts**. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts. + +3. Click **OK**. + +**To turn on and use the Blocking Untrusted Fonts feature through the registry** To turn this feature on, off, or to use audit mode: 1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`. 2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**. -3. Update the **Value data** of the **MitigationOptions** key, making sure you keep your existing value, like in the important note below: +3. Right click on the **MitigationOptions** key, and then click **Modify**. + + The **Edit QWORD (64-bit) Value** box opens. + +4. 
Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below: - **To turn this feature on.** Type **1000000000000**. - - **To turn this feature off.** Type **2000000000000**. - - **To audit with this feature.** Type **3000000000000**.

**Important**
Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.  -4. Restart your computer. + - **To turn this feature off.** Type **2000000000000**. + + - **To audit with this feature.** Type **3000000000000**. + + >[!Important] + >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.  + +4. Restart your computer. ## View the event log After you turn this feature on, or start using Audit mode, you can look at your event logs for details. @@ -68,27 +96,33 @@ After you turn this feature on, or start using Audit mode, you can look at your 1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**. 2. Scroll down to **EventID: 260** and review the relevant events. -

-**Event Example 1 - MS Word**
-WINWORD.EXE attempted loading a font that is restricted by font loading policy.
-FontType: Memory
-FontPath:
-Blocked: true

-**Note**
Because the **FontType** is *Memory*, there’s no associated **FontPath.** -

-**Event Example 2 - Winlogon**
-Winlogon.exe attempted loading a font that is restricted by font loading policy.
-FontType: File
-FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
-Blocked: true

-**Note**
Because the **FontType** is *File*, there’s also an associated **FontPath.** -

-**Event Example 3 - Internet Explorer running in Audit mode**
-Iexplore.exe attempted loading a font that is restricted by font loading policy.
-FontType: Memory
-FontPath:
-Blocked: false

-**Note**
In Audit mode, the problem is recorded, but the font isn’t blocked. + + **Event Example 1 - MS Word**
+ WINWORD.EXE attempted loading a font that is restricted by font-loading policy.
+ FontType: Memory
+ FontPath:
+ Blocked: true + + >[!NOTE] + >Because the **FontType** is *Memory*, there’s no associated **FontPath**. + + **Event Example 2 - Winlogon**
+ Winlogon.exe attempted loading a font that is restricted by font-loading policy.
+ FontType: File
+ FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
+ Blocked: true + + >[!NOTE] + >Because the **FontType** is *File*, there’s also an associated **FontPath**. + + **Event Example 3 - Internet Explorer running in Audit mode**
+ Iexplore.exe attempted loading a font that is restricted by font-loading policy.
+ FontType: Memory
+ FontPath:
+ Blocked: false + + >[!NOTE] + >In Audit mode, the problem is recorded, but the font isn’t blocked. ## Fix apps having problems because of blocked fonts Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems. @@ -101,12 +135,14 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa **To fix your apps by excluding processes** -1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`. Like, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. +1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`.

For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. -2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature). +2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic.   +## Related content +- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/)   From 514ce98df36e8e2f2803ffb098420da95b963903 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 14 Aug 2017 13:17:24 -0700 Subject: [PATCH 03/12] fix break --- ...ew-overview-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md index a36ea1a0a9..78c0d14437 100644 --- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -26,9 +26,9 @@ The **Machines list** shows a list of the machines in your network, the domain o Use the Machines list in these main scenarios: -- **During onboarding**
+- **During onboarding**
During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis. -- **Day-to-day work** +- **Day-to-day work**
The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them. ## Sort, filter, and download the list of machines from the Machines list From cf1019b14823a4a57485923fe6abdd4d4e23bba6 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 14 Aug 2017 22:05:59 +0000 Subject: [PATCH 04/12] Merged PR 2714: BitLocker CSP updated with ADMX-backed policies information --- .../client-management/mdm/bitlocker-csp.md | 303 ++++++++++++++++-- ...ew-in-windows-mdm-enrollment-management.md | 7 +- .../policy-configuration-service-provider.md | 26 +- .../mdm/policy-csp-bitlocker.md | 30 +- 4 files changed, 330 insertions(+), 36 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 82a438d517..979c1f9105 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/06/2017 +ms.date: 08/14/2017 --- # BitLocker CSP @@ -91,8 +91,38 @@ The following diagram shows the BitLocker configuration service provider in tree

Data type is integer. Supported operations are Add, Get, Replace, and Delete.

-**EncryptionMethodByDriveType** -

Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" (Policy EncryptionMethodWithXts_Name).

+**EncryptionMethodByDriveType** +

Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

@@ -140,7 +170,37 @@ The following diagram shows the BitLocker configuration service provider in tree

Data type is string. Supported operations are Add, Get, Replace, and Delete.

**SystemDrivesRequireStartupAuthentication** -

This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup" (ConfigureAdvancedStartup_Name ).

+

This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.

@@ -204,7 +264,37 @@ The following diagram shows the BitLocker configuration service provider in tree

Data type is string. Supported operations are Add, Get, Replace, and Delete.

**SystemDrivesMinimumPINLength** -

This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup" (GP MinimumPINLength_Name).

+

This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.

@@ -239,6 +329,36 @@ The following diagram shows the BitLocker configuration service provider in tree **SystemDrivesRecoveryMessage**

This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.

@@ -290,6 +410,36 @@ The following diagram shows the BitLocker configuration service provider in tree **SystemDrivesRecoveryOptions**

This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.

@@ -357,7 +507,37 @@ The following diagram shows the BitLocker configuration service provider in tree

Data type is string. Supported operations are Add, Get, Replace, and Delete.

**FixedDrivesRecoveryOptions** -

This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (FDVRecoveryUsage_Name).

+

This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.

@@ -427,6 +607,36 @@ The following diagram shows the BitLocker configuration service provider in tree **FixedDrivesRequireEncryption**

This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.

@@ -459,6 +669,36 @@ The following diagram shows the BitLocker configuration service provider in tree **RemovableDrivesRequireEncryption**

This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+ + +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

@@ -500,6 +740,31 @@ The following diagram shows the BitLocker configuration service provider in tree ``` +**AllowWarningForOtherDiskEncryption** + +

Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

+ +

The following list shows the supported values:

+ +- 0 – Disables the warning prompt. +- 1 (default) – Warning prompt allowed. + +

Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:

+ +``` syntax + + 110 + + + ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption + + + int + + 0 + + +``` ### SyncML example @@ -664,29 +929,3 @@ The following example is provided to show proper format and should not be taken ``` - -**AllowWarningForOtherDiskEncryption** - -

Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

- -

The following list shows the supported values:

- -- 0 – Disables the warning prompt. -- 1 (default) – Warning prompt allowed. - -

Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:

- -``` syntax - - 110 - - - ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption - - - int - - 0 - - -``` \ No newline at end of file diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 7d908c4910..b84fdaa3fa 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/11/2017 +ms.date: 08/14/2017 --- # What's new in MDM enrollment and management @@ -1364,6 +1364,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Provider/_ProviderID_/EnrollmentInfo
  • + +[BitLocker CSP](bitlocker-csp.md) +Added information to the ADMX-backed policies. + [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1709:

    @@ -1394,6 +1398,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
  • Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.

    +

    Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

    diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 23d468a09d..e8a815b1ca 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/04/2017 +ms.date: 08/14/2017 --- # Policy CSP @@ -338,6 +338,30 @@ The following diagram shows the Policy configuration service provider in tree fo
    Bitlocker/EncryptionMethod
    +
    + BitLocker/EncryptionMethodByDriveType in BitLocker CSP +
    +
    + BitLocker/FixedDrivesRecoveryOptions in BitLocker CSP +
    +
    + BitLocker/FixedDrivesRequireEncryption in BitLocker CSP +
    +
    + BitLocker/RemovableDrivesRequireEncryption in BitLocker CSP +
    +
    + BitLocker/SystemDrivesMinimumPINLength in BitLocker CSP +
    +
    + BitLocker/SystemDrivesRecoveryMessage in BitLocker CSP +
    +
    + BitLocker/SystemDrivesRecoveryOptions in BitLocker CSP +
    +
    + BitLocker/SystemDrivesRequireStartupAuthentication in BitLocker CSP +
    ### Bluetooth policies diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 70e825b78a..ea9430a79c 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -58,6 +58,33 @@ ms.date: 08/09/2017 - 6 - XTS-AES 128-bit (Desktop only) - 7 - XTS-AES 256-bit (Desktop only) +

    You can find the following policies in BitLocker CSP: +

    +
    + BitLocker/EncryptionMethodByDriveType +
    +
    + BitLocker/FixedDrivesRecoveryOptions +
    +
    + BitLocker/FixedDrivesRequireEncryption +
    +
    + BitLocker/RemovableDrivesRequireEncryption +
    +
    + BitLocker/SystemDrivesMinimumPINLength +
    +
    + BitLocker/SystemDrivesRecoveryMessage +
    +
    + BitLocker/SystemDrivesRecoveryOptions +
    +
    + BitLocker/SystemDrivesRequireStartupAuthentication +
    +

    @@ -68,5 +95,4 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - - + \ No newline at end of file From 75a66e2e07867f3e6e7b39a663337cd3c71ed5db Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 16 Aug 2017 02:07:45 +0000 Subject: [PATCH 05/12] Merged PR 2729: Added update compliance mechanics video --- windows/deployment/update/update-compliance-monitor.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 1be2149594..2619584ebd 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -33,6 +33,8 @@ See the following topics in this guide for detailed information about configurin - [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment. - [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance. + + An overview of the processes used by the Update Compliance solution is provided below. ## Update Compliance architecture From c972759213d65dddc376b141880346ca07b1dcb5 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 16 Aug 2017 02:14:17 +0000 Subject: [PATCH 06/12] Merged PR 2730: Fixing typos as suggested by Martin Solis --- .../hello-for-business/hello-planning-guide.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-planning-guide.md b/windows/access-protection/hello-for-business/hello-planning-guide.md index 84a8935184..104805b446 100644 --- a/windows/access-protection/hello-for-business/hello-planning-guide.md +++ b/windows/access-protection/hello-for-business/hello-planning-guide.md 
@@ -127,11 +127,11 @@ Hybrid and on-premises deployments include Active Directory as part of their inf ### Public Key Infrastructure -The Windows Hello for Business deployment depends on an enterprise public key infrastructure a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller is a legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources. +The Windows Hello for Business deployment depends on an enterprise public key infrastructure a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources. ### Cloud -Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements can may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiate the components that are needed from the those that are optional. +Some deployment combinations require an Azure account and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. 
The planning process identifies and differentiate the components that are needed from the those that are optional. ## Planning a Deployment @@ -188,7 +188,7 @@ If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet. -If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusive uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user’s credential remain on the on-premises network. +If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user’s credential remain on the on-premises network. ### Multifactor Authentication 
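Review bot: the replaced line in the @@ -188,7 +188,7 hunk fixes "exclusive" but still ends with "while the user’s credential remain on the on-premises network". Since the line is already being rewritten, change it to "credentials remain" (or "credential remains") in the same pass.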
@@ -204,13 +204,13 @@ If box **1a** on your planning worksheet reads **hybrid**, then you have a few o You can directly use the Azure MFA cloud service for the second factor of authentication. Users contacting the service must authenticate to Azure prior to using the service. -If your Azure AD Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Azure AD Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Azure Active and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet. +If your Azure AD Connect is configured to synchronize identities (usernames only), then your users are redirected to your local on-premises federation server for authentication and then redirected back to the Azure MFA cloud service. Otherwise, your Azure AD Connect is configured to synchronize credentials (username and passwords), which enables your users to authenticate to Azure Active Directory and use the Azure MFA cloud service. If you choose to use the Azure MFA cloud service directly, write **Azure MFA** in box **1f** on your planning worksheet. You can configure your on-premises Windows Server 2016 AD FS role to use the Azure MFA service adapter. In this configuration, users are redirected to the on premises AD FS server (synchronizing identities only). The AD FS server uses the MFA adapter to communicate to the Azure MFA service to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA cloud service adapter, write **AD FS with Azure MFA cloud adapter** in box **1f** on your planning worksheet. Alternatively, you can use AD FS with an on-premises Azure MFA server adapter. 
Rather than AD FS communicating directly with the Azure MFA cloud service, it communicates with an on-premises AD FS server that synchronizes user information with the on-premises Active Directory. The Azure MFA server communicates with Azure MFA cloud services to perform the second factor of authentication. If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with Azure MFA server adapter** in box **1f** on your planning worksheet. -The last option is for you to use AD FS with a third-party adapter to as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet. +The last option is for you to use AD FS with a third-party adapter as the second factor of authentication. If you choose to use AD FS with a third-party MFA adapter, write **AD FS with third party** in box **1f** on your planning worksheet. If box **1a** on your planning worksheet reads **on-premises**, then you have two second factor authentication options. You must use Windows Server 2016 AD FS with your choice of the on-premises Azure MFA server or with a third-party MFA adapter. @@ -261,7 +261,7 @@ Review the trust type portion of this section if box **4d** on your planning wor ### Public Key Infrastructure -Public key infrastructure prerequisites already exist on your planning worksheet. These conditions are the minimum requirements for any hybrid our on-premises deployment. Additional conditions may be needed based on your trust type. +Public key infrastructure prerequisites already exist in your planning worksheet. These conditions are the minimum requirements for any hybrid or on-premises deployment. Additional conditions may be needed based on your trust type. If box **1a** on your planning worksheet reads **cloud only**, ignore the public key infrastructure section of your planning worksheet. Cloud only deployments do not use a public key infrastructure. 
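Review bot: the unchanged paragraph in the -204,13 hunk that begins "Alternatively, you can use AD FS with an on-premises Azure MFA server adapter" says AD FS "communicates with an on-premises AD FS server that synchronizes user information", which looks like it should name the on-premises Azure MFA server, as the following sentence does. This patch is already correcting wording in the neighbouring paragraphs, so fix that sentence too. The added line also mixes number in "(username and passwords)", and the same region keeps "on premises AD FS server" without the hyphen.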
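Review bot: the added line in the -261,7 hunk changes "on your planning worksheet" to "in your planning worksheet", while every other sentence visible in this patch, including the next context line, keeps "on your planning worksheet". Keep "on" for consistency and retain only the "our" to "or" fix.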
From 0ae7fac68cd7aff3af28a3b58b09bbcd8419e914 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 16 Aug 2017 14:13:40 +0000 Subject: [PATCH 07/12] Merged PR 2731: Clean up Client Management TOC and index --- .openpublishing.redirection.json | 2 +- windows/client-management/TOC.md | 1 + windows/client-management/index.md | 14 +++++++------- 3 files changed, 9 insertions(+), 8 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index e115963c4d..9ee61b0ad6 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -7647,7 +7647,7 @@ }, { "source_path": "windows/manage/manage-corporate-devices.md", -"redirect_url": "/windows/client-management/manage-corporate-devices", +"redirect_url": "/windows/client-management/index", "redirect_document_id": true }, { diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index 40c24a2981..ffe541cc15 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -7,6 +7,7 @@ ## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) ## [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) ## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) +## [Transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md) ## [Windows libraries](windows-libraries.md) ## [Mobile device management for solution providers](mdm/index.md) diff --git a/windows/client-management/index.md b/windows/client-management/index.md index 68debeba89..fa02e99977 100644 --- a/windows/client-management/index.md +++ b/windows/client-management/index.md 
@@ -18,15 +18,15 @@ Learn about the administrative tools, tasks and best practices for managing Wind | Topic | Description | |---|---| |[Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)| Links to documentation for tools for IT pros and advanced users in the Administrative Tools folder.| -|[Connect to remote AADJ PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote PC joined to Azure Active Directory (Azure AD)| -|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions| -|[Join Windows 10 Mobile to AAD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.| -|[Manage corporate devices](manage-corporate-devices.md)| Listing of resources to manage all your corporate devices running Windows 10 : desktops, laptops, tablets, and phones | -|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs| -|[Mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.| +|[Create mandatory user profiles](mandatory-user-profile.md)| Instructions for managing settings commonly defined in a mandatory profiles, including (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.| +|[Connect to remote Azure Active Directory-joined PCs](connect-to-remote-aadj-pc.md)| Instructions for connecting to a remote 
PC joined to Azure Active Directory (Azure AD)| +|[Join Windows 10 Mobile to Azure AD](join-windows-10-mobile-to-azure-active-directory.md)| Describes the considerations and options for using Windows 10 Mobile with Azure AD in your organization.| |[New policies for Windows 10](new-policies-for-windows-10.md)| Listing of new group policy settings available in Windows 10| +|[Group policies for enterprise and education editions](group-policies-for-enterprise-and-education-editions.md)| Listing of all group policy settings that apply specifically to Windows 10 Enterprise and Education editions| +| [Manage the Settings app with Group Policy](manage-settings-app-with-group-policy.md) | Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. | |[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options| -|[Deploy Windows 10 Mobile](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile| +|[Transitioning to modern ITPro management](manage-windows-10-in-your-organization-modern-management.md)| Describes modern Windows 10 ITPro management scenarios across traditional, hybrid and cloud-based enterprise needs| +|[Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile| |[Windows libraries](windows-libraries.md)| Considerations and instructions for managing Windows 10 libraries such as My Documents, My Pictures, and My Music.| |[Mobile device management for solution providers](mdm/index.md) | Procedural and reference documentation for solution providers providing mobile device management (MDM) for Windows 10 devices. 
| |[Change history for Client management](change-history-for-client-management.md) | This topic lists new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. | \ No newline at end of file From bdd14ed8332bb3d790bd93db594e7587ce813d76 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 16 Aug 2017 17:13:56 +0000 Subject: [PATCH 08/12] Merged PR 2732: Made changes to PS script per customer suggestion --- .../appendix-a-powershell-scripts-for-surface-hub.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index 85672ae9d4..308ce30051 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -1,6 +1,6 @@ --- title: PowerShell for Surface Hub (Surface Hub) -description: PowerShell scripts to help set up and manage your Microsoft Surface Hub . +description: PowerShell scripts to help set up and manage your Microsoft Surface Hub. ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784 keywords: PowerShell, set up Surface Hub, manage Surface Hub ms.prod: w10 @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 06/19/2017 +ms.date: 08/16/2017 ms.localizationpriority: medium --- @@ -465,7 +465,7 @@ PrintAction "Configuring password not to expire..." Start-Sleep -s 20 try { - Set-AdUser $mailbox.Alias -PasswordNeverExpires $true -Enabled $true + Set-AdUser $mailbox.UserPrincipalName -PasswordNeverExpires $true -Enabled $true } catch { @@ -1243,7 +1243,7 @@ if (!$fExIsOnline) } -$strAlias = $mailbox.Alias +$strAlias = $mailbox.UserPrincipalName $strDisplayName = $mailbox.DisplayName $strLinkedAccount = $strLinkedDomain = $strLinkedUser = $strLinkedServer = $null 
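Review bot: in the -1243,7 hunk `$strAlias` is now assigned `$mailbox.UserPrincipalName`, so a variable named for the alias holds a UPN for the rest of the script. Either rename it and update its uses, or keep `$strAlias = $mailbox.Alias` and introduce a separate variable for the directory lookup, so that any later code or message that prints or matches on the alias does not silently receive a user@domain value instead.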
@@ -1424,7 +1424,7 @@ if ($fHasOnPrem) else { #AD User enabled validation - $accountOnPrem = Get-AdUser $strAlias -properties PasswordNeverExpires -WarningAction SilentlyContinue -ErrorAction SilentlyContinue + $accountOnPrem = Get-AdUser $mailbox.UserPrincipalName -properties PasswordNeverExpires -WarningAction SilentlyContinue -ErrorAction SilentlyContinue } $strOnPremUpn = $accountOnPrem.UserPrincipalName Validate -Test "There is a user account for $strOnPremUpn" -Condition ($accountOnprem -ne $null) -FailureMsg "Could not find an Active Directory account for this user" From 2a15c969728d8b5598d69f2e722edd52ca44b745 Mon Sep 17 00:00:00 2001 From: John Tobin Date: Wed, 16 Aug 2017 11:44:53 -0700 Subject: [PATCH 09/12] Edit TPM topic for formatting and text. --- ...orm-module-services-group-policy-settings.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md index 8203714148..4ab3894c38 100644 --- a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md @@ -1,6 +1,6 @@ --- title: TPM Group Policy settings (Windows 10) -description: This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. +description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd ms.prod: w10 ms.mktglfcycl: deploy 
@@ -15,20 +15,25 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -This topic for the IT professional describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. +This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. -The TPM Services Group Policy settings are located at: +The Group Policy settings for TPM services are located at: **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** -### Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0 +## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0 -Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if: a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607, and b) the System has a TPM 2.0. +Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. + +> [!IMPORTANT] +> Setting this policy will take effect only if: +- The TPM was originally prepared using a version of Windows after Windows 10 Version 1607 +- The system has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). 
Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to: a) disable it from group policy and b) clear the TPM on the system. -**The following Group Policy settings were introduced in Window 10:** +The following Group Policy settings were introduced in Window 10: ### Configure the list of blocked TPM commands From 5b6cf8c46af456840eeb295c52de7343886c6d60 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 16 Aug 2017 18:48:18 +0000 Subject: [PATCH 10/12] Merged PR 2740: ExploitGuard policy - new in Policy CSP --- windows/client-management/mdm/TOC.md | 1 + ...ew-in-windows-mdm-enrollment-management.md | 2 + .../policy-configuration-service-provider.md | 8 +++ .../mdm/policy-csp-exploitguard.md | 58 +++++++++++++++++++ 4 files changed, 69 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-exploitguard.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 406f309f85..2d6046fef1 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -200,6 +200,7 @@ #### [ErrorReporting](policy-csp-errorreporting.md) #### [EventLogService](policy-csp-eventlogservice.md) #### [Experience](policy-csp-experience.md) +#### [ExploitGuard](policy-csp-exploitguard.md) #### [Games](policy-csp-games.md) #### [InternetExplorer](policy-csp-internetexplorer.md) #### [Kerberos](policy-csp-kerberos.md) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index b84fdaa3fa..c2218a1fab 100644 
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -982,6 +982,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • DeviceGuard/EnableVirtualizationBasedSecurity
  • DeviceGuard/RequirePlatformSecurityFeatures
  • DeviceGuard/LsaCfgFlags
  • +
  • ExploitGuard/ExploitProtectionSettings
  • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
  • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
  • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
  • @@ -1372,6 +1373,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1709:

      +
    • ExploitGuard/ExploitProtectionSettings
    • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
    • LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
    • LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
    • diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index e8a815b1ca..017e7eb94f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1002,6 +1002,14 @@ The following diagram shows the Policy configuration service provider in tree fo +### ExploitGuard policies + +
      +
      + ExploitGuard/ExploitProtectionSettings +
      +
      + ### Games policies
      diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md new file mode 100644 index 0000000000..cf06c60c3e --- /dev/null +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -0,0 +1,58 @@ +--- +title: Policy CSP - ExploitGuard +description: Policy CSP - ExploitGuard +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 08/11/2017 +--- + +# Policy CSP - ExploitGuard + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +**ExploitGuard/ExploitProtectionSettings** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark3check mark3check mark3check mark3check mark3cross markcross mark
      + + + +

      Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. + +

      The system settings require a reboot; the application settings do not require a reboot. + + + +


      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. + + \ No newline at end of file From 18fea0d3b8495628e89c7c6247a264cc3b037c4f Mon Sep 17 00:00:00 2001 From: John Tobin Date: Wed, 16 Aug 2017 14:29:40 -0700 Subject: [PATCH 11/12] Topic re-org. Change H3 headings to H2 --- ...m-module-services-group-policy-settings.md | 41 ++++++++++--------- 1 file changed, 22 insertions(+), 19 deletions(-) diff --git a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md index 4ab3894c38..a666d3e71e 100644 --- a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md 
@@ -21,21 +21,9 @@ The Group Policy settings for TPM services are located at: **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** -## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0 - -Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. - -> [!IMPORTANT] -> Setting this policy will take effect only if: -- The TPM was originally prepared using a version of Windows after Windows 10 Version 1607 -- The system has a TPM 2.0. - -Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to: -a) disable it from group policy and b) clear the TPM on the system. - The following Group Policy settings were introduced in Window 10: -### Configure the list of blocked TPM commands +## Configure the list of blocked TPM commands This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows. 
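Review bot: the context line kept by the -21,21 hunk, "The following Group Policy settings were introduced in Window 10:", has "Window" for "Windows", and once the sections below are promoted to H2 and the version 1703 setting is moved to the end of the topic, the sentence no longer scopes a distinct group of settings. Fix the typo and either drop the sentence or reword it so it introduces the whole list.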
@@ -53,7 +41,7 @@ For information how to enforce or ignore the default and local lists of blocked - [Ignore the local list of blocked TPM commands](#ignore-the-local-list-of-blocked-tpm-commands) -### Ignore the default list of blocked TPM commands +## Ignore the default list of blocked TPM commands This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. @@ -63,7 +51,7 @@ If you enable this policy setting, the Windows operating system will ignore the If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands. -### Ignore the local list of blocked TPM commands +## Ignore the local list of blocked TPM commands This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. @@ -73,7 +61,7 @@ If you enable this policy setting, the Windows operating system will ignore the If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands. -### Configure the level of TPM owner authorization information available to the operating system +## Configure the level of TPM owner authorization information available to the operating system This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information that is stored locally, the Windows operating system and TPM-based applications can perform certain actions in the TPM that require TPM owner authorization without requiring the user to enter the TPM owner password. 
@@ -111,7 +99,7 @@ If you enable this policy setting, the Windows operating system will store the T If you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry. -### Standard User Lockout Duration +## Standard User Lockout Duration This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, a standard user is prevented from sending commands that require authorization to the TPM. 
@@ -130,7 +118,7 @@ An administrator with the TPM owner password can fully reset the TPM's hardware If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used. -### Standard User Individual Lockout Threshold +## Standard User Individual Lockout Threshold This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). This value is the maximum number of authorization failures that each standard user can have before the user is not allowed to send commands that require authorization to the TPM. If the number of authorization failures for the user within the duration that is set for the **Standard User Lockout Duration** policy setting equals this value, the standard user is prevented from sending commands that require authorization to the Trusted Platform Module (TPM). @@ -142,7 +130,7 @@ An administrator with the TPM owner password can fully reset the TPM's hardware If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. -### Standard User Total Lockout Threshold +## Standard User Total Lockout Threshold This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration that is set for the **Standard User Lockout Duration** policy equals this value, all standard users are prevented from sending commands that require authorization to the Trusted Platform Module (TPM). 
@@ -161,6 +149,21 @@ If you enable this policy setting, TPM owner information will be automatically a If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS. +## Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0 + +Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. + +> [!IMPORTANT] +> Setting this policy will take effect only if: +- The TPM was originally prepared using a version of Windows after Windows 10 Version 1607 +- The system has a TPM 2.0. + +> [!NOTE] +> Enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only ways for the disabled setting of this policy to take effect on a system where it was once enabled are to either: +> - Disable it from group policy +> - Clear the TPM on the system + + ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) From 12e1fd6b559998e51ea41814c7526e4488223900 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 16 Aug 2017 23:33:57 +0000 Subject: [PATCH 12/12] Merged PR 2746: Update information about Narrator --- .../surface-hub/accessibility-surface-hub.md | 14 ++++++++++++-- .../surface-hub/change-history-surface-hub.md | 9 ++++++++- devices/surface-hub/images/ease-of-access.png | Bin 0 -> 47511 bytes 3 files changed, 20 insertions(+), 3 deletions(-) create mode 100644 devices/surface-hub/images/ease-of-access.png 
diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md index 82d3fea1ab..193a5d5235 100644 --- a/devices/surface-hub/accessibility-surface-hub.md +++ b/devices/surface-hub/accessibility-surface-hub.md @@ -9,7 +9,7 @@ ms.pagetype: surfacehub ms.sitesec: library author: jdeckerms ms.author: jdecker -ms.date: 06/19/2017 +ms.date: 08/17/2017 ms.localizationpriority: medium --- @@ -24,7 +24,6 @@ The full list of accessibility settings are available to IT admins in the **Sett | Accessibility feature | Default settings | | --------------------- | ----------------- | -| Narrator | Off | | Magnifier | Off | | High contrast | No theme selected | | Closed captions | Defaults selected for Font and Background and window | @@ -32,6 +31,17 @@ The full list of accessibility settings are available to IT admins in the **Sett | Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. | | Other options | Defaults selected for **Visual options** and **Touch feedback**. | +The accessibility feature Narrator is not available in the **Settings** app. By default, Narrator is turned off. To change the default settings for Narrator, perform the following steps using a keyboard and mouse. + +1. Dismiss the Welcome screen. +2. Open **Quick Actions** > **Ease of Access** from the status bar. + + ![Screenshot of Ease of Access tile](images/ease-of-access.png) + +3. Turn Narrator on. +4. Click **Task Switcher**. +5. Select **Narrator Settings** from Task Switcher. You can now edit the default Narrator settings. + Additionally, these accessibility features and apps are returned to default settings when users press [End session](finishing-your-surface-hub-meeting.md): - Narrator - Magnifier diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 851d7d7624..60353013ed 100644 --- a/devices/surface-hub/change-history-surface-hub.md 
+++ b/devices/surface-hub/change-history-surface-hub.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: surfacehub author: jdeckerms ms.author: jdecker -ms.date: 06/19/2017 +ms.date: 08/17/2017 ms.localizationpriority: medium --- @@ -16,6 +16,13 @@ ms.localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## August 2017 + +New or changed topic | Description +--- | --- +[Accessibility](accessibility-surface-hub.md) | Added information about Narrator + + ## July 2017 | New or changed topic | Description | 
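Review bot: the new August 2017 table in the -16,6 hunk is written without leading and trailing pipes ("New or changed topic | Description"), while the July 2017 table directly below uses them ("| New or changed topic | Description |"). Match the existing table style. The hunk's first context line also shows a stray space inside the link target, "[Surface Hub Admin Guide]( surface-hub-administrators-guide.md)", which could be removed here.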
diff --git a/devices/surface-hub/images/ease-of-access.png b/devices/surface-hub/images/ease-of-access.png new file mode 100644 index 0000000000000000000000000000000000000000..2cb79254f8ce1b7c2a86404206546fcd5ca06e55 GIT binary patch literal 47511
z5|y=vAwAWOP(UVyZ!6?}!$lmJER`CCp@2qXR1%2O7?X(gkj8yh=N`hA325NGuQ#`c z;qUX2M9c^f+Z|?W>PGko9dv=KNau-$k+2>h3X@j$hMi z9{@3CFb4Y{Ak)E+aj`%xOM9-Rgx~r?$b)d%QOtY-UQr@ceqVX;O8(R~>n#`rK|9GynT#(V9JoI75yYNZVJ{Oaa z8nW9FfXCIA(kDX?;(`=?w1b2RiC5YHLowoa5+x7}M-743ovn8-@tc|C{Q83+TaaQ# z`)fn)X zMQ=%YRLVaR>5oLN;{#(kq#jCcaSM z6rKMFy66c30e$*&G$4GHYGW`J8qd_kJ|s`%p6-+PnR{EV= zhl;7ZEY+otg;T{QIT09>Ld|d_PeACkzp`-kVna^eJuCAc_ z!*7LO#~Jf*YKW?O8x&K7<*^GyezjXa_rsUFs~_MG4U|f^!U(R zPH9}@KO4G@*#+#2wAuyOP%`T+s{(% z+Sm24o3OL$tFNYV22yTtFv{@#_Jmg!kTri_^3HZ56WC@}CJ9yV$bz`|0rv@Xvl(=e zMD-S4G!?1`00(AsEsRYuVX&eO3s*=h%gaO;recFHw1=%NEwaU>m0TS2l7gBI_>`ey5DJ^tq4d5bryd0BE z*WoPIj&+}y<)74wA#LhtrRIi0<(Xz_EsW;55Q{1pn@aiOjFFULj4_ihn45rLlzOSf+* zApkdl#32x=$4ayq#9Z~*ZpHMtq<$0R4JkNQK)yXJ-Fzv6^eM*#27bG(Auj+@K#_x; zBS9&U`o+xet5PUAbi%M6bKX38^{Gj~yF=V)c+czEiEJ^i)O2t0!}+lL!7y^Ti6GLPNDzR&6X<~f}bwJ@(g?o&yH8VF)AuT;GUSR(7fLVJt zvGvH{DB@!kcPh*CWq!z@z;0nMAvqa~TnC3vjY)%}SL;m+r5b96Rh@?>83n#?ZFz)M zw)z91iZQnhd*wTuVMr9^xI>&JKOdiiBg!9~Ql_CBQVp{3OX5NU68ylMQXT%PlF^$+ z(MUCn-fSBN80YlIKO(Xi@fvFh1${f+p}`ISO+ps+!1sH!RFO1k)`Jp@j+Wc$*GEM3 zXiPF9%1`YMbF{`}G&tzFb1N%V4RkoT;@;yVNn%ye>8=lp@!~;5Z%vLp0YE^HZ%y}) zF*LIE>LhFkWmb{~)D$1LKkmQyhE_7}q=^(4flV8)P>@7c=D3Y$+KAjWI8z>6XDx>> zgNg+kBI`{OHXa3&s1K^5$&B3uxynqviLI8Q*5gj#q%<}% zDno`Pc%vF;T9lDqEE99;zh5zGfReU@7yz--l~AQ63L!||yChifQO$1b_fh_omp8ne zI{HrWr8>xkkP&v?zA*A(OhLSPNzXX^3P|~DUI6>xE3k~Sn|5Zx4=|za&@{B5v{t>g|ARCQ5wl>>!?%O|5O#t2>%w z9x8+`bqt7#??4}(*0~eyKkS9gn-2lu-?v* zB_8^n&3?a`f=t!5Z9dlf^(6dl6ben-`m>8m!hV$2zuU)3TKWwl$RnuEYpse+iraVP zKt$`v0oxSUrjqqkM0dbczz?b|r0EKTjV7 zKY$T1g1%pO706?~EuF>XXK2o+qs+yX5#0aTqNPlZoEGadQz&76$Gd5!-38ca?k#ij z=L9WYM7n5L5#vL21I2f3Utj8=G9Rw@$L(^-Hc<)kG$dYbUahEX95x}`e$UH2F3CcM z^E8?LXa|cXULwOOsYm z8KtJQ9j5k&#!(cq3g)Zu!C()D*)~$3WW)@c{`3wVKi~fvU?}1%>Ozi-V=k!z_S04* z{^kwHq)3I0Mb}cO4+$bGa-$+!gB*i-sLZ}&RdyH0^x1+xh@Sfc zRnU18N^`1F8b3wK4GKEwa19;5HM#|E0E1^>1__CG+)K55nVHnNNx5D04IXK>rmdU^ zGaR4wCXkNNP>qs4$&H(QDjqq_Fpk}$e7o)YRNNj^t+qaLUT@m>SaEs*XLm;<~2H6TVG2U0Ka*)6cU=nDrP^s 
zHufXE!c)HhKVP}TK{E5y2cR3Oh4jrsZuNVwvtB8$hkexNQ~j@SS~VV;(yur5-&{(l z?p>v>R~@2%I^ed}+dLjCNU(P7>Aj*aNfF7cc3*+tvNT*Wj^{sCBlMwSOzlR|?WM|K z;ld8Ye-3NMO-*ByR#W}(quukBclr~wmn6U={{^-8z@H#(jy0v|32=yb6aN9Hb$UxI zn>X{CMuKBWAM#w9<7R-&Q9e)8-@LIB=lIe~YsdDn@|0qTODbi2f+Bw0b#>>L2#-scmW zd=~U9Axw%F9dz(N64@eMR|sIh#P8V04f!)^&cCrd_<3@8+1P!0i)8mx>e|OyM#ifc znK1x8Da6hNt|Qy^J$biSXUHWVgpCgKidN4=XYt#;7=IkrB}yv%i27wl)ehOC>I&6c zDi5^}x&=}$e>Z{m$0q2NY`IKDNX0NkYu55T2e=>s;#jTSIoNiN~d?A2>Bo5))#582$*f8a^ z7x>I8Jq!c^KAB7xLm260*L%EE0LvpWQd&4ZgF zsDGg_^Ne;zTck5+&%EFal$T6a(nU-Ge2=ZEZMO55EG}Ypru*7oWzab=KoczhgcNgt zYE%9`E(pS2i2_v{Fn*2Pi+nG!{7l$XBB{|E5|58H0JejD5pogq6_|NJAv{hc2BHt! z5wBPhA{@RZh22L76rX=U85{aaYi)Q5b?-!z9n({z=`|rA3a5II|JFmGJgLvJr+Sd?>2=gf4VRswJ=dBVOX z`rV26ac^{;XZWH9^^_5%?@4C0?t_dN5K+ceY~g_Nw}q@CB3H}4V4gG2Uw5Xk2EO2AEQ_?iH8sxNzDZ$z6 zO+Vh0y#l(i%~Q)GY9mOz`Y1mPWX%s(@$Ll_8d9(NW$n9HP}_cMm)USBd1AC~J#F6W zavY_?8-OpPHYwL7)=MMN+I|YiIpA1A4QPc?wkWye%g!?tf>}SkfK4 znr)-}5eya7ISdP^zZFNTvWbP$M+oeoNf1Fb#Q{P~m7tbvEveM|Fjf^{4Rvpf3^S1W zxP9I{`Bu;*12$1AnT#o9k&hn%jv;(y#E@~@$eD&`7sol5mb&5?rV=a1a6k&~dOhwJ z0)jhJPHZmacYG!k24NnJ7P&B`3To#$I%l66f87*i3$11So<$$3gsWkcbdV5LieOZxApSNkF`sH8?`daBcC`>ADv0;IkxvZWr!r6tRI&+dWI=R zfl2u+uG?449$=~y^I(bCB7RRAww+?Ej=_@4A&qJAW7V;GTTok)q)x_CQ_CECj#0IJ zCKytHlCGU8XO8-AG8OYn+6_ueG8-R*`SUJu-Ps5OAxt#Cv2!3jmB`PGvbGkAd3z2J zC8}aCGiUl|ZatclW~QG640+Qqh?+kcE{1$h6XGzaEB@AGzio?5(smA9qUb#yGJ0f( z9fyiGoJyMRm`ysrQCsL|~9$cAzf)1J6o`);;c_rb?r3aLVgi?}`Q z#DdeLE~fV^e)tTy5XVwwxONNlb}}4S7k+{#IbO*7Wu)7qptF4;y5+m2(t4WEYshhe)NlI3=`eIn- zk_eGDOSBmTRNq&reTBa%2&hl0y_~ddQ+7;#zLPCR&)O(aV@kI41*;oaMf2B_=Hnqd zVyawPRDy)6wyD1h(gwLeMPo6Fc6y(FWthEP5&Xpupzt&*_}dLn98gbxdtYL?bUi-` zt8{CXXTwQDE!#S+>^v318k3}|bj;_HAso5`95Q3`JUwmrLmn_Acx;r`lK{B{e?N{Z-CVa)BFYzdVjv&EmIj z#rzZodZtw6-w{QIAmsWasEi9jK}2ls?Hp^BdXdqm-CE zFXc$77E(_RC$M#X?3Q7{lJf}Lkc^P1z(BzB@IMoa`@LYZ{B6QSsY&r~4@k{p=ZKa^ zq#P=f*5t@1()gsKJ$x{ts=daDPQlWNFrb4fkYZH_HEw__5iFEMvc04s*q(ob?)R9# ztZ;W@B(HicMx3|c3 z$SBa~7?lBK)WovCspL^fMpw=oGdC&%jF4eQ`h!j|!Mgsb5&A7^nU(SY9&{6AgA`?? 
zj8O+VWx6}(exfg5rt31Ca&=@1rX9xQ*`2gZk&kl}ayJifUUz}fMj+QW6Wx|YA%WNW z=ukiQNhLznH+_}t=#fd{k5U`U$=R{=Lo*Ww*W|Bx7mm@dRtHV_Gg$)KMYPtAY{CyG z_8utSvN5gznMbky++2@IJ;?edmU{#bZ;ly_b1I(C3f@u$r9wRYBPEC06y7y;x<(^P?QIN~<{{^MBT~f>fnP5->%m;SY;p%4Kqs#QF*A|=g60}w zX)A*F2<9ysNLP)cxgQbQMMEBMwhcZiAPgW;q&&*kNrO@)S}8~=SQ$20(_-;}oQxb~MXy4xk73JQ=qZgl3W;e7TXTmKo#T#5 zRDcet#IQC&G0EJ!o1RE|XA?4GV?U`y5#dkcNvX`DhKAufayZp%%sQ-(;iqCAYOAEP zzA=D1U1Bd3@~&_xk}{ho?IL+=5QUMv#|wEYR^bt2c}diPH|`p%PJZ@DF}lF!M>7gn zin{kIwQ{`%S~Yd*;x2FcG^`>AX$-o!RYaIS->{rIANw1efy9>OQ)8o;)?IRdvoU(h zW|B;=XBf+0&~DRgXyag^v@d{lKx7LK9rTm8!n4M8>}4_VBFX8fN+$znA6LL&`z(ltxzJJRjvWcctMCqkSwV>j z!9#SUFKR0IAz!l1{a(?>idGCgixH$J|m;&jNIlmls)bL~<%_gvg$W@WcR=12Cvx3*anTCy4>(!l;_ zcghZAr82J1Tm@;mE(wu46>(n-6j}NWYZm`~l^OEBlQTYW*lU_-h|gm9OjbAVWz~-X zQI{$%ZnH_$`vcm6sNU3+_UBLu&oxXSm?P-rg9s%-xvZ6}L>xxd=||2oaiKo5UT`gP zBl@{CItQ6YwX@&rZ#;)XMfLvlh%6CRvL*&5AljFg_B{1u)mrJb{@l@HrqwJkCOqaK zEtLXQ#4Xig*=6Z0X;MI(E=fKGotXpy!g4v_E^tO`kNw~J4IMCp>&hROXkMI{dLL`$ zmWofm*P7uRuu6Dqn*WIo!mg19MO8hvRy*03zie8qZObB;n|mvtl$V8CaccAT!ihV~ z7L{ie&R?&X{t15pNB}oLLPDnSNhJadg|YJv@1v16zdAXd!}@F(cR-E;S^zFzivyq@ zt*pNuJimG=eE4#kK5^l>Yy3&wnZuy5sOh@&7h%4^u6J9=--DY>d zYZ2VR@~j=`SS7KN(VT8Pui}Oei{0XJQ@lIQRQOu|zpQ=l*=!vhcw`e-n()K(tqnb8!XOubB4rrmldw6!68ee%;ehVz@g_q zzbQzCVU)0$2Pzk6B=dklguTTNnvmOX^D%F6n2ViAagZM1Uw85DMvYR@$<$($pb(m`tzEK0w6$5l^!e& zfeMZt-oaHV-i z;e*Dfi8UC!k8RTeThA>E>STa=3G_fz^0ByaH3F*2q;H7dz=M=HM^zV*HXK(C!=#+n zYtI?r8+!qzJivt<0MJSB-KssHZR&yTqpb)Z>{B|AG+}h1>=5|ytEX#`^G5gwHNd_* zUuojI09;eR#}0=dP}u{nSq6iVi(qXU+%!Rou%^J*K{? 
zl4bk8N!C*&ZSfeDooS{Fa6(}Ua&Yio-YT}?zt*@rQn!HzEkFK81uWX zwE+6^Pgqg>Qti6z*x?*1ON>tTN(}MKK6sew71rphR&rq_yxA1maTrF!n>FVK25Utr z@r&-?#|Y9DGhlA`J3w}P``!#-U9Lp@Lt0n?b5Qj5_e@+EZ2b@Ta80k8a4-PQQHTe( zpMR&~wnCU{$DatgjEDzZQh$KWvFjyWP-xTRc0&e=qL(nrADS(u;SHA2^a&?JuL z9w+eTh`d{K<|Nkjwx9lV`=zZ1(@iOvQtXqG9qufw^%^CoaU{uyf1b41^+^I+7 z?*ZqBxbKrr8!}55_FL!&$6L?2rw;u&|hvUB|>)Nm?!}y9MG-pD>FWJ$C)9X zkPG`%p*!hbWNHVZRu$^k_I)OzENfu@08~j^*V%2aLgK{OYa1wFA;nDKx+IbbsAtP; z=h}ZhkyDAvJifw=pfs(alhde~`c%^S5$!qb<=uA^c>i@V z0Hd)5>;sAa0EocQD5BqZ>v0*d43NF{AA#aF5Qugw=~6@PHqIr^W$AqyH4el|pr>U+ znOQbGznmL04dJ9++ln;|?9|M5oIjxuwJ@UFrZxqv?u+azrBcPw!c#cE5^(>SBhAbbHhI;3w8J{4dkz}9!h2pYS^7Ht9K z|33iI&HuOG_KIS;C&qs^Li6$*KgR{WSwWw=PU##L9JD;{c}=#&=Nl%j&Y%y{Ju3IHK#<_Ng`M;q)GNRhEd?tzr% z7DlP|Dbiy zuu_Yg2W(|U4r-xwi1RV+C0fHD_kEN_anFjZB|l^aZq z1}}nOqb1iq!O2&ds@wb40TVxJ{!{lCP=65=DI6CdK~}p80enMN*&INW{?Fgu@ZXq& z|Myou5GV9J;2t>yN!(SCu!`R+e6GnqJ&w;m<{Xt;3Uv={UC5J$xfPXQTF%4QJ;*HA zXMz53@ZrfS{GAL?3oRxRRrh=G6pML=<=aJ{kI+Cub5i{ZYl$V z@;85arS#-3g(9#DO7&3f3GhZh@{e!q>Q#V@@qq2a`l3B&PS z-{v?wJM;26Emi^j|7gsi_uf>MO1-6}rM>^b+E+$J9rb?#qEeDWhje#0NO!k%cQ>eX z3`loKcc*}Khag=_cSuPHg8uJ3&#OJV`(n@8cj`Gf!_4pA`~BqYCL2+E)G@xETv*il zt5=O)m>I+?s)jaH2hkSe_$XqK=IQOdxVX3-DQqsOsEGQE9eFcBN|2i2b2)kdz0EU~ z@AEYi?2-fB~E64 zzgP6b{oS1-8FMr(HV@ID+z+ZjRD4zlvyfT9Y4h*ZdNA_F5%a}mH#ROn3rjiunpnCl5#A(y)5L_zW{B zg_1Q~s;C7$A%}Sw#RNq+W+^mC_EApL$&zdm&bk1I=v!fE;Tgc>)w_jSw@30SLW0)7 z!_E{NpPKTO;Ey~m8}u#UyUkRL?GwZz8CJ^X{fH(S%3vu5zpiifbhCspab)M@M8mu< zVZ%L}{zCDWI(2(5oS7vYtqApvyauj=I%R7q4wvExWc<|(Ir{F-*KKmt8)Ur{fV|~# zqF319=`2DKcoC_iB% zS+n-A4aVmSm+`thcYd-B!usGlOGlf#nOUuj^@g;Rj@f%Ow*c+ zblkHY1nvhJ`_nA`6Z-x&C8SCz7?FYXp=JpBl|AN#CP;s_{`w~N8Vzp2Gw_7+7N$4G z;IrY0xa}ZWn8M|W2qN_B^9~m6F{5B)l%hH!zJw$5-3*4!+Ls4!UOgWLlfqqeavVCtBbb+Qmx4oGtAxV9+BK-c*H{#O&_H+f! 
zV~`xDMupDj6u*i&j2@q49~obiYOGpu{+m!4zkRq8$#dPx=%Y{!(KcW@TiKDbdQ0#{ zu9qx|$90^Vm?3p&o?hg40S*?gC;0xqN5ClR<7}yh#Ov>lLT^$RnOC0OJ|wkd+3+&E z+I}u&7;O&A=p_>EDAms;*lVWuHP``7_(wv2r0N9GX!~7KTYhKh5geXDNO{ z``#9f{LSr9Z`2cI2nA@G-WkjV%8xZuXiv*2y#f=tY!A))GmO>lP$S@7h6zkZ_}ro| zI_+=@VI1ZkAn?u>?GZ?ZvZEmR@j6HkxK}q8nsO#-tGm3)l#3vg31+M|fA$OsRfy*J zCq*QQ`C9<{B$E*S0`)e<&$BUdC6QQ%FHu4WhTKntd4)D896I3`~dXR8@BOA`iDMie$=h@GgL;a8hSP#D zzc3CjW}+(K;3UJ_e%^zrY8KzQa|A1T(1zEo%JyA0i+of$uiZL zX^l*q%WNrYIn<$httKYM)eouRQWb^o1qpw5fSAi)VD6>32W#OOCW!v-!w_tc+9*6vgwn|hY(uJu}L}9a)sYl={?LyIUV==*;%vu5V<1=eL)>~0%lX-6Yq8OXTAnX^paG2?JrnoLPJtr2pdw;x*N=Mnoc+s0xQ}H zv6EBczXB$vz4reFuk z0~%2e%(~>tLXL9Xg3noRt#Hr2BQ#Jbe|7ts!k>@jdM55AqC!^!t$0a@(5-w z?@V8xn_~T38uBTC1&BZ63iF0aT3%{!^ZTh!#Z-XlfM(HS3i)bg-UaiIh5 zcVM<;?v59}Lb62Zz$atCwP7*Cv7*Qo1Bjd&h43IpIcYkC^`B*v~dl|v0S##48m0s7{bDe;slRD#Y|)vU>=(G{Zqru z_7dOA2(m7yo_~+^398f$k^eOL!zbiowRBnNQ-5soyZ|n;>3Q#0DeLc2W`V%DRU`Ee z0J6(MMV41OK1c`!UEb>Mk1G!_U44)M!w!=vDSyIUa*Fg#vLj_HtGd|vGy(;yx1#YX z^1G2#s%Z)*2(vbZ01CTJ-n(17vfLNY-*Fvn&--F+kC%Je(2={U;*MpX9TF8PlkuB} zdQ7l<)`J-Sq@R~ptM^D824f{qNaZyN$Rj;7o`CTN2`AF;Dtk%|mCimqj!60*RxV>SG6{26Uxi1kJKe9w~i}mup5X zn<2nY@h72C(q>`eI_ibr+~J#r%uCKo6yalgj0WE0!*do=wA#nL+bUh+LbBNftRDHO z@i(Mj2vcUro7&VquN0Tlm!G$}izC(fPiUfY#D^XNrUpW2A1!j)aI|1k?g(vv zgu^#k(JQR*A@mswVmSW!)lPe|2`)uBh*hM!VjH>Lm@SJXSCpMo>{HW70`14s>#yS` z-&2_KODg$?jFNYgv*alX`ydSTx}K+Q3oll8(|!@m9i5EJa_uajTs$+CccIii(AFBxj}!+>=!T|*D|{EQCQga>z;zd)r6_@H*&w#&Mw2rK3gE3^i@y>aFi11uKbX2nUt>es1zTrk|Sf!`S<0?Kq?0DYQz&&B)Q}Ttv z#U!WS`tHBo4;hY@}SmrljY_fy^A|QonvO~Dx57a7{0a*CF+jjy}F_R+~AVd zZt|YqcK<%@KG~Uu4X(8wRs*!DcKk=dswGN^yl!S5gN;GaeZ^I zechKc!TU|}m_w`!=$7{M-;O{0sPvWu7QbOL+?&6^b~E}OU$M_kW)n4wOR>BQK@NLg z{rSP874@r>nB@+sr+b4KL%Mj!Snd|Thgv;OC6o0DiuhI?oh`XHFUywYi7t62;Hw2! 
z+;Kv$IuAyjdME*E*Q*zmE$%~9n((oVE2WGE6Xk}9W`UON zTv6JUc<59d%Gb7dsufn*UW9Pc`v?VlQV~0s;j(>Lgp&J>ed^oCOhRshh_bG}<3j$n zP586(ptX&#$iWd`4Q1m zn}$*o5Z=17&${FmynmlNC%S^HPt#dH2HA2X&8E(8uNgOtN2Ia3b1gkkQ zNvXIwgiZwu9-&N*hjWPs2EtrH96Df8n{6cI!kC1UqIm3#E@R<;O>-;7iC=n=SvJ(teJ<}nQ*3o1l{k9u4&k(Uq;V?PbwtIa8CdqQ) zsKcA}vm`hnP`Cu9orgZG62Jxc9YCt(_;IK{hH3wJBTavksJ6<>dA;+U@jLT&=_V=- zJPu7x4U~yKSnhcsr>R|O^`HK1DLq~= zagIxQb8?;zni;p@unyu?bHT7D3;sz|ZnsD;gy<5g-1rjfow=ZjPe0t7jA8%9_ z_4uJOPBbsc*21=3MNO%~y)wQ_XhPZ0Ss^uTC-M>MbWZWK2`D%Ec5@qnhE0b6jOSvA zl}QUT>zwp5>Mrs>p^y3NMO|fw*Ul4#CwL%T#sDx_x*9>*HkqmiI0i1rJ=#iZf_(@SR%Kew6v7edwB~Oi|1g*ZxG8vt9|Tz z?DYF36GtMSzu&HUh2m6IYRGyA)5icd(lvA&0z(>m*;RI%SE@;e5l~Ru+;-BmMW+i| zTU)Bl>dE07T%K>xcOK2r*4VmH6j5zy4rn?mmxoNh|oB#v$t0#2-Sq;dZ9a5Aune zH$7)#77H)rPkygJV6)LaAUL!nYeBN_q^{>LNcLs&I%P>v&(wr?CYUdbROK?j{vGfF z#qY`9UH>PxyP#|G1mM_i?UyrX-eNc*$_kvsZh=S~oFZaE@2mwx#>pn!fKg0IDT(lF zL@&P@`yX39P$evPeDKFOUk>|Z;(a^{(Pr-Zha*@^4-9#(gUs}$WCXXYnH$eSU&@cf zJzV9gf?mJJwmD$ZegcHQ%fF|)`1k;1wHX{A75h|veqG+F zBsFLhwEPE(#A>Dxsr?~0!2}VeE}+m6R97B?;lIKI*poHgLB8B>>t%UHa6kK%jxMs< z7~roD0F-#*>)d*E4x*Ky72pAkX@p*wrevV_jm!EgOuJP9c)+a<=pz>GpITr7w1${i zdY1609WJ+(4Y1CGA=Jhj2)7u4o6lf6+wOZ{?EMQ$8T|nOS^*piOpE!Qfrl?$XJe1b z3@;yFtBw6Vg}Du7(BK5*Auc%E0kb6nR7O~jYrhplY&X*qCE*!$5GXp`ht(c}U(ja= zSC<`zqIW?acB{(`NPmBqM?_(-`|7pmBM_rr+97Z-fx>1G{`}?O53hTXe68`}*Cbya zr`0$>&c&YMMG98{*sTN*^(JVAw1U?JQQ0x#EQv75;p=Y9J^NA=nN)qXSKpTmJzk-K zxbT@4L%X(oF(hE_*=XAyjNEtxz;h@Am|GDqdT+oOLUAg96?6e$7?TP8KR{>|mv;ot zVxs@|+bhnJ(xvPbe;jaoekh|#sn&leY0ym9xL;p(^PX0lV{5_4cah@-MDRKSe zh+75hWZ-f2_ZjNCU5(+r!O7zwNAxlvLAo=xv2$qxh_dyFN+!1c5TtR75b|96k!wes z3z}iazB?ssaa)YU(ZtU+xdJWD3P`@x<&SC8!H9R<_)DNwR}@&_8(*UtiY{RKf(BrM zIHD3khG>|z8nkh(uG}%dq*H`*)#CEV3%rt7;9apyE=lc~fKPKR+18Kh)X9rgEKOIs zVR5c8=3(o))FT|5x%O%Hi6x$}fW4lCyA42~=Y zmMz-OKIAZZp4ynp8v;Ku|7%;E;OXk_B@x8kQcVdKYE4^#7S??1B?D3?h|Kudh)qfP zFz~LZ{rIT=JI<$*s#Ls4q70*BSHF8khPa~SD3=RVgg@lj&vMVMiQw$+Pi7zJ2$=OF z`hEchh(5{V&`5KdBeRHQU@PDQ!Jgma)Fij`1~gdDQV%7Keu&X2XCWGaAj%i>?>hH8 
z+OhBy3wk34$7XP|dpPU#`ap}=*#u927vLI&8_mr2a7?yQ#pWvmV8MS>L5POJ(U97| z^Bhi5T0_dxb9EZ%{o>?ty z41aMdi>E4{P6F&mzQ+f51iPPOa&+D$-;Gb;0XG5A{186%7ov%RoRjfq%k~qJ`ZW+) zhfxt=5!p~6*1FD)NWYmdfM@4%0!$37v9oU<91L9DEVVBfdzz1g5UR`1A#i2CeI4sO z0P~rN3s@vM_6Y6;{%+|vKd+DGV5OTkTkd3Q6)tM{ z8OVEs*NKh$I>?c+u>p2bb{t#EveG4Um?CM@$Nx2U09(DLxJp%>MTf!57a&A60v0N& zW6~c$a{GgrOtL2c+ECo}t zkf$E#cIQio6W^qv6~k9j1d_)d?G}OJc;GK;I-?*YiTdcd)Un?M@=#A8zRBr#wW|o8 z{3J!zOduT%V2GW{D13>2n@zj>*C^6u+9wo0{sQ3kEb8SL=Fy}tn^ z+5=1o+Vunq9Lcjx>5BxnYJq+OlQ_%eBD)Ea+iYB4*81e*r%|aZVV@<8frM4sEk4b8 zaa?rDII4iI`$8W5JMbQqgJ0Gk`FME^`OIz=Z!BxB2nq?wYW?-br)lQl<1trqYLojF{PB+wdSauVOH1^g5E-u_ z6DnLD(6$2wFIE*okT7;7(KFC{^w#o$3FR zr2GF?{a>?x&T;)WCFO9$qGcod;jaKXQ|{lu>&6G)s3`68)^W68T?%aRq&R0yLz(+78bI_u%cb#*IjOH&`sFr>CA|!eo|8Erxa1Rd;xN9e02B<5JCukF!b44(oNnvpg z`nW}@?l182@I<4*E0H2BM0F`dHF=NdjI)y>^MP9RqXyoPX`j;?k;l74A|j$N37yf% z_2sv$2fDuqgZKG&lriT(03Is_vrg;p^FHJo;kqRH(?74HjENzOGO{(2u(J6P^&%PM zIJJEHs6PZ@UZMO<2#V>fMqn%L=2yz$=h&X6YS=G77u@^RdlnMv3oL{h;e>MH#V-Q} z%VY~Bsz!`+9>D2F!0VWy@}o|NC`wc&5?k;OnZlRvK3gqs4DsHO&Ul^)1JB$g{kQoK z1s0zQ+E86IW{IyhfYjgn@T0Jq3AGyu&xpt83+^wT39>T-sQHjyKdLcR@4eG&xc>Bk;6 z7G}99Nq*~^Us{tNX%y22je0E}S1K^|n&$6%Iqgh+;D6hE`}Fgtu8C5yziGU72p*^H z%`z8c+2iMYfi3QpNY?_^ST|~&XH9wrL@+KUA_(l^isHFQz|Q01?7SbP&VhA#5c9P| zx&E{3mW12pmkirK-R%ycF9J~s$mNTnaXE3%0W8>e?X2JcCeSeS_Nr^J}jexs3pde8mc| z9xx5H2pMQHJ31T6ohHA3U11X(OvM}a6lL;IPK2|oK2aA{r_!83QRj7av?+^dKF*Z8 zEsXt|?C6(@!`%+HbGjR5u&p1aFA_jcHS~m#-p#1sE`s zn?jP1gOCBC^WnZQZa*1Oeo%GNFTsqdm-&D~%j!D$S4LEdIMS<^liz$h{3T9rC!q{x z7|nW!k}faklZlMR`7p?M-6K&!1hp?4KUa3Rvi`BSSUSHBrU#f(yQUtn)Ekt;%Fa8zTIcgCEgo zEZaOGDVKHZvjsjM)K`1Ek7lZvG?^*x^{{$;5bM7O z5}DrtVRt%Zz~w0ECpeU2v%KZ-oIRNl$hSC-YP0 z37$4n!Ou8^aw?{6a=cgkud`Hh?>7tOsZ~jAy$2$IDdulQS7@tm=k^zMnx`4ruJL z<3B?HqfvR&BQQTM0VpQ|4rSHAZ5-eY$Zj&J9IEz;l@ce)_pO)hXLSxS6>mEB|5MCevU_y0GM6=oB?Ui5rDRI z*W)19WNv%0Z9~HmIsbOEGmvt<8hiJ>fGqF=);|VwF@sluTTfOMMGnKBsxn2YwxC9z zfu}C3A@w=A2j;i-o5i=UJ-%|lI#qMkBqPwk9R&NpYgU8t?ocx6AOw{)>NO&)%t+Xe 
zM=g&Xb9(mnEUH2$5R2Ik!08Uh70%29=pGgV(6zmXFmJ<%A0c7Kmv~uAH14G&ffs!+ zQ67jisy-7jtQ|;mGiMnvVA>6ekYFfm)iPPRcoPWwyyk;ZUYtk`J#Gv0viWTwu>TWO zQGk4QI{GvHiVch~8!zn0T15Z1dnv!QW?b zPIr3|T5c!aSgvG=@M3o%u+A&Ds1ec@*_jT|Qv`PrWs%a&Kh}Bb)Uu#s@-UlD@(6nt zt7t9b2)Ty)Wb~q*`MNjA4hhO8#g+kMl4k)*I)@+2XDx{Z7tpqMy-mjk3Ma6yQvFUK zZj4i;Sgxb~OHrTOfE58_))h%E8&vPJ&6TO@z8I3-$Ba4Jgf5PaR?C5gB*+-MY)U}L zUtm)LF3QjT1NXpUeTJraZOB8j0%lK)fQHxR_F@SmZAG_-29Z$?uOFr(JE#1PQeF8& zHs65Waz>8f1GL!R_x23wmGIySTV*+(F=GVmd~j1aomv4ar8(hWS1)b?MRQ{ zqZ7RvrGh2DErweRxj{)3vDqVVVV?+R0h2uNtX7i`4tmAs@bennNOp<>rArn}>8x;G zz55C7V<}uR+C9%Ogk8a65e1Fb7kzA99)CYzN8z5sUF@_$uODEoEx`G{_|!M4pzqNO zI>h2&CUscO0Jhw~&fXsI+%J2p_%jnEJD=ia!k=cYLBoDQro< zBysHpDnG6)E)DKYo#XZ@EU+|Bw#l8ZmQn|ge2{w=ppF*gY10a$-FSL?yH zoIqhWD&R9llO9!P+acX+c1~mB2HC=SIWK#vJqGC}UhpZ)0{*)OFs|CstS|{Ozxfu~ zwI`=@v9yN0-U^xu;rn3l4VayGTBLti>OMABOe7ZQdRh|n;5Fd07!^zvoRP=#ltb(6 zw?}5k?se5~q12-8AMwjSEK72#>In-*gCTWm3OQIrqR#Rd_12Y=Iq)vzKwVfQ$%h*Q zTw!KXDws_vT6awxtakl8;2UbYHV(^ts>gA=NhB#4Zpmd%k{G@R^IKO{ zj}qZb%AT}S9yy&#Erssktjbt#d&x$=f47R7^J&mnN;zXwSvKbATH=z0NX>J!#0z7L z8VfTM49aq%cdUJG{{nBqXefK%F<`NEq1%#5YS6#G2!|83?DoelRb9qGhnp*;cP48g z3r9Y}OxAcvVzy4KxHV~^Cf86143iMwO_Sx262Y!Rz(#c14OK&g>=YIc1rLam(hsNT zKC2-k#%fDVBG(b>8rp795c#3Yq)nAi#aYhxYe8~Pt6VC76&ZMOEz8S3*J|b+&ngV4 zBX9ouR%!qJOR|RA`Do{O=$sH_hIPsBX1eN01(e4c5HIsd=jE$6SkT=l+1la8KD{TkSQ ztdnXHK8k6Em_u%a|82A{wDM^WPt5=7j40Q;$NIHyUu3eEk{%d` zlbdhfGyb9b)=EzMm(D73B~<%<;V(2N-&bnpd`-qiU}_@oAxz}&pf109U{68Al@Hp@ z&S%2y^k|9FrYph$FE6i4hgbZFa!D?>w&nKh>OJl4e&F&l{!t5U(bB$1&ofh6IYLL!2`{{aiCGj#PKN zVK$B{ju2CUcqiQchC+QM^LSeV9#pYvPAUG*xS(lCWchgR9yy1l7t-u6UlBo^0lG#W z1sHVjA4pl41unl%`_9u%Y@l&Jkbfya6c|svwR5pGAT48$g_DN#{FP+~W8MdR5=bJN zKVgJb$$VMIXAK+J9c{4F^0=z*FKqn3-%ED^2UH_Gk+d4g5GppJoXKXG5Lx6aV%n?> zerQ<&@@Lx@1nl93Qu#|dAJ0xF)addQOO`?6_AoaJ_6beJEh8rsui77%x6;R6*r2^^NNL0vJJ zyc{>jy#s#_yzU0=o&P|I74i^h;xrJIQCLQWu!BjD1ihOydQL$>&FbYC&fNBQ=d0hd zLAzkqk%vb7j464R%r;P8o$~OjdxQ^tAc-D)I_Lj6_H@B~wjs~?Ch@hwXv*6wS`}K& 
zF!@i&A7$rS$UY_&L`HxF2y&r_5FkS_1P}9pR~e~;8pqR?x(C4QmyDZ%L7yFcN%th~Voqn=e;aSs7JV+!T8A6ED1x!~-Y^F#oOHFrk1uwcPUlF~zEw zc~AxkFo1GKXQRQntRJy!jM$PK1Il0x*uJVqO{|keNWk|6qrzk^)$*eWVYzTt! zo^Q=lQ?fL4!x&gOP78Yft@Y-9{y#Sr{w#4u*N-h_!>w73();q?=1sW()1A$jUdl2jFTYuG@1GcvkO z(G_ZndN!q$Fptqx2JuibS%2dY^QzQXkt;=oL^Q6~=@)9Os`7HSZ=rSq$2M!4Oo$V= zs3b{eFm&|e*^uJw1U5sQsYW4EvLVN==!<9M@WFJSd<(BBe*sZ3L4BmSBL4%ZTY|Y& zVUHYYgZ+Lz-}3`tK8Dr(7#V>-2w~X-IkCF|;VM59TY4Wrxn=vR8d#nX)}st!J`KE@HZnEa%45hoJku)&q0NF5$ByGMuA3DusNtc9lgXj=GRQwNk&^`mh zv0h@uA*?-0Z4{ej$@d)q;0k>(l?`?k6}al^oah6neFovfC*X?xteEvjIJ^hAYYQce z0lJlVIad3^e7)&nBDxrne`w}(J{c`8qs>bw!_>xZWi)3uUq2hnv(mM1NL4DY|bazi~Lt%B)!!dbMxZJ*Fdrh z?d$X=xXj`x?Bg+aOsFqzGCnb?z^9NsssDgFT?f8fWw?vSg2 zo1JdDfSZ9v2V11CFc4BBs|wKU_csEhCP{S;^R9de@Aw6iu>S$y-|>tTT}l^RG3=^A zR-~i@pezdle*Sjj!v~k>)_q{pLrY2G4&Mda!tgu!ZPS)Qd%_R*?6r4n`)KdR09UvZ zp-H`JPv`tj#*0LNJ%7^|k*nsA|9jXUFvTayWF#s54(eNBYs6$4lS5enpxDh%%E{Q0?@R!|lnMYFF!ihkv; z)6k5L-u*EVMc2p+mw^3ydsRO>-0xJWsvwl5@}GR_ian66?x3JNY$vmL=l} zHtPvF9g3!AT6buV0p}DapP7~Z5RPDf=dxqdq%VsDyv9*XlM7shkNLH8yWam@LZh+G<7Qy4T14Tj!?1UtI4?)X zTX{2PA-6a+y+Ot(8CS8y=C11Hfs zfIy_Rw=!|7j{XU!+(xL$t<)MhEt|@8^$pX`AP?k!>9b|Bn~UQHeP0%e)SFS<(A<*4 zeC+}*3PgAOOe>@F1pOjj9CH*Uuio4~=0KvY&iHH8t@OpX#b@Lh+7O2+h}ySgGTPwS9^QQeT=(Y-PYn~HKU%){ zGjVp4P9RgD`GY1?8;(u!H;4|rpFTD%S`E;3(-7}w-dX~^e=Hei7H(t|q(!H@Y~g4g zrBR=L;OcFm0dAYpmbjV3D(X~3)|JhsHPKL66pR?aNh(^nCTpE>hWawA;~a~AHZrMP*5-Z_6!-H&@>r##Vk6R#6pU(Uikly=xgpX8>&h(Hdl@aFhdbmTc(x?7paevWSU>(H&Vql$g( zn6>Ma`rI06Ipgwk4>VE_YS#Y-S5K)f6s8xSjJwZXjAS;Ou)I}U?!w}NE^=K zu!xZMy9Q^9s_P--)!jPm(n-bkM;yWibLzO3C^tfmS!~bQf8Yy19ku6kuFomu~q(Y;ZP#^|DheXQ|!09?OeQhEIIyplrKY3rYh`DgK{PFj! 
zwkD~hs8G^ksPNJt^;s3!&(dxk$5+xn=rNui3hkW{QIbKcxgU}6HU^UZs>+bxU?)4n zLstzr{v~rpIMm508?lHG!rTUFbW-aCWsC@z&pDuI`3mIml+L4u{ruD)HJml&vmEkh zl`>4}&{o*tn&>BJJ|9`@C%$-hJ6)v8e@2Hi*TJ1F{Z{yR&{Jth(_oOdjsWT^@IWhS zvNll6c)BIJN3CoLC(qjy*-3F0#)0n07PjT(iA3+SZpUKzi;{VYlqFE`Z+W9(wO)&T zeiWg>nbfDtwM(;!e%aE-1P5;g-!5y9=}dwE=qXkm14m+U)DYyY3*ICda<<&?nbv1) z6UBALu$}VRS@};9?2h@P$L}fv07n?-i(KxC)J#H&S)Pv~%e)Ka z*$Qn)#OR3b8%$A-fTq3|#8Rc>azzCSvMF9Utd}MDG1$EJVqdLNJ3n_&%puR23Z#xh zihdVtNR8BU+B%=+9ZjgWRWH!tM9rqdcQr)XQ4lS=M7b-%VeC03SQZYRByd>j=wVxj zJqZe%GjVs|RW@2b87sloHfGDd2j9PeD-jnze1~o28?VGPKv8vsh>FsSQT(1c^w_=%WWb z#&_Xk$>SX4jEoBOC(xEDS1i)QQ_^OIkl|P*Jw?^gXGk0S6Jk5Kl_hk3V?+(ZQO zO>ww1A9sSNwlS;f6F9W=bpd!Dv1GL9XJ-|nZKDlBY<9EwOhTy&*JHmRu09AA(mt*D zs`ASDYAWG7RB~<#g;_5NA0@EQtW$PZ?~?UExFpPkj0(weo7&4zC5xM(A5?c-=pp63 zz~YT@PrSA*oLR;~cqXlLj(V%}t6MgU3$eI5IoqW$)Z|8uIH{bkNf1&K-Ei!#nHFF; zgNCp_d|m14+5DTMrC5`mHDPJZT=pfg*STIxbK|2xDhL#f+=~ULVpCIzztj?Ij&arX|s7YFFbuzVNX=M z{)C-d86QR^Ey*tv%D%%vohaKs^P1kBUy!XByv z7#`2pbQsLTu8VNy|0I5ehMD9V$8@Wdl z${%wl(p@`^_Ru|lGGmp&O1SK}Dy`10-U9rlHkxfz#hklu_+y`p*^a+7y^G&cRKmh} z2{Tj@9H|S|%-5~6YCSjZG^sLj5SJsdp3K@?MP_)w9%#v_nAjVxT)$&~HI%DB=%qP= zeEcPVjUJQx?%IC_b+$fDZl2P$kfJo9bVnGWf3t2|PJ(SVJY5n|N8xtDZD;7~cgLKQ z^=U*)=}-_e$CI^jYUAD9!iMKa#5R+k7x}t38*pcbVRP`ew?BHHP^< zvB6&;c_J|-D!Z((MDwOgwh&wm#F+2SL>6BC8Om6bBHvwh2Q9han_?+GJNn$x0vd!4 z$u}W~{254t)$7f(*9}onfYLq z`REABBkQt$|MoiZm4O|n$c7o;<{*0}j;Tk7V%wWkReL{ChpNXzq@{_)7JNxz_XEf3 zz+b$qQVZfY-rlJu4)O{s)Ju8+uJhFt+7p<;VB$T@g z+AZXi3E#@w80m_>CD|~DNcixx-O@}m>6ws66ejlnvpbDgF}3|7)7 zanZTiRJ5Zh-qePrT55x~*e;35B&Ch_Tn;78vxcW#W^8W_?EG0|nf&jdt~DF;LbOaW z);!BqY?iIYdj8%LKP6pA7CQdEOy2gEuT9vsPg*pbO`XSuel+6Y3GcA-aw7eBU(9j9 zo5jrXjX8NKuj8P8dT+H{pKR|25djp=^q%3p0ubor( zMNM4m+yxF@7`Wg0RIe11iIygZm3%6?waU+@7~cQ9`RP<^>NTA<#;R!ero@CJ-BaxD zOYX{w=WAJ95vDv#1Cj8;jqlchcGo*xs%Rf3UQ>aHwTA{I~qvXyBh_ zvV)e@ulA(x`_ohA3`eZHop?+5P-Va~AEVY>{RuD*Z_2z6_3)74@m3*Jw_jzl+hCvD zf9~Sj`p)*9u4XMuQxEIof=V@?=l2%!gx2Kit+OH8)1#V_Z#KctTzZ-$KdaPg+n%q%J zt+`as%*VVmyQay^(-JfewSbt(#Ldw08rty;#-O|-hT 
z#U)eJU7n@$FAZ*Tn}mfMo49@DeeRhU?j@Xj8ff$8@!WajJ!-$y2J9ylPitxNG3wf? z5XtiGMNEA#*HLb8cAbkF6yY{WKdN+~=jBc%B2L~P{+j=wq{(Vxaw>O~d&x7+^H8Vt z@?VM4yVw6x_tNL;uRh$Qo_LBfba;p8`0$P`S>|`{uGNN&JKjekDYWz&GJkLa>d1ps z)nj|w72i@!&CO3mnWd%kR`rIn(EB(e_aXCEz3&S-@-KMkay1v?uU@ivs!sTPeZ4MX zEw?sWhT=g?=Q1to<1OG8(~^1hZ4i>QNLI_zv@eDlAKM~rnx(>HF@7TVJoTWV+I1C%x1eq9`}HUO*dSxxC#!P%8a?PIIX zIREAZMu|BqA%~#fLuPRS$C#C1nd&6l+Z^r%HofNGCmXAD`i;$9UT-v1Jvb`3O1|v6 zr;Vjw{RG7;k6xo4j@vbL)r}X>-@4s_BR)STauw9ZaqG&KPD~oE*#7g&R|g=?ql8<9 zI-ve>R&#uBqI=gGZYZn!QOZ#{f|m~UHQ~~t+bNzJ6)EwP%CrrX{RbW38zXKUaJ_okBCsjT9RNj@+9nD#*3)&!P$o0!QxHjJ{A*<;&O zxCDu~C&vmk&C^N}ui>%G$B*y+ipB&tu)=^CkDancCZpD-Yev zxTERLMr=LPtgH{cPe|BiSJxfo8y%#&4^MLx5+}-q#^sFM5hO<|- z#Q_t=9!Jx+8t-fre>Oh82{`AsIzjGfyBL#Q{iGse?fu1V@nesW|4#g4t=IPE^U!0( z`_)izPHPYOebk^q{ubr-)#@S^L5$&I(kLVbU|CgE{0%K;I1Qk%^=4 z2OAlCSGnlaUf>7reHAY#-rc#NKEUMY_(ExQjqQ&?DV`p@G=BsNPtbSN;M3rlZMXvLlN`N}tQP%eVsC86%LDnCH4-g*7;iv}7oGR-I@ft)4Y^ z9?Pd_u|TpPgXSdBcYgJxG^Ql>3S_41Xw0|y)=n}_%AYA6tIq1x1Mw#pg*tqVnr|ef zfx?Pv2}MIn`M%`ja>%X>WO3i!wM7RC50R`Zm~9WoE3TKaf%_Y9()s-9Wt)D!cPl7A zcaHHp8+Ltx#8ny3n9L}TI-lk|-^pKyW{qRt@kx6)vf<2UsZTKqosF*t%@|WVp3|G5 zh9|;Smq9!aLiR@K=;3w@jV*g2ReH`kFuDtnBtIK17L}@#;9~Y*b@^ zs|`XA8!`q*4<+c6JfkOIljD1;&gLQ6B_k{)eSL;*Zu-l_mp8vlob2nR$PsA@FVQzl;!Jn4P83g0+JI*6m7U@<9;V+SbCbm<5m?c(gdjcEZ5JsF|BX_4LCPY72L| z8|L-=&C!$9!)eja3_Cd7*1;J8A21QZ2~;gnMA1-%omZuYSC~bDyCQRx(~=|o<}UcX zvuG%JY(8mXVX+udg2%ks{$RIZ4J)Z8{RFATq$jGnCN(vM$@c6Aym8;+)#cLRdb8Kw zVWs30&oav6*AJHxm(W?lat)_s$~f0MdXe*xcy44%bEnk?KxaT7r+`(@mf)x@Oq~dl zg3dZ!$W(HgEbrPn)0QWAQ0MOE2W$II*t)~TRiV4nEC@u)BPD!>V|iYTKB{>=dSei| zfN7c9wult0BH-<>&=`2WK?CDylYSrwtn{UDSP%Pwzl7B|T59(_0kqh1^*zd^jU9H|~@79P7_|s{=g)J)O zs@J8@|HIMAsh4~NV#TE`9LTAkuNYO>c8+Shb{ErC9KYO^rJCP)&XVO zYFa)3utnDm3)9Q z-wM#3f>k#~ra4N)!U)EVqHxATqri$>T%fS61T0(VU!~Q{Z$IZ+7^Qh|8yQ#r?t7Lw zAuGn61iH2L(?yG0)gsmIsY4fR`&T%(Z8Z5vwquI1j+LXz*OkB7EeNYQm;pu+5 zT&6HLtcRFg8h#{sS)sNzCVij!AiVQG5pUB5i#@Gx$RyshA@PEh9>g}V+$DE0DZ$sDlRJ~_i 
zK0dM^OeNG_2(tf-9@8$EHt9%P%<;TuU(tecn|mS9;iw%!%R|m3VSb>oMh!WiJ7gTV zVA0{s!*REb29rHpEM=X3-eN>v@}jL}vQW}%<8&I7Gk8)u*u?l{7$`Lg%atVRLassD zf}>Wcr^U@(lWHB1@wBOxalTLUav{h&(6|Vc48B;vo8^7$juwlLOgF>wXuu6yh4l@^ zhBoXQND&{H5A}^qTB4Fy?vAFw1|B=9Lsel9GDPO&x_sjbKt0|`x-qJ!SGT7W{mN0c zGKL*f`gHuT=fmgY&D(EfOBOBo@Ke?paafxmIGkRV&D|}g&2?dTM52U*yP1}%72{b2 zSJkSDP&xW;gKz|8fNp9yY=yf<$5f)@0PLW?)7fzopLl zazN4>;^nnTHgY%Au(fT#3mhH4Jbm-J6jg?scvg3lHKX#$R?9ezZG{8b+M0{Sk5Mwc zajH;VEM6Q2JAR&Iy)Qmx!(B&07DHe=hF_ zL}PYlKTeGthYbdG$na;%*uVCz7I$0ztnj3<23wFYB$!E=pSBKT`XLcY=+92Fmm!+7 zCV&Kt0}XNGwb0|l3L_>#^Xi{AAeeCKAok1K&-S4K(iP=`+#-ja$y(59VNTDK{$Glt z`oP0X1Q_WDlz*TS7A;`GYn@a5zb1Hq^$2h<+3Z0f-)L#R5yG=4DOO&hEgY{!YypN< zU#q;@qVUi`#Tx)jx($K6MWZ{n|F_HRFa>SqeCC^tVcBf^BMh!H=VXAb=p_HbLy`Ch zgLx}9si()KVqyJd8v3!V`q8O8svc^N3_DsdXx_g z*o>uXTU35Rbo5y=;yry>I&X3%HNDHtmKq%T>fP-j7Tg z28`wJZ1T#;O-q)_1b5o-!o@YE%YV^9k}b{G*`E=dDkV@1KToU18eZ}Tq%9a}NDztdC+z(1bj zS<&$q$zn^a*KrPdv%c*BYJ8nCGZdm#*tub(^R?9V`AU7(?Ffjk{+JK-ca7goKfdK z7&XCx>za6N;7S^J5VKW9;dNk-N>i7{v8}mJIg!8bKj3188(A21Ngrlt21r7L5s2fn^)V5Ls~Rw zH-?ANl?G;zv$B9wty=HG7B_`q(>9|5vV!SNsytp2=Oc|Lsg>w*>2>Lcd^hMC8DbM( z@N&-pj^9{x!iapKeXy^&D%4MMtD^u-wZWLdzCaaUt?Xn4|LKnp+ns1`#q-H{O@fKF z6QexJw0x!N;Mty8*V@{r93u`Kj!7(}uo|z|)|&Kp)Wh%C+lE76-F0?o_u5vZV!t#dbTG2D zh(kPpuVA{YXbOQ-7aV;Q(BE{hqOR1SwwvuneH$>#1F~}ExJq#wwN6voNz2RPtnmI_ zlk0rI2d=-FzkC2iaA9ghI5NdN*zuzHoDSLV$JUrJ@X| ztF%{?vwr}Iv%iw5S{Y#-F;k{fPQZ>0Cua?Q$r?`iZK`WQH?pWq=9F`{Jlw3`ixE;< z{dV~-QIar{-LgOWsk1s5U*cNIx1<$K81KmtK$ro5N!@N6xHfn!0VI``j`x2y!PXO) zCs*x!MZ1}KQE&ebi$;Spsh3-N=BwpWoXtYCvB!kV0LEi~%wRnrW&wY)NAK-|OA8Jv z<>N#U>C{QDTk}({UTkj3eVlQ4+)1uJnje>Hz_0K1=eQ=#X@{*+ zEl~_wxy%-ELSsnwc%QBEYd}8ZiXeWjfRu}zZk$!@ zsuOnrqxVvUVx7~$0*xCV;(qfe9O+(AI;NDUQ^%BjRs$U2(~?dzfm^qxy*myB4}aAf za$f%(qa+Jp)-HFd1|*7 zp;na;hq<{Qs#)Tq?c9n^KnLAo-AnGorl}i!MfteA`gk)tkH;V5-NV&;K>tENqW0T4 z32iuogg$`h-b+Ej-H;XqPI?jEG0#)mofhMHLibige8Tuk$+`stfs_{ z|K1Pc;0w>F5Zj61k6|ta&x9Fs2*x>M)+;jM`T&twU_V60=q^+xfIyV z;LXnkuB%h|V}Y;N_LKzT+%(5opS)`3qi@9WF^*eKv|42a2ywb?ahy*v^U+}^3QI1! 
z0-sP5k4v#2&MDkx;yS~BOCW~r?xp~`_H#I`)oh*e zdUuG%T16{Wt%~s*Lf?nHu`7Rs$GNFH+Z{{ntbnB%x})(2W4Jgmwkhk0a;_A;r;G1- zj^}#z7jmu14f@l{hsCp{_p&^m%t{66hAqc)Rr7`IZyf>X-c6qU&c>dDw&sqq@i>%y z$HoF@W(lEOw`1%9BEsHQZrWRYv?90fDNqkx`hbbE^z-w=jw!q64D7Krx=)V8^R@Nf z+b+L!!{sZAu#PE#kihN`qE+q_g=c-e8PvC9Ol!?>4~dx%28s4Mx< zMtj5BAbz0>a(-5ajp^X0i@QakAx8mi_ky=qWRLqp{Ov&r({7F(tAz>>2CJ4n&|v`F1M4NKNlRt(aPfd;RuI4D_p2u-boLKtK0Tr#IU91 zLVOSI?u$Q@wTG(05tc}hPM2cP3|`-!L!3L=+w!r~3Rp2Sm>@+A^=gZ~#HQ3gPS_xK z3$ls1O_Xip6MfPYANx!cOvHI`HB3K?$Kide1)Du!ipM-&8lxO{T#1!i3(7UUyWzW> z1iMh{AErB7i<8sRxjTKE8Q^`L-wV!ztU|+V`pnG-QnU2>;8vv@6}|V2MJY*k)KI#5 zOX6UjauCIp?thfOaEY!A7lO<9g)XjQ5K$gA@U6O?3&RZ|eaWlmsx!;s15YY_OjNtY zq-4L6m7IGGr7UO&tMPy_DJaF?o#IQ190m_6Zr94ED{y$HMdFgdDhd-FOSyl6t00p3 zhv>9i@ufd{l9`a^;vZ{O7hb|@fztV%)=86qX%P%SH0)%&2v;JQ2#<(!p}HGGRp@Km-x7r!{K%%jq}oZ(LnWvU>}`D)sUh6y%#=w^(J{d8r7n?M$X7BTaS)>|X3r(d21ET-YZBPC~( zPCMdqB^e?X(Ms83u#l{1q?Bj|nMIY^PnxwuE{@tB3mTeFid}wGQ)C8{v$I)5Qt>ti zWpB7-hd!BGI#JzvS?)cqHGowYJ3Bcx|7!ZxssfreOM^tpup@V==HUvdL!t#i7~j4G zRO>Tt@^1#U+^74BRs@04y#v9>nw#~;jmPfG*_mza#pPxfm6+W&X&;qyun>^O6*oEs z!W*2ukwx8(4uYzZ%@zU+QmP7FQzF^YR1O;2;XGEp5Y(Yw7F1G z`Xb&qKcBeUVBzTzi&biVk*m-`CECc=s8AwI<4owQ(xDVFpIcJYFEUHh)7sA61BGQ# ziQTuBwY;`iG7-k8E8R&k>8M=ymqvpq@Aw{vD3+`dI2a5rzz{^zmfYO$m}u25==8>C zDmpasTRMh#^xw@Z~W-js-^726Ytmb!|`Bit>yvj4{f4kcq+^I zeInmPAB+AK*Gi^887Pn2U#y-sSRe0)D~zn)-YWf}s=da|1#Eto{`l984H?{)5lFX6 z>t&P#|W-b^i%^Nq*eS$XfgVHy4M)ViD%=g=K(j)g#Kg8xsdnC+Lhh+Gg)vLje zefEBSKQPw1tXnjZ}d`vz4qY>ZA+0hh;{5Zazg) zCy|VjSZB`171r$=J#M-KBQKz7u1>|;ccSd1=I>P1_&8S-_u*@*fF{RCR`ONOmq`fC zr@wRX$r5vt5K{hc)z-Kk#Vv118@mD1&Z|6R@^HiJ-*sJm*_mtFS9*K2JPElC*}>ML zZ_LhYml`!6-pJKS98Fij|BCzA`K0K6F>PyjKE9i+E~W9Q>2VlPuStDzK5mr?=(H^sOs9)~ScN)ynn^Q5ohUmrR9P9!ktcM~?_Rb4Um6@yagJ$N^5<-y6! 
zA-k~z*caW)goj)&43I`zB7MtK^!vHK&IMRP=ul+(gIR^71)Bod3{bKbL#JE>y4rs8 z3fV^4Sp2-Fcvi=Y6OeQ75y|;YZPx5hCq~+GU+1-4vf4EC5YMQ_aOW zvCbsd+Mh)`@EUi9K!JYHRD^gdw<&I8^3;jC7=W6vHe#t5T8F;5cprE6q+< zF`vKe?w$c{|G)jrx5j>yN(zfuGyZA5Z+NByFq6R7?6S;7%gpp)7=;WZ?&z5rS$2kf z!k4(i6=~WLDwOxRMGj*Xkq`vLclliJr2mfuOaVEP6Ee`BLb@qc#h__hJ;-qGzL|kk z0h(h#ch1F0W=zCRD<(s$1(PV2(TMdOzIKGX~1=cbVFPLmqXe_?l(L}1%mY`o@4 zVnDji9bi&Ji$Xw=n@9DTKNU>)=j~sDiFU_{&I23q@!S%nq@_Z!TlVIl#4sQ1zYqky z)_-o1*{}QV=*xTJoE6db-0|v0rL6I>2W^E&Q!=e4ITS$QyCH(6L z(R^)5mT*@NzxZNAyBKUlCQKdc;QV-$YGKf|pw+UkQvj6XNH;56+@RSG&X|3s-2a(8 zVcGRer~XbSXSU=jK^t)fNxibe!)(i|tHr&yTrZ>DKvs;U_zzoZ5CGfG_IO$7DAR zhJ=!%*Zg`Q!Pr4dX6kGu1Jyao`1s^tYhM3$C(F`u=Zl46?VpQGxjMMUZ(bt`{kE0Hx2A-qK7^6kg=ZElt&A~ z=7mxk!^}2EZM_3S-|>I{E*3WWCgN{EkhnD<+&J=`26|1VvE52LIX1;48=t8^gA`uO z@=kIicghu#%%NS_AgJCo;SoPvGQ8B;boYvisR`YM#KV>1EHW(m(|Aq0r8f7;z{;Cz z7Nj#koou+z#Y02f^j~PCMK7Cq%G*??K`q_aOd^XGOff5yK9wqOx_8+w!X+LHKloej z#B=_sSwr+n(rYm|LeW^OAnFB_{$&|$QPb%VEq@l0osjaribC*2n*R5q6KKcU_{oCA zNiqh83ni-OJ;Enoo)MPizV3`Xv(9Nlr=D9YQe+k2ULMxt$PQ*ijeADS{M13}hhap~ z$^*;g&|@1%Bj%U$a)Vm$qag@Cd~oA?wX$Le?dIyur&78ps4~68XegT(+9un3Ec#Gmra?(>q}GL6uk{3UT4_$WPgZMpI zaenRi#z@z}5aH{~Z}UHQmeOvrq-Ck%utsbR)Y`OR85$rc%2rY&-=-iD6wx`VC~t9G z#G-Tt6!y+XUSK}0-Y8QcfN`#5lrWPuF#c`WhRt+iBu4nv$`VwlVekdi?*mGt(bgtL#Ye2Ks|a zLWJ4B9^6l_(w|xk3Ix@E5t6cN|NB4fa{6@xnf7sDn3&lMkreI&5NAsZ4Oc+`j?Tz0 zO&(Ex`_}Wq+i?m2K_RmIQU`?t<$wf)Vy?sFmjcNJMMW!17@X{-u0UH4AkS@$(@cS# zwDjK;z<8iS&n?+&E{$6JZ)zzCruv^&4myp6jOcIdL9Utity@aHik19L(gw|gigLGS zKrK_+&(1{Jl;5@rI)CY?v)v+Fcz5RUE#0Mg^(Abb_xAO$loS4!;%E-7|Gga{!M(Ft z6gOY0r!2@Bg1gJJLoH3-7y2f)oqiGOXzE?8Rw&MHvPO5<#VjX(yD4wFtdzTUG?r0m z$+NSd0h`|rH(IT)Yk%n=%zpH$)pkQ<0*?6;^$$3|FxyO&IsYBOC^|b~RjInzN%uz8 zi>2k|WhymJHmet!78Ca(>vR9#uV5*qH-ZO?7S&P;wF-+qPr)RmFXR3zPg z`t;QFrfaTuJuf@kx&z5SzPszoFoD4)q;?Ot0orAW=Vb4KX?J%w0)cRyO?y=%3+QJ6 zP@jeSDXyx@G_SJKYk8>P;r;u+mCxPQc{SIbX!FpClq!~?;3sZ%vG0*}(|Z7l&(QpB ztgmG1(`_l1*+c}Cr=pfM23ZoPSukCIXoj<-v@~yo_rk}1$OC0oKv}w_5r2;|G$idh 
zQv66@733QBHhH8T5ERzP`5Fqh^AYd;*NmIjyhC;-XfiJ+SOzOskv6mRyHqShj9ley ziZG{soYstoC9_Vibkqj#eZ(07(LP8@M^%^c3b%-tJQc z)-fH(GkoPUbp(V^NP7c{pBVXoz6gE%TRPxuvHJr!GXb&2)ZZB@UM;&EI-uQ`FYWT| zy3am^xS9j%eK#* z0ZGmf5KY6(J+d1l@jpvfT}whic$n{PgIIMpRsK{!dJ0aqtI24{*6r1?CA4J@=GIxhVMJd?@#$SCwV4w;#{s1KuD&4i-V` z)0Ly-{#*n2AnCilW7bcs072#snL+3cVLfT*jo<$B_XD0bbMM#1YNyWBBfv28uIufE zd-CIn349r$YpQRs7`BGXVf2_H54~1F>-bS8+d}()hdq*iEGYh+z3a#57o|oG$s0i<3)&34wP@+V0r{ zLQ?v7mVju=&4+xv^E?jhMWIPmLe&X#Nr_KJJ`G)cJH^h)dZ%hpE7gI@qi1nXBHsCS0X_+=kG^tz77KT)9@JpcIV7i`2GII zDdBr6M|BVqyc>1r`*_45==WGQJPv;oY(Rr#XGivOaSYy&yP=2L2{Fid^1phumhkcWdXnE*=&N}1n~xL z()Mr6)xk^ut+fC8qgi}kwZA}1-4RHUWIcBIVHrMm-+v+9aSA}#slXdPRn!6^nr%Sj z7;=jAUL`EahnwI5V)9+VlkY#T3nn*wv#v#4=K_Z+>I4o30db4}`2(3iv_SRyiZf>+ z5r$R?OoQ8UK=R6K^jMP=|GRS?r|{=GVeww|3*tZiKxCHZZ!jQ=Dba>K-)VV%zh%lo zFvD&%=LQUYgIxI#qMW1ImU_y*PQ40evBUx{Vndj?N8L7{TI~STNeV!O31CBc&-<1y zx~KpoZPw)ZKK%7etW{#H#XA*JK=RMx%g-YMrfUA=vJB=_T~)hIqEx+E%*|2&?3^E> z{eYX72mvB&r?)TDPla6hUt~_f@6X&;yB8;#+6wu_=l+rk+I5>Z97X{GfKyjhN8C+8 zsM~oB?(#sgd|*Zh5J?MZ+tJ~fa5iA~@27XTT7?;-s452kAgH4!su z&@~S9SkO|tGSlvhXOa-w+qXTZrY68yy8?jys4ZCSc>?k+8ECaAITBz(34cev2a;!v zTmp;5%a?KYfgtWcu zh*keRK%He#z{Ba`BX*|RirdLr(dvuAX^_o7J#PUk762BT$@JN$+&&AYe*S}_318If z;fQg0JNfa}qd^)g96;9HGaNI0QVH9KRKLc-Gae4_StJC`0*}q77Hi66p97c5`KStf z+r6N=)Aa$Yeg5y=BPyAENpgLAC*#BnXlAt#>#xOQ7M18Tsy7~Qqzb7S-ERLkw@WA1 zuBngbUlmSGX4>_S$z3{nnYTMXTt6qpI~zpg>7^5hR=vM#7QZYqlpM<%!YTVDz(*8R zTHkOm|NA9iMx+HS_HgSz1I=?kl)tEIb&^Az9Qkrpegv5Y4n2JI*VVRKz`8W&d9xZh zym3)+kaQ5SR4;uymg;uq;wyE-JIDdd-zrbZ$$5I2p1y{){P&asldn(9x=;RD{vfOP zIqqYbd3|8j4=yQfw~o<(16soyOy5X!gD3pp;y8= zSzT}2cue3CqgeRC?%D*=PXgNEbAbZwM?eiqAHsI;w&=!)nARF zSJ_)Hk_O>?u91(n{B)UR;RU6^+kX-T2KY^pMkT!)eYCvbo#mUMwUQlNOZ=anto!Dr zc}zE`aYCQ%pVei(r})7KAZJvi{1iKm7P`400f2^tcnr9GS-GEj|N8F?3P|T__prU# z>+^KRH~kSWz4?H?u3$1+Y83`VUji1enpe}cKBQ3Z+15|4qu2miz{dx92YiA4+t(GZ z4UdbyS97bPbxDCnJ>?+XjlqnE0+C{MW@0vZ`dPAxZSg#|rF&yTo|8)`RZ}(|<)N6M zRbVGFx$rN-yvk{8K|cV`GFsXFNtn0wqx^i0$3ISZHR5U<7McBlh`gf% 
zdXY+H5wtY$FToxm?}J^$4fb1|zzRr@xiO`4Lp9?=Ofz6_(fJ}bX`B8C$+R&^@DdQZ z=pU0LUflyzxON;PrNsj*ec&~+z+oe{BM)b-*rS7PMDc0rC5Rz=nQGDordI#1l)m-y zMk*>FdAA}-fS|&w(0sSV1fsA%!d-UAO|MCb82cKOHu$d`d5OjVR$!Iu=u_&;#!xYi zW@-1q=kYG}0Zx(B*7xTH-#9(`%TKNU(X%Y|@6v;l_s(T8=U8Jr5}KpW;D$TTU%F(n zrT*bl!DCG;-K2)%ch`fMqA>CtPqX`G2Wr~FDDpunA2bXC-*;J+IpxOTF6R7q*4~l- zr>g5`{f@#*=GVU&I57iQxJP!vVBuTUz*kA{0Ro{5@1 z+m>d&HT#Dn<|%#upVaPm5o(=G$4Zg6rAUQ&tIHX8e_}5E(+3s3)ObL@Z6kkp`(Jek zx#vArx9F4N^l!7jdzY>}jCV?A9NHrWW0PHoP5%Y|VOfBwvr+KfuNe8$@(2HYe-ZO$ zm1zI|n*5&^J|wVB16g0<9RG;DF?Ad_-hQn$&i|hG&W*+)T<^uT8?~rJ&*v9uml87^ z4CJ2=;ygu#s5dVUK6_JY@R>C_D544Qc(0tJLrj#xAwM6mlp;*pCxr(LlHPuMN$rZM>zLg6~eo!;f|L;N~?3nPGm)VcF z+3EYLy^R4w`l2FtTk4NDM#CD9^;zL3YjVTEw_e-i3EOJl_cEkG(ZGeiS3Q8kBZt3$ABdXXbF9j%cmEGJ_+Q=t literal 0 HcmV?d00001