From e6c58a178bc3b7fb26c36713fcd315ceb17b2122 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Mon, 13 Feb 2017 11:02:42 -0800 Subject: [PATCH 01/44] Moved ELAM text from the old-ish security overview topic into this topic --- windows/keep-secure/bitlocker-countermeasures.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md index 89261d666c..5cf31239ce 100644 --- a/windows/keep-secure/bitlocker-countermeasures.md +++ b/windows/keep-secure/bitlocker-countermeasures.md 
@@ -115,7 +115,11 @@ Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. -The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. +Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete. + +Windows Defender in Windows 10 supports ELAM, as do Microsoft System Center 2012 Endpoint Protection and non-Microsoft antimalware apps. + +To do this, ELAM loads an antimalware driver before drivers that are flagged as boot-start can be executed. 
This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy. ELAM classifies drivers as follows: From bf442665961fa83740652349cb77631191dc93ab Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 15 Feb 2017 14:44:37 -0800 Subject: [PATCH 02/44] oobe update --- ...points-sccm-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 8b193b46c6..33563eea6f 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md 
@@ -45,14 +45,14 @@ You can use System Center Configuration Manager’s existing functionality to cr 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. -3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic. +3. Onboard your devices using SCCM by following the steps in the [Onboard devices to Windows Defender ATP](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/windows-defender-advanced-threat-protection#onboard-devices-for-windows-defender-atp) topic. 4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. a. Choose a predefined device collection to deploy the package to. > [!NOTE] -> Onboarding couldn't be completed during Out-Of-Box Experience (OOBE). Make sure users pass OOBE after running Windows installation or upgrading. +> Windows Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. ### Configure sample collection settings From d36e2e059a6118a4b2fcf2f15d80f387f23e6333 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 15 Feb 2017 15:58:12 -0800 Subject: [PATCH 03/44] fixes --- windows/deploy/windows-10-poc-mdt.md | 50 +++++++++++++++++----------- 1 file changed, 31 insertions(+), 19 deletions(-) diff --git a/windows/deploy/windows-10-poc-mdt.md b/windows/deploy/windows-10-poc-mdt.md index 057d16d9f6..54eb632a5f 100644 --- a/windows/deploy/windows-10-poc-mdt.md 
+++ b/windows/deploy/windows-10-poc-mdt.md @@ -306,7 +306,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env ``` [Settings] Priority=Default - + [Default] _SMSTSORGNAME=Contoso OSInstall=YES @@ -362,7 +362,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env ``` [Settings] Priority=Default - + [Default] DeployRoot=\\SRV1\MDTProd$ UserDomain=CONTOSO @@ -417,12 +417,16 @@ This procedure will demonstrate how to deploy the reference image to the PoC env Disable-NetAdapter "Ethernet 2" -Confirm:$false ``` + >Wait until the disable-netadapter command completes before proceeding. + + 2. Next, switch to the Hyper-V host and open an elevated Windows PowerShell prompt. Create a generation 2 VM on the Hyper-V host that will load its OS using PXE. To create this VM, type the following commands at an elevated Windows PowerShell prompt: ``` New-VM –Name "PC2" –NewVHDPath "c:\vhd\pc2.vhdx" -NewVHDSizeBytes 60GB -SwitchName poc-internal -BootDevice NetworkAdapter -Generation 2 Set-VMMemory -VMName "PC2" -DynamicMemoryEnabled $true -MinimumBytes 720MB -MaximumBytes 2048MB -Buffer 20 ``` + >Dynamic memory is configured on the VM to conserve resources. However, this can cause memory allocation to be reduced past what is required to install an operating system. If this happens, reset the VM and begin the OS installation task sequence immediately. This ensures the VM memory allocation is not decreased too much while it is idle. 3. Start the new VM and connect to it: 
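Review bot: the note added after the `Disable-NetAdapter "Ethernet 2"` command in hunk -417,12 +417,16 only says to wait for "the disable-netadapter command", while the matching note this patch adds in hunk -585,18 +589,24 reads "As mentioned previously, ensure that you disable the **external** network adapter". If that later note is meant to point back here, name the external adapter in this note too, and write the cmdlet as `Disable-NetAdapter` so it matches the command above it. The `New-VM` line kept as context in the same hunk uses en dashes for `–Name` and `–NewVHDPath` but hyphens for the remaining parameters; normalising them to hyphens would keep the command consistent.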
@@ -452,24 +456,24 @@ This completes the demonstration of how to deploy a reference image to the netwo This section will demonstrate how to export user data from an existing client computer, wipe the computer, install a new operating system, and then restore user data and settings. The scenario will use PC1, a computer that was cloned from a physical device to a VM, as described in [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md). -If the PC1 VM is not already running, then start and connect to it: - +1. If the PC1 VM is not already running, then start and connect to it: + ``` Start-VM PC1 vmconnect localhost PC1 ``` -1. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +2. Switch back to the Hyper-V host and create a checkpoint for the PC1 VM so that it can easily be reverted to its current state for troubleshooting purposes and to perform additional scenarios. Checkpoints are also known as snapshots. To create a checkpoint for the PC1 VM, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ``` Checkpoint-VM -Name PC1 -SnapshotName BeginState ``` -2. Sign on to PC1 using the CONTOSO\Administrator account. +3. Sign on to PC1 using the CONTOSO\Administrator account. >Specify **contoso\administrator** as the user name to ensure you do not sign on using the local administrator account. You must sign in with this account so that you have access to the deployment share. -3. Open an elevated command prompt on PC1 and type the following: +4. Open an elevated command prompt on PC1 and type the following: ``` cscript \\SRV1\MDTProd$\Scripts\Litetouch.vbs 
@@ -477,13 +481,13 @@ If the PC1 VM is not already running, then start and connect to it: **Note**: Litetouch.vbs must be able to create the C:\MININT directory on the local computer. -4. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. +5. Choose the **Windows 10 Enterprise x64 Custom Image** and then click **Next**. -5. Choose **Do not back up the existing computer** and click **Next**. +6. Choose **Do not back up the existing computer** and click **Next**. **Note**: The USMT will still back up the computer. -6. Lite Touch Installation will perform the following actions: +7. Lite Touch Installation will perform the following actions: - Back up user settings and data using USMT. - Install the Windows 10 Enterprise X64 operating system. - Update the operating system via Windows Update. 
@@ -491,15 +495,15 @@ If the PC1 VM is not already running, then start and connect to it: You can review the progress of installation on SRV1 by clicking on the **Monitoring** node in the deployment workbench. When OS installation is complete, the computer will restart, set up devices, and configure settings. -7. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). +8. Sign in with the CONTOSO\Administrator account and verify that all CONTOSO domain user accounts and data have been migrated to the new operating system, or other user accounts as specified [previously](#configure-the-mdt-production-deployment-share). -8. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +9. Create another checkpoint for the PC1 VM so that you can review results of the computer refresh later. To create a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ``` Checkpoint-VM -Name PC1 -SnapshotName RefreshState ``` -9. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +10. Restore the PC1 VM to it's previous state in preparation for the replace procedure. To restore a checkpoint, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ``` Restore-VMSnapshot -VMName PC1 -Name BeginState -Confirm:$false 
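Review bot: the renumbered step 10 in hunk -491,15 +495,15 still reads "Restore the PC1 VM to it's previous state"; since the line is being rewritten for the new number anyway, change "it's" to the possessive "its".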
@@ -507,7 +511,7 @@ If the PC1 VM is not already running, then start and connect to it: vmconnect localhost PC1 ``` -10. Sign in to PC1 using the contoso\administrator account. +11. Sign in to PC1 using the contoso\administrator account. ## Replace a computer with Windows 10 @@ -557,10 +561,10 @@ At a high level, the computer replace process consists of:
``` 3. Complete the deployment wizard using the following: - **Task Sequence**: Backup Only Task Sequence - - **User Data**: Specify a location: **\\SRV1\MigData$\PC1** + - **User Data**: Specify a location: **\\\\SRV1\MigData$\PC1** - **Computer Backup**: Do not back up the existing computer. 4. While the task sequence is running on PC1, open the deployment workbench console on SRV1 and click the **Monitoring* node. Press F5 to refresh the console, and view the status of current tasks. -5. Verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. +5. On PC1, verify that **The user state capture was completed successfully** is displayed, and click **Finish** when the capture is complete. 6. On SRV1, verify that the file **USMT.MIG** was created in the **C:\MigData\PC1\USMT** directory. See the following example: ``` @@ -585,18 +589,24 @@ At a high level, the computer replace process consists of:
``` Disable-NetAdapter "Ethernet 2" -Confirm:$false ``` + + >As mentioned previously, ensure that you disable the **external** network adapter, and wait for the command to complete before proceeding. + + 3. Start and connect to PC3 by typing the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ``` Start-VM PC3 vmconnect localhost PC3 ``` + 4. When prompted, press ENTER for network boot. -6. On PC3, ue the following settings for the Windows Deployment Wizard: +6. On PC3, use the following settings for the Windows Deployment Wizard: - **Task Sequence**: Windows 10 Enterprise x64 Custom Image - **Move Data and Settings**: Do not move user data and settings - - **User Data (Restore)**: Specify a location: **\\SRV1\MigData$\PC1** + - **User Data (Restore)**: Specify a location: **\\\\SRV1\MigData$\PC1** + 5. When OS installation has started on PC1, re-enable the external network adapter on SRV1 by typing the following command on SRV1: ``` @@ -606,7 +616,9 @@ At a high level, the computer replace process consists of:
8. When PC3 has completed installing the OS, sign in to PC3 using the contoso\administrator account. When the PC completes updating, click **Finish**. -9. Verify that settings have been migrated from PC1, and then shut down PC3 in preparation for the next procedure. +9. Verify that settings have been migrated from PC1. This completes demonstration of the replace procedure. + +10. Shut down PC3 in preparation for the [next](windows-10-poc-sc-config-mgr.md) procedure. ## Troubleshooting logs, events, and utilities From 0d1148a8b436ac3543a41818ccb5e034c0113eb8 Mon Sep 17 00:00:00 2001 From: jamiejdt Date: Wed, 15 Feb 2017 16:53:33 -0800 Subject: [PATCH 04/44] Update App-V 5.0/5.1 on VL restriction for Office 2016 --- ...ng-microsoft-office-2016-by-using-app-v.md | 166 ++++---------- ...-microsoft-office-2016-by-using-app-v51.md | 213 +++++------------- 2 files changed, 99 insertions(+), 280 deletions(-) diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md index 326877092e..4dba1a2a53 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md +++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md @@ -81,10 +81,11 @@ Before you deploy Office by using App-V, review the following requirements.

Packaging

-
    + +
    • All of the Office applications that you want to deploy to users must be in a single package.

    • In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.

    • -
    • If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project).

    • +
    • If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office).

    @@ -102,12 +103,7 @@ Before you deploy Office by using App-V, review the following requirements.
  • Project Pro for Office 365

You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).

-

You don’t use shared computer activation if you’re deploying a volume licensed product, such as:

-
    -
  • Office Professional Plus 2016

  • -
  • Visio Professional 2016

  • -
  • Project Professional 2016

  • -
+ @@ -154,9 +150,7 @@ The following table describes the recommended methods for excluding specific Off Complete the following steps to create an Office 2016 package for App-V 5.0 or later. -**Important**   -In App-V 5.0 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages. - +>**Important**  In App-V 5.0 and later, you must use the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages. ### Review prerequisites for using the Office Deployment Tool @@ -190,13 +184,12 @@ The computer on which you are installing the Office Deployment Tool must have: -**Note**   -In this topic, the term “Office 2016 App-V package” refers to subscription licensing and volume licensing. +>**Note**  In this topic, the term “Office 2016 App-V package” refers to subscription licensing.   ### Create Office 2016 App-V Packages Using Office Deployment Tool -You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Volume Licensing or Subscription Licensing. +You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Subscription Licensing. Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers. 
@@ -206,6 +199,7 @@ Office 2016 App-V Packages are created using the Office Deployment Tool, which g 1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117). +>**Important** You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages. 2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved. Example: \\\\Server\\Office2016 @@ -237,8 +231,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc ``` - **Note**   - The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line. + >**Note**  The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line. The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: @@ -269,13 +262,14 @@ The XML file that is included in the Office Deployment Tool specifies the produc

Product element

-

Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.

+

Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications. + + For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297) +

Product ID ="O365ProPlusRetail "

Product ID ="VisioProRetail"

Product ID ="ProjectProRetail"

-

Product ID ="ProPlusVolume"

-

Product ID ="VisioProVolume"

-

Product ID = "ProjectProVolume"

+

Language element

@@ -286,7 +280,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc

Version (attribute of Add element)

Optional. Specifies a build to use for the package

Defaults to latest advertised build (as defined in v32.CAB at the Office source).

-

15.1.2.3

+

16.1.2.3

SourcePath (attribute of Add element)

@@ -303,7 +297,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. -2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with description of details: +2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with a description of details: ``` syntax \\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml 
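Review bot: the rewritten step 2 in hunk -303,7 +297,7 keeps "a 64 bit operating system" while the same file writes "64-bit Windows computers" elsewhere; hyphenate it here as well, since the line is already being touched to add "a description".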
@@ -346,41 +340,35 @@ After you download the Office 2016 applications through the Office Deployment To - Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers. -- Create an Office App-V package for either Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file. +- Create an Office App-V package for Subscription Licensing package by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file. The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make. +>**Note**  You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. + - - - - - @@ -412,9 +400,7 @@ After you download the Office 2016 applications through the Office Deployment To -
Product IDVolume Licensing Subscription Licensing

Office 2016

ProPlusVolume

O365ProPlusRetail

Office 2016 with Visio 2016

ProPlusVolume

-

VisioProVolume

O365ProPlusRetail

VisioProRetail

Office 2016 with Visio 2016 and Project 2016

ProPlusVolume

-

VisioProVolume

-

ProjectProVolume

O365ProPlusRetail

VisioProRetail

ProjectProRetail

ProductID

Specify the type of licensing, as shown in the following examples:

-
    -
  • Subscription Licensing

    +

Specify Subscription licensing, as shown in the following example:

<Configuration>
        <Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
         <Product ID="O365ProPlusRetail">
@@ -446,44 +432,7 @@ After you download the Office 2016 applications through the Office Deployment To
     
-

 

-

-
  • Volume Licensing

    -
    <Configuration>
    -       <Add SourcePath= "\\Server\Office2016" OfficeClientEdition="32" >
    -        <Product ID="ProPlusVolume">
    -          <Language ID="en-us" />
    -        </Product>
    -        <Product ID="VisioProVolume">
    -          <Language ID="en-us" />
    -        </Product>
    -      </Add>  
    -    </Configuration>
    -

    In this example, the following changes were made to create a package with Volume licensing:

    - - - - - - - - - - - - - - - - - - - -

    SourcePath

    is the path, which was changed to point to the Office applications that were downloaded earlier.

    Product ID

    for Office was changed to ProPlusVolume.

    Product ID

    for Visio was changed to VisioProVolume.

    -

     

    -

  • - - +

    ExcludeApp (optional)

    Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.

    @@ -492,13 +441,8 @@ After you download the Office 2016 applications through the Office Deployment To

    PACKAGEGUID (optional)

    By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

    An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.

    -
    - Note   -

    Even if you use unique package IDs, you can still deploy only one App-V package to a single device.

    -
    -
    -   -
    +>**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device. + @@ -531,7 +475,7 @@ After you download the Office 2016 applications through the Office Deployment To

    /packager

    -

    creates the Office 2016 App-V package with Volume Licensing as specified in the customConfig.xml file.

    +

    creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.

    \\server\Office2016\Customconfig.xml

    @@ -552,8 +496,7 @@ After you download the Office 2016 applications through the Office Deployment To - **WorkingDir** - **Note**   - To troubleshoot any issues, see the log files in the %temp% directory (default). + **Note** To troubleshoot any issues, see the log files in the %temp% directory (default).   @@ -563,7 +506,7 @@ After you download the Office 2016 applications through the Office Deployment To 2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected. -## Publishing the Office package for App-V 5.0 +## Publishing the Office package for App-V Use the following information to publish an Office package. @@ -629,8 +572,6 @@ To manage your Office App-V packages, use the same operations as you would for a - [Managing Office 2016 package upgrades](#bkmk-manage-office-pkg-upgrd) -- [Managing Office 2016 licensing upgrades](#bkmk-manage-office-lic-upgrd) - - [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project) ### Enabling Office plug-ins by using connection groups 
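Review bot: the two list links kept as context in hunk -629,8 +572,6 still use the old bookmark anchors, `#bkmk-manage-office-pkg-upgrd` and `#bkmk-deploy-visio-project`, while the first hunk of this file (-81,10 +81,11) changes the link to the same Visio and Project section to `#deploying-visio-2016-and-project-2016-with-office`. Use one anchor style in both places; if the `bkmk-` anchors no longer resolve, update these two entries here in the same change that removes the licensing-upgrades entry.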
@@ -641,16 +582,15 @@ Use the steps in this section to enable Office plug-ins with your Office package 1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet. -2. Sequence your plug-ins using the App-V 5.0 Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins. +2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins. -3. Create an App-V 5.0 package that includes the desired plug-ins. +3. Create an App-V package that includes the desired plug-ins. 4. Add a Connection Group through App-V server, System Center Configuration Manager, or a PowerShell cmdlet. 5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created. - **Important**   - The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package. + >**Important** The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.   
@@ -672,8 +612,7 @@ Use the steps in this section to enable Office plug-ins with your Office package You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications. -**Note**   -To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. +>**Note** To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.   **To disable an Office 2016 application** 
@@ -752,36 +691,17 @@ To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a 1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. - **Note**   - Office App-V packages have two Version IDs: - - - An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool. - - - A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package. - + >**Note** Office App-V packages have two Version IDs: +
      +
    • An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
    • +
    • A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
    • +
      2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast. 3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted. -### Managing Office 2016 licensing upgrades - -If a new Office 2016 App-V Package has a different license than the Office 2016 App-V Package currently deployed. For instance, the Office 2016 package deployed is a subscription based Office 2016 and the new Office 2016 package is Volume Licensing based, the following instructions must be followed to ensure smooth licensing upgrade: - -**How to upgrade an Office 2016 License** - -1. Unpublish the already deployed Office 2016 Subscription Licensing App-V package. - -2. Remove the unpublished Office 2016 Subscription Licensing App-V package. - -3. Restart the computer. - -4. Add the new Office 2016 App-V Package Volume Licensing. - -5. Publish the added Office 2016 App-V Package with Volume Licensing. - -An Office 2016 App-V Package with your chosen licensing will be successfully deployed. ### Deploying Visio 2016 and Project 2016 with Office @@ -802,7 +722,7 @@ The following table describes the requirements and options for deploying Visio 2

    How do I package and publish Visio 2016 and Project 2016 with Office?

    You must include Visio 2016 and Project 2016 in the same package with Office.

    -

    If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md).

    +

    If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic.

    How can I deploy Visio 2016 and Project 2016 to specific users?

    @@ -848,17 +768,11 @@ The following table describes the requirements and options for deploying Visio 2 ## Additional resources -**Office 2016 App-V 5.0 Packages 5.0 Additional Resources** - -[Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117) - -[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://go.microsoft.com/fwlink/p/?LinkId=330680) - -**Office 2013 and Office 2010 App-V Packages** - [Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md) -[Deploying Microsoft Office 2011 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md) +[Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md) + +[Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117) **Connection Groups** @@ -868,7 +782,7 @@ The following table describes the requirements and options for deploying Visio 2 **Dynamic Configuration** -[About App-V 5.0 Dynamic Configuration](about-app-v-50-dynamic-configuration.md) +[About App-V 5.1 Dynamic Configuration](about-app-v-51-dynamic-configuration.md) ## Got a suggestion for App-V? diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md index efb700aace..8b3704c3a9 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md +++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md @@ -1,4 +1,4 @@ ---- +--- title: Deploying Microsoft Office 2016 by Using App-V description: Deploying Microsoft Office 2016 by Using App-V author: jamiejdt @@ -47,7 +47,7 @@ Use the following table to get information about supported versions of Office an -

    [Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-office-vers-supp-appv)

    +

    [Supported versions of Microsoft Office](planning-for-using-app-v-with-office.md#bkmk-office-vers-supp-appv)

    • Supported versions of Office

    • Supported deployment types (for example, desktop, personal Virtual Desktop Infrastructure (VDI), pooled VDI)

    • @@ -55,13 +55,14 @@ Use the following table to get information about supported versions of Office an
    -

    [Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-plan-coexisting)

    +

    [Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)

    Considerations for installing different versions of Office on the same computer

      + ### Packaging, publishing, and deployment requirements Before you deploy Office by using App-V, review the following requirements. @@ -80,10 +81,11 @@ Before you deploy Office by using App-V, review the following requirements.

    Packaging

    -
      + +
      • All of the Office applications that you want to deploy to users must be in a single package.

      • In App-V 5.1 and later, you must use the Office Deployment Tool to create packages. You cannot use the Sequencer.

      • -
      • If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project).

      • +
      • If you are deploying Microsoft Visio 2016 and Microsoft Project 2016 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office).

      @@ -101,12 +103,7 @@ Before you deploy Office by using App-V, review the following requirements.
    • Project Pro for Office 365

    You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).

    -

    You don’t use shared computer activation if you’re deploying a volume licensed product, such as:

    -
      -
    • Office Professional Plus 2016

    • -
    • Visio Professional 2016

    • -
    • Project Professional 2016

    • -
    + @@ -153,10 +150,7 @@ The following table describes the recommended methods for excluding specific Off Complete the following steps to create an Office 2016 package for App-V 5.1 or later. -**Important**   -In App-V 5.1 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages. - -  +>**Important**  In App-V 5.1 and later, you must use the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages. ### Review prerequisites for using the Office Deployment Tool @@ -182,23 +176,20 @@ The computer on which you are installing the Office Deployment Tool must have:

    Supported operating systems

    • 64-bit version of Windows 10

    • -
    • 64-bit version of Windows 8 or later

    • +
    • 64-bit version of Windows 8 or 8.1

    • 64-bit version of Windows 7

    + +>**Note**  In this topic, the term “Office 2016 App-V package” refers to subscription licensing.   -**Note**   -In this topic, the term “Office 2016 App-V package” refers to subscription licensing and volume licensing. +### Create Office 2016 App-V Packages Using Office Deployment Tool -  - -### Create Office 2013 App-V Packages Using Office Deployment Tool - -You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Volume Licensing or Subscription Licensing. +You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Subscription Licensing. Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers. @@ -206,11 +197,9 @@ Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V Packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation: -1. Download the [Office 2-16 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117). - - > [!NOTE] - > You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages. +1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117). +>**Important** You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages. 2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved. Example: \\\\Server\\Office2016 
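Review bot: In the `@@ -206,11 +197,9 @@` hunk, the new `>**Important** You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages.` callout repeats what the paragraph directly above step 1 already states (packages are created with the Office Deployment Tool and cannot be created or modified through the sequencer), and what the earlier `>**Important**` callout in this topic states. Consider dropping it. If it stays, indent it under step 1, as the removed `> [!NOTE]` lines appear to have been: a blockquote at column 0 between `1.` and `2.` ends the ordered list in most Markdown renderers, so step 2 may restart at 1.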
@@ -242,12 +231,9 @@ The XML file that is included in the Office Deployment Tool specifies the produc ``` - **Note**   - The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line. + >**Note**  The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line. -   - - The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: + The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: @@ -276,13 +262,14 @@ The XML file that is included in the Office Deployment Tool specifies the produc - - + + @@ -298,21 +285,19 @@ The XML file that is included in the Office Deployment Tool specifies the produc - + - +

    Product element

    Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.

    Product ID ="O365ProPlusRetail"

    +

    Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications. + + For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297) +

    Product ID ="O365ProPlusRetail "

    Product ID ="VisioProRetail"

    Product ID ="ProjectProRetail"

    -

    Product ID ="ProPlusVolume"

    -

    Product ID ="VisioProVolume"

    -

    Product ID = "ProjectProVolume"

    Language element

    SourcePath (attribute of Add element)

    Specifies the location in which the applications will be saved to.

    Sourcepath = "\\Server\Office2016"

    Sourcepath = "\\Server\Office2016”

    Branch (attribute of Add element)

    Optional. Specifies the update branch for the product that you want to download or install.

    For more information about update branches, see Overview of update branches for Office 365 ProPlus.

    Optional. Specifies the update branch for the product that you want to download or install.

    For more information about update branches, see Overview of update branches for Office 365 ProPlus.

    Branch = "Business"

    -   - After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. -2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with description of details: +2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with a description of details: ``` syntax \\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml @@ -355,41 +340,35 @@ After you download the Office 2016 applications through the Office Deployment To - Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers. -- Create an Office App-V package for either Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file. +- Create an Office App-V package for Subscription Licensing package by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file. The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make. +>**Note**  You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. + - - - - - 
@@ -421,9 +400,7 @@ After you download the Office 2016 applications through the Office Deployment To -
    Product IDVolume Licensing Subscription Licensing

    Office 2016

    ProPlusVolume

    O365ProPlusRetail

    Office 2016 with Visio 2016

    ProPlusVolume

    -

    VisioProVolume

    O365ProPlusRetail

    VisioProRetail

    Office 2016 with Visio 2016 and Project 2016

    ProPlusVolume

    -

    VisioProVolume

    -

    ProjectProVolume

    O365ProPlusRetail

    VisioProRetail

    ProjectProRetail

    ProductID

    Specify the type of licensing, as shown in the following examples:

    -
      -
    • Subscription Licensing

      +

    Specify Subscription licensing, as shown in the following example:

    <Configuration>
            <Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
             <Product ID="O365ProPlusRetail">
    @@ -455,59 +432,17 @@ After you download the Office 2016 applications through the Office Deployment To
         
    -

     

    -

    -
  • Volume Licensing

    -
    <Configuration>
    -       <Add SourcePath= "\\Server\Office2016" OfficeClientEdition="32" >
    -        <Product ID="ProPlusVolume">
    -          <Language ID="en-us" />
    -        </Product>
    -        <Product ID="VisioProVolume">
    -          <Language ID="en-us" />
    -        </Product>
    -      </Add>  
    -    </Configuration>
    -

    In this example, the following changes were made to create a package with Volume licensing:

    - - - - - - - - - - - - - - - - - - - -

    SourcePath

    is the path, which was changed to point to the Office applications that were downloaded earlier.

    Product ID

    for Office was changed to ProPlusVolume.

    Product ID

    for Visio was changed to VisioProVolume.

    -

     

    -

  • - - +

    ExcludeApp (optional)

    -

    Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access.

    +

    Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.

    PACKAGEGUID (optional)

    By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

    An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.

    -
    - Note   -

    Even if you use unique package IDs, you can still deploy only one App-V package to a single device.

    -
    -
    -   -
    +>**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device. + @@ -540,7 +475,7 @@ After you download the Office 2016 applications through the Office Deployment To

    /packager

    -

    creates the Office 2016 App-V package with Volume Licensing as specified in the customConfig.xml file.

    +

    creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.

    \\server\Office2016\Customconfig.xml

    @@ -553,14 +488,15 @@ After you download the Office 2016 applications through the Office Deployment To - After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: +   - - **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files. + After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: - - **WorkingDir** + - **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files. - **Note**   - To troubleshoot any issues, see the log files in the %temp% directory (default). + - **WorkingDir** + + **Note** To troubleshoot any issues, see the log files in the %temp% directory (default).   @@ -570,7 +506,7 @@ After you download the Office 2016 applications through the Office Deployment To 2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected. -## Publishing the Office package for App-V 5.1 +## Publishing the Office package for App-V Use the following information to publish an Office package. @@ -636,8 +572,6 @@ To manage your Office App-V packages, use the same operations as you would for a - [Managing Office 2016 package upgrades](#bkmk-manage-office-pkg-upgrd) -- [Managing Office 2016 licensing upgrades](#bkmk-manage-office-lic-upgrd) - - [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project) ### Enabling Office plug-ins by using connection groups 
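Review bot: The list in the `@@ -636,8 +572,6 @@` hunk keeps the old bookmark anchors (`#bkmk-manage-office-pkg-upgrd`, `#bkmk-deploy-visio-project`), while the Packaging requirements hunk earlier in this same patch changes the Visio/Project link to `#deploying-visio-2016-and-project-2016-with-office`. If the `bkmk-` anchors no longer resolve, update the entries in this list to the heading-derived anchors too; if they still resolve, use one form throughout the topic.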
@@ -648,16 +582,15 @@ Use the steps in this section to enable Office plug-ins with your Office package 1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet. -2. Sequence your plug-ins using the App-V 5.1 Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins. +2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins. -3. Create an App-V 5.1 package that includes the desired plug-ins. +3. Create an App-V package that includes the desired plug-ins. 4. Add a Connection Group through App-V server, System Center Configuration Manager, or a PowerShell cmdlet. 5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created. - **Important**   - The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package. + >**Important** The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.   
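Review bot: Steps 1 and 4 of this procedure are the same instruction (`Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet`, differing only in the capitalization of `server`), and the hunk edits steps 2, 3 and 5 around them without resolving the duplicate. Remove one of the two, and add the missing space in `Office 365 ProPlus(non-virtual)` on the rewritten step 2 line.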
@@ -677,11 +610,9 @@ Use the steps in this section to enable Office plug-ins with your Office package ### Disabling Office 2016 applications -You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2013 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications. - -**Note**   -To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. +You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications. +>**Note** To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.   **To disable an Office 2016 application** 
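Review bot: The rewritten paragraph under `### Disabling Office 2016 applications` corrects `Office 2013` to `Office 2016` but carries over the garbled phrase `leave all other Office application main available`. Since the whole line is replaced anyway, fix it in the same change, for example `leave all other Office applications available`.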
@@ -734,11 +665,11 @@ You may want to disable shortcuts for certain Office applications instead of unp [{Common Programs}]\Microsoft Office 2016\Access 2016.lnk - [{AppvPackageRoot}])office15\MSACCESS.EXE + [{AppvPackageRoot}])office16\MSACCESS.EXE [{Windows}]\Installer\{90150000-000F-0000-0000-000000FF1CE)\accicons.exe.Ø.ico - Microsoft.Office.MSACCESS.EXE.16 + Microsoft.Office.MSACCESS.EXE.15 true Build a professional app quickly to manage data. l @@ -760,36 +691,17 @@ To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a 1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. - **Note**   - Office App-V packages have two Version IDs: - - - An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool. - - - A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package. - + >**Note** Office App-V packages have two Version IDs: +
      +
    • An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
    • +
    • A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
    • +
      2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast. 3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted. -### Managing Office 2016 licensing upgrades - -If a new Office 2016 App-V Package has a different license than the Office 2016 App-V Package currently deployed. For instance, the Office 2013 package deployed is a subscription based Office 2016 and the new Office 2016 package is Volume Licensing based, the following instructions must be followed to ensure smooth licensing upgrade: - -**How to upgrade an Office 2016 License** - -1. Unpublish the already deployed Office 2016 Subscription Licensing App-V package. - -2. Remove the unpublished Office 2016 Subscription Licensing App-V package. - -3. Restart the computer. - -4. Add the new Office 2016 App-V Package Volume Licensing. - -5. Publish the added Office 2016 App-V Package with Volume Licensing. - -An Office 2016 App-V Package with your chosen licensing will be successfully deployed. ### Deploying Visio 2016 and Project 2016 with Office 
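Review bot: In the `@@ -734,11 +665,11 @@` shortcut example above, the target moves from `office15\MSACCESS.EXE` to `office16\MSACCESS.EXE`, but the application ID on the other changed line goes the opposite way, from `Microsoft.Office.MSACCESS.EXE.16` to `Microsoft.Office.MSACCESS.EXE.15`. The two `+` lines now disagree about the Office version, so please check the value against a deployment configuration file generated for an Office 2016 package. The same example also looks damaged in places this hunk touches or leaves as context (the stray `)` in `[{AppvPackageRoot}])office16`, the `)` that closes the installer GUID, and `accicons.exe.Ø.ico`); these are worth fixing in the same pass because the block is presented as the entry an administrator edits to disable the shortcut.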
@@ -851,28 +763,21 @@ The following table describes the requirements and options for deploying Visio 2 -  ## Additional resources -**Office 2016 App-V Packages Additional Resources** +[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md) + +[Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md) [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117) -[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://go.microsoft.com/fwlink/p/?LinkId=330680) - -**Office 2013 and Office 2010 App-V Packages** - -[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v51.md) - -[Deploying Microsoft Office 2011 by Using App-V](deploying-microsoft-office-2010-by-using-app-v51.md) - **Connection Groups** [Deploying Connection Groups in Microsoft App-V v5](https://go.microsoft.com/fwlink/p/?LinkId=330683) -[Managing Connection Groups](managing-connection-groups51.md) +[Managing Connection Groups](managing-connection-groups.md) **Dynamic Configuration** From 24a97936262f669724dbf70e16774205e5d05bcb Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 15 Feb 2017 18:11:17 -0800 Subject: [PATCH 05/44] waas-DO - restructring Removing samples building story in the intro adding gpo-mdm table adding links everywhere --- windows/manage/waas-delivery-optimization.md | 189 +++++-------------- 1 file changed, 47 insertions(+), 142 deletions(-) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index b1701d80d9..0090502c90 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md 
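Review bot: For the deploying-microsoft-office-2016-by-using-app-v51.md patch that ends above, the Additional resources hunk (`@@ -851,28 +763,21 @@`) retargets links from the `51` files to the unsuffixed ones (`managing-connection-groups51.md` to `managing-connection-groups.md`, `deploying-microsoft-office-2013-by-using-app-v51.md` to `deploying-microsoft-office-2013-by-using-app-v.md`), and the table hunks near the top of the file do the same with `planning-for-using-app-v-with-office51.md`. The topic still says "In App-V 5.1 and later", so please confirm the unsuffixed targets exist and are the intended version of each topic. The added link text `Planning for Using App-V with coexsiting versions of Office` also has a typo (`coexisting`).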
@@ -32,14 +32,45 @@ By default in Windows 10 Enterprise and Education, Delivery Optimization allows You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. -- Group Policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization -- MDM: .Vendor/MSFT/Policy/Config/DeliveryOptimization +You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**. +In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**. -Several Delivery Optimization features are configurable. +Several Delivery Optimization features are configurable: - +| Group Policy setting | MDM setting | +| --- | --- | +| [Download mode](#download-mode) | DODownloadMode | +| [Group ID](#group-id) | DOGroupID | +| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | +| [Max Cache Size](#max-cache-size) | DOMaxCacheSize | +| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | +| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | +| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | +| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | +| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | +| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | +| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | -### Download mode (DODownloadMode) +When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure, would be [Download mode](#download-mode). Download mode dictates how Delivery Optimization downloads Windows updates. + +While every other feature setting is optional, they offer enhanced control of the Delivery Optimization behavior. 
+ +[Group ID](#group-id) enables administrators to create custom device groups that will share content between devices in the group. + +Delivery Optimization uses locally cached updates. In cases where devices have limited local storage space, or if you would rather control cache usage, various settings can be used to control that: +- [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use. +- [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache. +- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location. + +There are additional options available to robustly control the impact Delivery Optimization has on your network: +- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization. +- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. +- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month. +- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. + +Provided below is a detailed description of every configurable feature setting. Use these details when configuring any of the above settings. + +### Download mode Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. 
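Review bot: The new Group Policy location, `**Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**`, drops the leading `Computer` that the removed bullet had (`Computer Configuration\Policies\...`). Restore it so the path matches the node name shown in the Group Policy editor. Two wording points in the same hunk: `the first and most important thing to configure, would be [Download mode]` has a stray comma, and `... [Percentage of Maximum Download Bandwidth] controls the download bandwidth` should read `control`, since the subject is two settings.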
@@ -55,176 +86,50 @@ Download mode dictates which download sources clients are allowed to use when do >[!NOTE] >Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group. -### Group ID (DOGroupID) +### Group ID By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. >[!NOTE] >This configuration is optional and not required for most implementations of Delivery Optimization. -### Max Cache Age (DOMaxCacheAge) +### Max Cache Age In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). 
-### Max Cache Size (DOMaxCacheSize) +### Max Cache Size This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. -### Absolute Max Cache Size (DOAbsoluteMaxCacheSize) +### Absolute Max Cache Size This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB. -### Maximum Download Bandwidth (DOMaxDownloadBandwidth) +### Maximum Download Bandwidth This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used. -### Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) +### Percentage of Maximum Download Bandwidth This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. -### Max Upload Bandwidth (DOMaxUploadBandwidth) +### Max Upload Bandwidth This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. 
Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. -### Minimum Background QoS (DOMinBackgroundQoS) +### Minimum Background QoS This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. -### Modify Cache Drive (DOModifyCacheDrive) +### Modify Cache Drive This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache). -### Monthly Upload Data Cap (DOMonthlyUploadDataCap) +### Monthly Upload Data Cap This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB. - -## Delivery Optimization configuration examples - -Delivery Optimization can be configured in various ways, leveraging the policies described in the previous section. The following samples describe some common scenarios that organizations may want to set up, given specific scenarios in use for their organization. 
- -### Use Delivery Optimzation with group download mode - -Delivery Optimization by default will consider all PCs in an organizations as peers for sharing content, even those that might be located across a slower WAN link. Group download mode is designed to help with this by limiting the PCs that can be used. In Windows 10, version 1511, group download mode considers PCs in the same domain and with the same configured Group ID to be eligible peers. In Windows 10, version 1607, the default behavior also adds the PC's AD DS site into the grouping determination. - -**To use Group Policy to configure Delivery Optimization for group download mode** - -1. Open Group Policy Management Console (GPMC). - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Group**. - -5. Right-click the **Delivery Optimization – Group** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization. - -7. Right-click the **Download Mode** setting, and then click **Edit**. - -8. Enable the policy, and then select the **Group** download mode. - -9. Right-click the **GroupID** setting, and then click **Edit**. Enable the policy, and then specify a unique GUID for each group of PCs. (This is not required for Windows 10, version 1607, since the AD site code will be used to group devices automatically.) - -10. Click **OK**, and then close the Group Policy Management Editor. - -11. In GPMC, select the **Delivery Optimization – Group** policy. - -12. On the **Scope** tab, under **Security Filtering**, configure the policy to be targeted to an approprite computer group. - -**To use Intune to configure Delivery Optimization for group download mode** - -1. 
Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. - -5. In **Setting name**, type **Set Delivery Optimization to Group**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode**. - -7. In the **Value** box, type **2**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - -8. Click **Save Policy**. - -9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -10. In the **Manage Deployment** dialog box, select the **All Computers** group, click **Add**, and then click **OK**. - -### Use WSUS and BranchCache with Windows 10, version 1511 - -In Windows 10, version 1511, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **HTTP only** download mode, which results in Background Intelligent Transfer Service (BITS) being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available. 
- -**To use Group Policy to configure HTTP only download mode** - -1. Open Group Policy Management Console (GPMC). - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – HTTP Only**. - -5. Right-click the **Delivery Optimization – HTTP Only** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization. - -7. Right-click the **Download Mode** setting, and then click **Edit**. - -8. Enable the policy, and then select the **HTTP only** download mode. - -9. Click **OK**, and then close the Group Policy Management Editor. - -10. In GPMC, select the **Delivery Optimization – HTTP Only** policy. - -11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, browse to the **Domain Computers** group, and then click **OK**. - - ![example of UI](images/waas-do-fig4.png) - - >[!NOTE] - >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group. - -### Use WSUS and BranchCache with Windows 10, version 1607 - -In Windows 10, version 1607, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **Bypass** download mode (new in Windows 10, version 1607), which results in BITS being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available. - -**To use Group Policy to enable the Bypass download mode** - -1. 
Open Group Policy Management Console (GPMC). - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Bypass**. - -5. Right-click the **Delivery Optimization – Bypass** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization. - -7. Right-click the **Download Mode** setting, and then click **Edit**. - -8. Enable the policy, and then select the **Bypass** download mode. (Note that this download mode is only present in the Windows 10, version 1607, Group Policy ADMX files.) - -9. Click **OK**, and then close the Group Policy Management Editor. - -10. In GPMC, select the **Delivery Optimization – Bypass** policy. - -11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, select the **Domain Computers** group, and then click **OK**. - - >[!NOTE] - >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group. - -### Set “preferred” cache devices for Delivery Optimization +## Set “preferred” cache devices for Delivery Optimization In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content). From 776a2277ab471128dfb390cb068013897cc2e706 Mon Sep 17 00:00:00 2001 
From: Thomas Vuylsteke Date: Thu, 16 Feb 2017 10:52:24 +0100 Subject: [PATCH 06/44] Update domain-controller-ldap-server-signing-requirements.md This article, and also the "legacy" one (https://technet.microsoft.com/en-us/library/jj852234(v=ws.11).aspx ) suffer both the confusing wording covering the relation between this setting and LDAP Simple Binds. I blogged about this a while ago: http://setspn.blogspot.be/2016/09/domain-controller-ldap-server-signing.html And now I'm trying to get this one corrected. Made an edit. But maybe there's still room for improvement. --- .../domain-controller-ldap-server-signing-requirements.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md index 10001b50e6..9ef4617e9f 100644 --- a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md +++ b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md 
@@ -22,9 +22,9 @@ This policy setting determines whether the Lightweight Directory Access Protocol Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult. -This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. +This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636). -If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. +If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389). >**Caution:**  If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.   From d94ef0ea6dd48ae6cf8c09286de78534f0f7b9b8 Mon Sep 17 00:00:00 2001 From: jamiejdt Date: Thu, 16 Feb 2017 10:49:43 -0800 Subject: [PATCH 07/44] Add support statement for SQL Server 2012 SP3 --- .../mbam-25-supported-configurations.md | 33 +++---------------- 1 file changed, 5 insertions(+), 28 deletions(-) diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md index 8f148097cf..888cd863a1 100644 --- a/mdop/mbam-v25/mbam-25-supported-configurations.md +++ b/mdop/mbam-v25/mbam-25-supported-configurations.md 
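Review bot: In the domain-controller-ldap-server-signing-requirements.md hunk, both replacement sentences hang the port number on the wrong part of the sentence: "are rejected (LDAP TCP/389)" reads as if the port describes the rejection rather than the bind. Suggest moving the qualifier next to the bind, for example "LDAP simple binds over a connection that is not protected by SSL (TCP/389) are rejected", and phrasing the first sentence the same way so the pair reads as one rule: simple binds through SSL on TCP/636 are unaffected, simple binds without SSL are refused once signing is required. It would also help to point from these two sentences to the Caution that follows, since that is where the reader learns the client side must be configured too.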
@@ -287,11 +287,6 @@ MBAM supports the following versions of Configuration Manager.

    64-bit

    - -

    Microsoft System Center 2012 R2 Configuration Manager

    -

    -

    64-bit

    -

    Microsoft System Center 2012 Configuration Manager

    SP1

    @@ -301,13 +296,9 @@ MBAM supports the following versions of Configuration Manager.

    Microsoft System Center Configuration Manager 2007 R2 or later

    SP1 or later

    64-bit

    -
    -Note   -

    Although Configuration Manager 2007 R2 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software.

    -
    -
    -  -
    + +>**Note** Although Configuration Manager 2007 R2 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software. + @@ -349,29 +340,15 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll

    Standard, Enterprise, or Datacenter

    SP1

    64-bit

    - - -

    Microsoft SQL Server 2014

    -

    Standard, Enterprise, or Datacenter

    -

    -

    64-bit

    - - -

    Microsoft SQL Server 2012

    -

    Standard, Enterprise, or Datacenter

    -

    SP2

    -

    64-bit

    -

    Microsoft SQL Server 2012

    Standard, Enterprise, or Datacenter

    -

    SP1

    +

    SP3

    64-bit

    -

    Microsoft SQL Server 2008 R2

    Standard or Enterprise

    -

    SP1, SP2, SP3

    +

    SP3

    64-bit
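Review bot: The subject says this adds a support statement for SQL Server 2012 SP3, but the diffstat is 5 insertions against 28 deletions and, as the hunks read here, they remove more than they add: the System Center 2012 R2 Configuration Manager row, the SQL Server 2014 row and the SQL Server 2012 SP2 row are deleted, SQL Server 2012 SP1 is replaced by SP3 rather than joined by it, and SQL Server 2008 R2 goes from "SP1, SP2, SP3" to "SP3" only. If dropping those configurations from the supported list is intended, the commit message should say so; if not, add SP3 alongside the existing entries instead of replacing them.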

    From 6cbc38252ba57490c940f053f127a4e1bc9820e9 Mon Sep 17 00:00:00 2001 From: jamiejdt Date: Thu, 16 Feb 2017 11:21:13 -0800 Subject: [PATCH 08/44] Default import size for Config File is 4MB. Document how to override for Config FIles >4MB --- ...lication-extensions-by-using-the-management-console-51.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md b/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md index 1a49736c59..34ae20a4f8 100644 --- a/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md +++ b/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md 
@@ -29,7 +29,10 @@ Use the following procedure to view and configure default package extensions. 5. To edit other application extensions, modify the configuration file and click **Import and Overwrite this Configuration**. Select the modified file and click **Open**. In the dialog box, click **Overwrite** to complete the process. - **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). +>**Note** If the upload fails and the size of your configuration file is above 4MB, you will need to increase the maximum file size allowed by the server. This can be done by adding the maxRequestLength attribute with a value greater than the size of your configuration file (in KB) to the httpRuntime element on line 26 of C:\Program Files\Microsoft Application Virtualization Server\ManagementService\Web.config. For example, changing' ' to '' will increase the maximum size to 8MB + + +**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). ## Related topics From b0107d3f8f729e0f69a759d019f50830f31f61f6 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 16 Feb 2017 12:01:39 -0800 Subject: [PATCH 09/44] fixes --- windows/deploy/configure-a-pxe-server-to-load-windows-pe.md | 3 +++ windows/deploy/windows-10-poc-sc-config-mgr.md | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md index 9591616e9d..f0830b38a4 100644 --- a/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md 
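Review bot: In the App-V how-to-view-and-configure-applications hunk, the example that closes the added Note has nothing between its quotation marks ("changing' ' to ''"), so the reader never sees the httpRuntime element before and after the change; if the values are raw XML they need to be wrapped in a code span so they survive rendering. "Line 26" of Web.config is also a fragile pointer, naming the httpRuntime element is enough, and the sentence is missing its final period. Because maxRequestLength raises the request size the Management Service will accept, the note should advise a value only slightly above the configuration file size rather than any larger number.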
+++ b/windows/deploy/configure-a-pxe-server-to-load-windows-pe.md @@ -163,6 +163,9 @@ ramdisksdidevice boot ramdisksdipath \boot\boot.sdi ``` +>[!TIP] +>If you start the PXE boot process, but receive the error that "The boot configuration data for your PC is missing or contains errors" then verify that \\boot directory is installed under the correct TFTP server root directory. In the example used here the name of this directory is TFTPRoot, but your TFTP server might be different. + ## PXE boot process summary The following summarizes the PXE client boot process. diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md index d9278a15c5..5d553fb969 100644 --- a/windows/deploy/windows-10-poc-sc-config-mgr.md +++ b/windows/deploy/windows-10-poc-sc-config-mgr.md @@ -163,8 +163,8 @@ Topics and procedures in this guide are summarized in the following table. An es adsiedit.msc ``` -6. Right-click **ADSI Edit**, click **Connect to**, select **Default** under **Computer** and then click **OK**. -7. Expand **Default naming context**>**DC=contoso,DC=com**, right-click **CN=System**, point to **New**, and then click **Object**. +6. Right-click **ADSI Edit**, click **Connect to**, select **Default (Domain or server that you logged in to)** under **Computer** and then click **OK**. +7. Expand **Default naming context**>**DC=contoso,DC=com**, and then in the console tree right-click **CN=System**, point to **New**, and then click **Object**. 8. Click **container** and then click **Next**. 9. Next to **Value**, type **System Management**, click **Next**, and then click **Finish**. 10. Right-click **CN=system Management** and then click **Properties**. 
@@ -194,7 +194,7 @@ Topics and procedures in this guide are summarized in the following table. An es - **Settings Summary**: Review settings and click **Next**. - **Prerequisite Check**: No failures should be listed. Ignore any warnings and click **Begin Install**. - >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored. + >There should be at most three warnings present: WSUS on site server, configuration for SQL Server memory usage, and SQL Server process memory allocation. These warnings can safely be ignored in this test environment. Depending on the speed of the Hyper-V host and resources allocated to SRV1, installation can require approximately one hour. Click **Close** when installation is complete. From ff7c062b3a97e0516d44915de530ca505790039c Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 16 Feb 2017 12:10:58 -0800 Subject: [PATCH 10/44] fixes --- windows/plan/windows-10-infrastructure-requirements.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/plan/windows-10-infrastructure-requirements.md b/windows/plan/windows-10-infrastructure-requirements.md index d92c0e8afd..ff50a10a6c 100644 --- a/windows/plan/windows-10-infrastructure-requirements.md +++ b/windows/plan/windows-10-infrastructure-requirements.md 
@@ -43,6 +43,8 @@ For System Center Configuration Manager, Windows 10 support is offered with var | System Center Configuration Manager 2012 | Yes, with SP2 and CU1 | Yes, with SP2, CU1, and the ADK for Windows 10 | | System Center Configuration Manager 2012 R2 | Yes, with SP1 and CU1 | Yes, with SP1, CU1, and the ADK for Windows 10 | + +>Note: Configuration Manager 2012 supports Windows 10 version 1507 (build 10.0.10240) and 1511 (build 10.0.10586) for the lifecycle of these builds. Future releases of Windows 10 CB/CBB are not supported With Configuration Manager 2012, and will require System Center Configuration Manager current branch for supported management.   For more details about System Center Configuration Manager support for Windows 10, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). From 8e511f5c254f7a0b45d94b7e708b2394883ebadc Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 16 Feb 2017 12:22:14 -0800 Subject: [PATCH 11/44] fix cortana link --- .../group-policies-for-enterprise-and-education-editions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index 40c5250e62..0eb86b635e 100644 --- a/windows/manage/group-policies-for-enterprise-and-education-editions.md +++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md 
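Review bot: In the windows-10-infrastructure-requirements.md hunk, the added note capitalizes "With" mid-sentence ("are not supported With Configuration Manager 2012") and uses a bare ">Note:" prefix, while the other topics touched in this series use ">[!NOTE]" or ">**Note**"; use one of those forms so the note renders consistently.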
@@ -28,7 +28,7 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W | **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | | **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

    User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). | | **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app

    User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](manage-access-to-private-store.md) | -| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](manage-cortana-in-enterprise.md) | +| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](cortana-at-work-overview.md) | From cb6889d2e87502d60dbaf7d4dcac121c94799da1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 16 Feb 2017 14:46:42 -0800 Subject: [PATCH 12/44] update toc order --- windows/keep-secure/TOC.md | 43 +++++++++++++++++++++++++++++++++----- 1 file changed, 38 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 3a3d3bcda1..374e888b9b 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -722,6 +722,7 @@ #### [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md) ### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) #### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) +#### [Preview features and updates](preview-windows-defender-advanced-threat-protection.md) #### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) #### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) 
@@ -735,21 +736,53 @@ ##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) #### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) #### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) -##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) ##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) ##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) +###### [Alert process tree](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) +###### [Incident graph](investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph) +###### [Alert timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) ##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) ##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) +##### [View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) +###### [Search for specific alerts](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts) +###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) +###### [Export machine timeline 
events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) +###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) +##### [Investigate a user account](investigate-user-entity-windows-defender-advanced-threat-protection.md) ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) -#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md) +#### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md) +##### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) +###### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) +###### [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation) +###### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) +###### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +##### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) +###### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) +###### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) +###### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) +###### [Check activity details in Action 
center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) +###### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) +####### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) +####### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) +####### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) #### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) ##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) ##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -#### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) +#### [Check sensor status](check-sensor-status-windows-defender-advanced-threat-protection.md) +##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) +###### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) +###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) +#### [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) +##### [Update general settings](general-settings-windows-defender-advanced-threat-protection.md) +##### [Turn on advanced 
features](advanced-features-windows-defender-advacned-threat-protection.md) +##### [Turn on preview experience](preview-settings-windows-defender-advanced-threat-protection.md) +##### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) +#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) +#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md) #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) #### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) From ca23d271824246f5840e61c1e2c8ec7a97ec8929 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 16 Feb 2017 14:52:56 -0800 Subject: [PATCH 13/44] Revert "update toc order" This reverts commit cb6889d2e87502d60dbaf7d4dcac121c94799da1. --- windows/keep-secure/TOC.md | 43 +++++--------------------------------- 1 file changed, 5 insertions(+), 38 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 374e888b9b..3a3d3bcda1 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -722,7 +722,6 @@ #### [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md) ### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) #### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) -#### [Preview features and updates](preview-windows-defender-advanced-threat-protection.md) #### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) #### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md) #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) 
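Review bot: the removed line in this hunk drops `#### [Preview features and updates](preview-windows-defender-advanced-threat-protection.md)` from the Windows Defender ATP section, which goes beyond the "toc order" named in the commit subject. If that page stays in the repository after the revert it no longer has a TOC entry; either keep the entry or say in the commit message that the preview page is being unlisted on purpose.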
@@ -736,53 +735,21 @@ ##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) #### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) #### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) -##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) +##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) ##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) ##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -###### [Alert process tree](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) -###### [Incident graph](investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph) -###### [Alert timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) +##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) ##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) ##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) -##### [View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) -###### [Search for specific alerts](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts) -###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) -###### [Export machine timeline 
events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events) -###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages) -##### [Investigate a user account](investigate-user-entity-windows-defender-advanced-threat-protection.md) ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) -#### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md) -##### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) -###### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) -###### [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation) -###### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) -###### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -##### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) -###### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) -###### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) -###### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) -###### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) -###### [Deep 
analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) -####### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) -####### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) -####### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) +#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) +#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md) #### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) ##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) ##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) -#### [Check sensor status](check-sensor-status-windows-defender-advanced-threat-protection.md) -##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) -###### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines) -###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines) -#### [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) -##### [Update general settings](general-settings-windows-defender-advanced-threat-protection.md) -##### [Turn on advanced features](advanced-features-windows-defender-advacned-threat-protection.md) -##### [Turn on preview 
experience](preview-settings-windows-defender-advanced-threat-protection.md) -##### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) -#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) -#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md) +#### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) #### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) From efcfec78dda9220fab392e08f9e8e0dce2d37816 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 16 Feb 2017 17:27:05 -0800 Subject: [PATCH 14/44] fixes --- .../deploy/windows-10-poc-sc-config-mgr.md | 101 ++++++++++-------- 1 file changed, 57 insertions(+), 44 deletions(-) diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md index 5d553fb969..ff0b497b45 100644 --- a/windows/deploy/windows-10-poc-sc-config-mgr.md +++ b/windows/deploy/windows-10-poc-sc-config-mgr.md 
@@ -207,7 +207,7 @@ Topics and procedures in this guide are summarized in the following table. An es ## Download MDOP and install DaRT -1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso) to the C:\VHD directory on the Hyper-V host. +1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. 2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: 
@@ -292,19 +292,19 @@ This section contains several procedures to support Zero Touch installation with 2. In the System Center Configuration Manager console, in the **Administration** workspace, click **Distribution Points**. 3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**. 4. On the PXE tab, select the following settings: - - Enable PXE support for clients. Click **Yes** in the popup that appears. - - Allow this distribution point to respond to incoming PXE requests - - Enable unknown computer support. Click **OK** in the popup that appears. - - Require a password when computers use PXE - - Password and Confirm password: pass@word1 - - Respond to PXE requests on specific network interfaces: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. + - **Enable PXE support for clients**. Click **Yes** in the popup that appears. + - **Allow this distribution point to respond to incoming PXE requests** + - **Enable unknown computer support**. Click **OK** in the popup that appears. + - **Require a password when computers use PXE** + - **Password** and **Confirm password**: pass@word1 + - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure. See the following example: Config Mgr PXE 5. Click **OK**. -6. Type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: +6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: ``` cmd /c dir /b C:\RemoteInstall\SMSBoot\x64 
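Review bot: in step 6, "Wait for a minute" gives the reader nothing to check against; say what the wait is for, for example that the listed files have appeared under C:\RemoteInstall\SMSBoot\x64. In the PXE tab list, the value in `**Password** and **Confirm password**: pass@word1` is left unbolded, while the task sequence Details list later in this patch bolds it (`Password: **pass@word1**`); pick one style. The same literal password is used here for PXE and later for the contoso\CM_JD join account and the local Administrator account, so a short remark that these are lab-only values would help readers who carry the steps outside the test lab.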
@@ -340,7 +340,7 @@ This section contains several procedures to support Zero Touch installation with >You can open C:\Sources\OSD\Branding\contoso.bmp in MSPaint.exe if desired to customize this image. -## Create a boot image for Configuration Manager +### Create a boot image for Configuration Manager 1. In the Configuration Manager console, in the **Software Library** workspace, expand **Operating Systems**, right-click **Boot Images**, and then click **Create Boot Image using MDT**. 2. On the Package Source page, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Boot\Zero Touch WinPE x64**, and then click **Next**. 
@@ -357,13 +357,15 @@ This section contains several procedures to support Zero Touch installation with ``` Invoke-Item 'C:\Program Files\Microsoft Configuration Manager\tools\cmtrace.exe' ``` - >In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: + + In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: - ``` - STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C) - ``` -11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Doublt-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. -12. In the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab. + ``` + STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C) + ``` + +11. 
You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. +12. Next, in the **Software Library** workspace, double-click **Zero Touch WinPE x64** and then click the **Data Source** tab. 13. Select the **Deploy this boot image from the PXE-enabled distribution point** checkbox, and click **OK**. 14. Review the distmgr.log file again for "**STATMSG: ID=2301**" and verify that there are three folders under **C:\RemoteInstall\SMSImages** with boot images. See the following example: @@ -380,7 +382,7 @@ This section contains several procedures to support Zero Touch installation with >The first two images (*.wim files) are default boot images. The third is the new boot image with DaRT. -## Create a Windows 10 reference image +### Create a Windows 10 reference image If you have already completed steps in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then you have already created a Windows 10 reference image. In this case, skip to the next procedure in this guide: [Add a Windows 10 operating system image](#add-a-windows-10-operating-system-image). If you have not yet created a Windows 10 reference image, complete the steps in this section. 
@@ -534,7 +536,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi This step requires from 30 minutes to 2 hours, depending on the speed of the Hyper-V host and your network's download speed. After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep. The image is located in the C:\MDTBuildLab\Captures folder on SRV1. The file name is **REFW10X64-001.wim**. -## Add a Windows 10 operating system image +### Add a Windows 10 operating system image 1. Type the following commands at an elevated Windows PowerShell prompt on SRV1: 
@@ -553,11 +555,11 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 6. In the Distribute Content Wizard, click **Next**, click **Add**, click **Distribution Point**, add the **SRV1.CONTOSO.COM** distribution point, click **OK**, click **Next** twice and then click **Close**. -7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar, click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. +7. Enter **\Monitoring\Overview\Distribution Status\Content Status** on the location bar (be sure there is no space at the end of the location or you will get an error), click **Windows 10 Enterprise x64**, and monitor the status of content distribution until it is successful and no longer in progress. Refresh the view with the F5 key or by right-clicking **Windows 10 Enterprise x64** and clicking **Refresh**. Processing of the image on the site server can take several minutes. >If content distribution is not successful, verify that sufficient disk space is available. -## Create a task sequence +### Create a task sequence >Complete this section slowly. There are a large number of similar settings from which to choose. @@ -567,37 +569,37 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 3. On the General page, type **Windows 10 Enterprise x64** under **Task sequence name:** and then click **Next**. -4. On the Details page, enter the following settings:
    - - Join a domain: contoso.com
    - - Account: click **Set**
    - - User name: contoso\CM_JD
    - - Password: pass@word1
    - - Confirm password: pass@word1
    - - Click **OK**
    - - Windows Settings
    - - User name: Contoso
    - - Organization name: Contoso
    - - Product key: \
    - - Administrator Account: Enable the account and specify the local administrator password
    - - Password: pass@word1
    - - Confirm password: pass@word1
    - - Click Next
    +4. On the Details page, enter the following settings: + - Join a domain: **contoso.com** + - Account: click **Set** + - User name: **contoso\CM_JD** + - Password: **pass@word1** + - Confirm password: **pass@word1** + - Click **OK** + - Windows Settings + - User name: **Contoso** + - Organization name: **Contoso** + - Product key: \ + - Administrator Account: **Enable the account and specify the local administrator password** + - Password: **pass@word1** + - Confirm password: **pass@word1** + - Click **Next** 5. On the Capture Settings page, accept the default settings and click **Next**. -6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package and then click **Next**. +6. On the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package, click **OK**, and then click **Next**. -7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT 2013**, and then click **Next**. +7. On the MDT Package page, select **Create a new Microsoft Deployment Toolkit Files package**, under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\MDT\MDT** (MDT is repeated here, not a typo), and then click **Next**. -8. On the MDT Details page, next to **Name:** type **MDT 2013** and then click **Next**. +8. On the MDT Details page, next to **Name:** type **MDT** and then click **Next**. -9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, and then click **Next**. +9. On the OS Image page, browse and select the **Windows 10 Enterprise x64** package, click **OK**, and then click **Next**. 10. On the Deployment Method page, accept the default settings for **Zero Touch Installation** and click **Next**. -11. 
On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package** and then click **Next**. +11. On the Client Package page, browse and select the **Microsoft Corporation Configuration Manager Client package**, click **OK**, and then click **Next**. -12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 8 10.0.14393.0** package, and then click **Next**. +12. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0** package, click **OK**, and then click **Next**. 13. On the Settings Package page, select **Create a new settings package**, and under **Package source folder to be created (UNC Path):**, type **\\\SRV1\Sources$\OSD\Settings\Windows 10 x64 Settings**, and then click **Next**. @@ -640,7 +642,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi - Click **OK**
    . -## Finalize the operating system configuration +### Finalize the operating system configuration >If you completed all procedures in [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) then the MDT deployment share is already present on SRV1. In this case, skip the first four steps below and begin with step 5 to edit CustomSettings.ini. @@ -670,7 +672,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi [Settings] Priority=Default Properties=OSDMigrateConfigFiles,OSDMigrateMode - + [Default] DoCapture=NO ComputerBackupLocation=NONE @@ -681,6 +683,14 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi EventService=http://SRV1:9800 ApplyGPOPack=NO ``` + + >As noted previously, if you wish to migrate accounts other than those in the Contoso domain, then change the OSDMigrateAdditionalCaptureOptions option. For example, the following option will capture settings from all user accounts: + + ``` + OSDMigrateAdditionalCaptureOptions=/all + ``` + + 7. Return to the Configuration Manager console, and in the Software Library workspace, expand **Application Management**, click **Packages**, right-click **Windows 10 x64 Settings**, and then click **Update Distribution Points**. Click **OK** in the popup that appears. 8. In the Software Library workspace, expand **Operating Systems**, click **Task Sequences**, right-click **Windows 10 Enterprise x64**, and then click **Distribute Content**. @@ -705,6 +715,8 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi ## Deploy Windows 10 using PXE and Configuration Manager +In this first deployment scenario, we will deploy Windows 10 using PXE. This scenario creates a new computer that does not have any migrated users or settings. + 1. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: ``` 
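Review bot: the added `>As noted previously, ...` blockquote in the CustomSettings.ini step sits directly above a fenced block, which is the pattern this same patch removes in the distmgr.log step, where `>In the trace tool, ...` became plain indented text. Use indented plain text here as well so the `OSDMigrateAdditionalCaptureOptions=/all` fence stays inside the numbered step. The hunk also adds two consecutive blank lines before step 7; one is enough.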
@@ -718,7 +730,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi 3. In the Task Sequence Wizard, provide the password: **pass@word1**, and then click **Next**. -4. Before you click Next in the Task Sequence Wizard, press the **F8** key. A command prompt will open. +4. Before you click **Next** in the Task Sequence Wizard, press the **F8** key. A command prompt will open. 5. At the command prompt, type **explorer.exe** and review the Windows PE file structure. @@ -745,6 +757,7 @@ If you have already completed steps in [Deploy Windows 10 in a test lab using Mi - Join the computer to the contoso.com domain - Install any applications that were specified in the reference image + 12. When Windows 10 installation has completed, sign in to PC4 using the **contoso\administrator** account. 13. Right-click **Start**, click **Run**, type **control appwiz.cpl**, press ENTER, click Turn Windows features on or off, and verify that **.NET Framework 3.5 (includes .NET 2.0 and 3.0)** is installed. This is a feature included in the reference image. @@ -927,7 +940,7 @@ vmconnect localhost PC1 - Task sequence comments: **USMT backup only** 4. Click **Next**, and on the Boot Image page, browse and select the **Zero Touch WinPE x64** boot image package. Click **OK** and then click **Next** to continue. -5. On the MDT Package page, browse and select the **MDT 2013** package. Click **OK** and then click **Next** to continue. +5. On the MDT Package page, browse and select the **MDT** package. Click **OK** and then click **Next** to continue. 6. On the USMT Package page, browse and select the **Microsoft Corporation User State Migration Tool for Windows** package. Click **OK** and then click **Next** to continue. 7. On the Settings Package page, browse and select the **Windows 10 x64 Settings** package. Click **OK** and then click **Next** to continue. 8. On the Summary page, review the details and then click **Next**. 
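Review bot: the rename from **MDT 2013** to **MDT** is carried through to step 5 of this last hunk, but the USMT package name is not aligned: step 12 of "Create a task sequence" now reads `Microsoft Corporation User State Migration Tool for Windows 10.0.14393.0`, while step 6 in this hunk's context still says `Microsoft Corporation User State Migration Tool for Windows` with no version. Use the same package name in both places so readers can match it in the browse dialog.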
From b3dff896604b09450a3d01e609ff34c1b7ca8ddc Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 16 Feb 2017 18:15:35 -0800 Subject: [PATCH 15/44] waas-DO - changes following PM review --- windows/manage/waas-delivery-optimization.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index 0090502c90..fcaf02a4f4 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md 
@@ -55,13 +55,16 @@ When configuring Delivery Optimization on Windows 10 devices, the first and most While every other feature setting is optional, they offer enhanced control of the Delivery Optimization behavior. -[Group ID](#group-id) enables administrators to create custom device groups that will share content between devices in the group. +[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group. -Delivery Optimization uses locally cached updates. In cases where devices have limited local storage space, or if you would rather control cache usage, various settings can be used to control that: +Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the settings below to adjust the Delivery Optimization cache to suit your scenario: - [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use. - [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache. - The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location. +>[!NOTE] +>It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices). + There are additional options available to robustly control the impact Delivery Optimization has on your network: - [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization. 
- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. @@ -129,6 +132,7 @@ This setting allows for an alternate Delivery Optimization cache location on the This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB. + ## Set “preferred” cache devices for Delivery Optimization In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content). From 8d94c01124b675c61573382797f09f9a2889c1ae Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 17 Feb 2017 09:49:18 -0800 Subject: [PATCH 16/44] Fixed dism command - the word syntax was displaying --- windows/keep-secure/credential-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 9d3a33d12c..0303e6b968 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -178,11 +178,11 @@ You can do this by using either the Control Panel or the Deployment Image Servic 1. Open an elevated command prompt. 2. Add the Hyper-V Hypervisor by running the following command: - ``` syntax + ``` dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all ``` 3. Add the Isolated User Mode feature by running the following command: - ``` syntax + ``` dism /image: /Enable-Feature /FeatureName:IsolatedUserMode ``` 
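Review bot: in windows/manage/waas-delivery-optimization.md (PATCH 15/44), the added NOTE links to `#set-preferred-cache-devices`, but the heading shown in that patch's second hunk is `## Set “preferred” cache devices for Delivery Optimization`, whose generated anchor would include the trailing words (`#set-preferred-cache-devices-for-delivery-optimization`). Unless an explicit anchor is defined outside these hunks, point the link at the full heading slug. The added phrase `combined with Group [Download mode](#download-mode)` also reads awkwardly; "when [Download mode](#download-mode) is set to Group" would be clearer.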
From 8d17f3496bfeed4d2bdd837358ad044a2cc1625c Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Fri, 17 Feb 2017 13:04:18 -0800 Subject: [PATCH 17/44] waas-optimize changed sccm client peer cache note --- windows/manage/waas-optimize-windows-10-updates.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/manage/waas-optimize-windows-10-updates.md index 08251d8c02..a692f9ef34 100644 --- a/windows/manage/waas-optimize-windows-10-updates.md +++ b/windows/manage/waas-optimize-windows-10-updates.md 
@@ -40,9 +40,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10. | BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) | >[!NOTE] ->Starting with preview version 1604, System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage in the same Configuration Manager boundary group. This is expected to be available in later Configuration Manager current branch releases. +>System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache). > ->In addition to client content sharing, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt613173.aspx). +>In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. 
Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/library/mt613173.aspx). ## Express update delivery From a9d7e872526b6637c0f318337e36a4f425221f49 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 17 Feb 2017 14:28:12 -0800 Subject: [PATCH 18/44] Clarified how -UserPEs relates to UMCI (Option 0) --- ...e-integrity-policies-policy-rules-and-file-rules.md | 10 ++++++---- .../deploy-code-integrity-policies-steps.md | 8 ++++---- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md index e61e798a6f..e1046621fc 100644 --- a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md +++ b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md 
@@ -14,7 +14,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see: +Code integrity policies provide control over a computer running Windows 10 by specifying whether a driver or application is trusted and can be run. For an overview of code integrity, see: - [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) in "Introduction to Device Guard: virtualization-based security and code integrity policies." - [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Device Guard." 
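Review bot: The rewritten opening sentence in the @@ -14,7 hunk scopes code integrity policies to "a computer running Windows 10", while the applies-to list in the context lines directly above it names both Windows 10 and Windows Server 2016. Name both operating systems or drop the OS from the sentence so that the scope matches the list. The change from "application" to "driver or application" is worth keeping as written.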
@@ -23,7 +23,7 @@ If you already understand the basics of code integrity policy and want procedure This topic includes the following sections: - [Overview of the process of creating code integrity policies](#overview-of-the-process-of-creating-code-integrity-policies): Helps familiarize you with the process described in this and related topics. -- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether UMCI is enabled in a code integrity policy. +- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether user mode code integrity (UMCI) is enabled in a code integrity policy. - [Code integrity file rule levels](#code-integrity-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted. - [Example of file rule levels in use](#example-of-file-rule-levels-in-use): Gives an example of how file rule levels can be applied. 
@@ -31,7 +31,7 @@ This topic includes the following sections: A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). -> **Note**  Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to C:\\Windows\\System32\\CodeIntegrity. Keep this in mind when you create your code integrity policies. +> **Note**  Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to **C:\\Windows\\System32\\CodeIntegrity** and, for UEFI computers, **<EFI System Partition>\\Microsoft\\Boot**. Keep this in mind when you create your code integrity policies. Optionally, code integrity policies can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. 
This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed. @@ -43,10 +43,12 @@ Code integrity policies include *policy rules*, which control options such as au To modify the policy rule options of an existing code integrity policy, use the [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) Windows PowerShell cmdlet. Note the following examples of how to use this cmdlet to add and remove a rule option on an existing code integrity policy: -- To enable UMCI, add rule option 0 to an existing policy by running the following command: +- To ensure that UMCI is enabled for a code integrity policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command: ` Set-RuleOption -FilePath -Option 0` + Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Device Guard will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option. + - To disable UMCI on an existing code integrity policy, delete rule option 0 by running the following command: ` Set-RuleOption -FilePath -Option 0 -Delete` diff --git a/windows/keep-secure/deploy-code-integrity-policies-steps.md b/windows/keep-secure/deploy-code-integrity-policies-steps.md index 2febd90862..82ce96bb82 100644 
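Review bot: The first bullet of the @@ -43,10 hunk tells the reader to add rule option 0 to a policy "that was created with the `-UserPEs` (user mode) option", but the steps topic changed in this same patch says that specifying -UserPEs adds rule option 0 Enabled:UMCI automatically, so the command is redundant for exactly the case the bullet names. Reword the bullet to say when option 0 has to be added by hand (for example, after it was removed with the `-Delete` form in the next bullet), and move the caution about policies created without `-UserPEs` ahead of the command, because the added text itself says that in enforced mode such a policy blocks the application. The phrase "Device Guard will see that the application is not on its list ... and respond" is vague until the following sentence explains it; state the audit and enforced outcomes directly. As shown, both `Set-RuleOption -FilePath -Option 0` commands have no value after `-FilePath`; show a placeholder path there.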
--- a/windows/keep-secure/deploy-code-integrity-policies-steps.md +++ b/windows/keep-secure/deploy-code-integrity-policies-steps.md @@ -38,11 +38,11 @@ To create a code integrity policy, copy each of the following commands into an e > **Notes** - > - By specifying the *–UserPEs* parameter, rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. If you do not specify this parameter, to enable UMCI, use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) as shown in the following command:
    **Set-RuleOption -FilePath $InitialCIPolicy -Option 0** + > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. + + > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” - > - You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” - - > - To specify that the code integrity policy scan only a specific drive, include the *–ScanPath* parameter followed by a path. Without this parameter, the entire system is scanned. + > - To specify that the code integrity policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned. 
> - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. From 87dc84d81a5a375794265ca4308f1a9a6ae92772 Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Fri, 17 Feb 2017 15:08:43 -0800 Subject: [PATCH 19/44] Add Windows Libraries topic --- windows/manage/TOC.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index f5417ba0f7..70f2e9290f 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md @@ -162,6 +162,7 @@ ### [Troubleshooting App-V](appv-troubleshooting.md) ### [Technical Reference for App-V](appv-technical-reference.md) #### [Performance Guidance for Application Virtualization](appv-performance-guidance.md) + #### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) #### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md) #### [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) @@ -221,4 +222,5 @@ #### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md) #### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md) ### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md) +## [Windows Libraries](windows-libraries.md) ## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md) From 8fc55f52aaac0c7a8c50bc249b66bfc2e62e76f1 Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Fri, 17 Feb 2017 15:17:57 -0800 Subject: [PATCH 20/44] Added Windows Libraries --- windows/manage/index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/manage/index.md b/windows/manage/index.md index 61fd0bf61e..bdb730b559 100644 --- a/windows/manage/index.md 
+++ b/windows/manage/index.md @@ -72,6 +72,10 @@ Learn about managing and updating Windows 10.

    [Windows Store for Business](windows-store-for-business.md)

    Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.

    + +

    [Windows Libraries](windows-libraries.md)

    +

    Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music).

    +

    [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)

    This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).

    From 3acabd95d597dd22cf46c8fa91a7935e17379ea4 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 17 Feb 2017 15:20:35 -0800 Subject: [PATCH 21/44] fmt change for consistency --- windows/keep-secure/deploy-code-integrity-policies-steps.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/deploy-code-integrity-policies-steps.md b/windows/keep-secure/deploy-code-integrity-policies-steps.md index 82ce96bb82..19608b040d 100644 --- a/windows/keep-secure/deploy-code-integrity-policies-steps.md +++ b/windows/keep-secure/deploy-code-integrity-policies-steps.md 
@@ -40,7 +40,7 @@ To create a code integrity policy, copy each of the following commands into an e > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. - > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” + > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” > - To specify that the code integrity policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned. From 506e7465775b9d21595cbc9925d5926305fff845 Mon Sep 17 00:00:00 2001 
From: Jason Gerend Date: Fri, 17 Feb 2017 15:34:46 -0800 Subject: [PATCH 22/44] Added Windows Libraries --- .../manage/change-history-for-manage-and-update-windows-10.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index dcbdb109c3..13a0de7e4f 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | New or changed topic | Description | | --- | --- | +| [Windows Libraries](windows-libraries.md) | New | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New | | [Get started with Update Compliance](update-compliance-get-started.md) | New | | [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New | @@ -185,4 +186,4 @@ The topics in this library have been updated for Windows 10, version 1607 (also [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) -  \ No newline at end of file +  From 39c722ff6c447c5ba008ba7b76293661e41e0502 Mon Sep 17 00:00:00 2001 
From: jdeckerMS Date: Tue, 21 Feb 2017 07:53:05 -0800 Subject: [PATCH 23/44] update author fields --- education/windows/change-history-edu.md | 2 +- education/windows/get-minecraft-for-education.md | 2 +- education/windows/school-get-minecraft.md | 2 +- education/windows/set-up-school-pcs-technical.md | 2 +- education/windows/set-up-students-pcs-to-join-domain.md | 2 +- education/windows/set-up-students-pcs-with-apps.md | 2 +- education/windows/set-up-windows-10.md | 2 +- education/windows/take-a-test-app-technical.md | 2 +- education/windows/take-a-test-multiple-pcs.md | 2 +- education/windows/take-a-test-single-pc.md | 2 +- education/windows/take-tests-in-windows-10.md | 2 +- education/windows/teacher-get-minecraft.md | 2 +- education/windows/use-set-up-school-pcs-app.md | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index 0bc2dc5bbc..e83f98b49f 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Change history for Windows 10 for Education diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 200b8a1ce9..91345b72c1 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -5,7 +5,7 @@ keywords: school ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: jdeckerMS +author: trudyha --- # Get Minecraft: Education Edition diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 8668054826..421bd5533b 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md 
@@ -5,7 +5,7 @@ keywords: ["school"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: jdeckerMS +author: trudyha --- # For IT administrators - get Minecraft: Education Edition diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 0eabc87c57..bb0dc144ae 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Technical reference for the Set up School PCs app diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 90829321ad..1c3d6361e1 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -5,7 +5,7 @@ keywords: ["shared cart", "shared PC", "school"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: jdeckerMS +author: CelesteDG --- # Set up student PCs to join domain diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 04e110de10..55da4e77f5 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -5,7 +5,7 @@ keywords: ["shared cart", "shared PC", "school"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: jdeckerMS +author: CelesteDG --- # Provision student PCs with apps diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index fe7767a997..16a30c38bc 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Provisioning options for Windows 10 
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 7e3ed9ca0b..32d45fb353 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Take a Test app technical reference diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 2eb0b2849a..670d038a5e 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: jCelesteDG --- # Set up Take a Test on multiple PCs diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md index 5b6d36d46b..7b982a6f0a 100644 --- a/education/windows/take-a-test-single-pc.md +++ b/education/windows/take-a-test-single-pc.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Set up Take a Test on a single PC diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 40850cf578..06129d0ee1 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Take tests in Windows 10 diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 362d143475..211c2913d0 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md 
@@ -5,7 +5,7 @@ keywords: ["school"] ms.prod: W10 ms.mktglfcycl: plan ms.sitesec: library -author: jdeckerMS +author: trudyha --- # For teachers - get Minecraft: Education Edition diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index c4ecb5351d..b6303d21a2 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jdeckerMS +author: CelesteDG --- # Use the Set up School PCs app From 5123cada02b7979d96993f7fd04a26ce55b3d3f3 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 21 Feb 2017 08:04:17 -0800 Subject: [PATCH 24/44] fix typo --- education/windows/take-a-test-multiple-pcs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index 670d038a5e..1b80672e68 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu -author: jCelesteDG +author: CelesteDG --- # Set up Take a Test on multiple PCs From a59e39b80a361aee0e338174a992a0f071c53fc1 Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 21 Feb 2017 10:57:06 -0800 Subject: [PATCH 25/44] revised DG and CG requirements --- windows/keep-secure/credential-guard.md | 2 +- ...nts-and-deployment-planning-guidelines-for-device-guard.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 9d3a33d12c..3bc0351b4d 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
@@ -98,7 +98,7 @@ The following tables provide more information about the hardware, firmware, and | Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.

    **Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    **Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

    **Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

    Important:
    Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


    **Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

    Important:
    Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


    **Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | > [!IMPORTANT] > The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide. diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index fad266b5ee..5ccb7b399f 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -50,11 +50,11 @@ The following tables provide more information about the hardware, firmware, and |Baseline Protections - requirement | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | -| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    - VT-x (Intel) or
    - AMD-V
    And:
    - Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | +| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    - VT-x (Intel) or
    - AMD-V
    And:
    - Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    **Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

    **Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).

    **Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

    Important:
    Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


    **Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

    Important:
    Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


    **Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. | > **Important**  The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide. From 98eecffba53526107e6fcc5b09fbeed13bc169b6 Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 21 Feb 2017 12:29:30 -0800 Subject: [PATCH 26/44] added new 1703 requirements --- windows/keep-secure/credential-guard.md | 5 +++-- ...-deployment-planning-guidelines-for-device-guard.md | 10 +++++----- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 3bc0351b4d..0a07dfca35 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -126,11 +126,12 @@ The following tables provide more information about the hardware, firmware, and
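Review bot: In the requirements-and-deployment-planning-guidelines-for-device-guard.md hunk at @@ -50,11 +50,11 @@, the reworded VBS benefit still overstates the guarantee. "Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation" reads as if the normal OS itself becomes unexploitable, while the sentence before it scopes the isolation to the secure kernel. Suggest wording along the lines of "cannot be used to compromise the secure kernel because of this isolation". Minor: the trailing callout uses `> **Important**` while the credential-guard.md context above uses `> [!IMPORTANT]`; pick one form for both topics.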
    -#### 2017 Additional Security Recommendations (starting with the next major release of Windows 10) +#### 2017 Additional Security Recommendations (starting with Windows 10, version 1703) | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
    - Reduces attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    - VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
    - UEFI runtime service musty meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required in non-volitile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    - This only applies to UEFI runtime service memory, and not UEFI bootb service memory.
    - This protection is applied by VBS on OS page tables.


    Please also note the following:
    - Do not use sections that are both writeable and exceutable
    - Do not attempt to directly modify xceutable system memory
    - Do not use dynamic code

    **Security benefits**:
    - Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM. | ## Manage Credential Guard diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 5ccb7b399f..8a2a5ff86c 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -76,18 +76,18 @@ The following tables describes additional hardware and firmware requirements, an | Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
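Review bot: In the credential-guard.md hunk at @@ -126,11 +126,12 @@, the re-added SMM row's first benefit is two sentences fused together: "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS". It appears to mix the old SMM wording with the new NX row's benefit; reduce it to a single clause, for example "Protects against potential vulnerabilities in UEFI runtime services (such as in UpdateCapsule and SetVariable) so they can't compromise VBS". The new NX row also needs a spelling pass before merge: "exceutable" (several places), "xceutable", "musty", "non-volitile" and "bootb".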
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    - Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    - Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

    **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | | Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    - Enterprises can choose to allow proprietary EFI drivers/applications to run.
    - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
    -### 2017 Additional Qualification Requirements for Device Guard (announced as options for future Windows operating systems for 2017) +#### 2017 Additional Security Recommendations (starting with Windows 10, version 1703) -| Protections for Improved Security - requirement | Description | +| Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **UEFI NX Protections** | **Requirements**:
    - All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.

    UEFI Runtime Services:
    - Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.
    - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
    - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
    - Reduces attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
    - Reduces attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    - VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
    - UEFI runtime service musty meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required in non-volitile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    - This only applies to UEFI runtime service memory, and not UEFI bootb service memory.
    - This protection is applied by VBS on OS page tables.


    Please also note the following:
    - Do not use sections that are both writeable and exceutable
    - Do not attempt to directly modify xceutable system memory
    - Do not use dynamic code

    **Security benefits**:
    - Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM. | ## Device Guard deployment in different scenarios: types of devices From 726038c9c4a970f19e9f4bd47d9583164c0d941d Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 21 Feb 2017 12:38:12 -0800 Subject: [PATCH 27/44] copyedits --- windows/keep-secure/credential-guard.md | 2 +- ...ments-and-deployment-planning-guidelines-for-device-guard.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 0a07dfca35..766a49ddda 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -130,7 +130,7 @@ The following tables provide more information about the hardware, firmware, and | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
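Review bot: In the device-guard hunk at @@ -76,18 +76,18 @@, the heading changes from "Additional Qualification Requirements" to "Additional Security Recommendations", but both rows under it still open with **Requirements** and use "must", so a reader cannot tell whether the NX and WSMT items are mandatory for Device Guard. Either keep "Requirements" in the heading or soften the row wording, and confirm that the drop from ### to #### fits this topic's outline. Also, the "Hardware Rooted Trust Platform Secure Boot" row is removed and re-added with no visible difference; if that is a whitespace-only change, leave it out of the patch.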
    - VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
    - UEFI runtime service musty meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required in non-volitile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    - This only applies to UEFI runtime service memory, and not UEFI bootb service memory.
    - This protection is applied by VBS on OS page tables.


    Please also note the following:
    - Do not use sections that are both writeable and exceutable
    - Do not attempt to directly modify xceutable system memory
    - Do not use dynamic code

    **Security benefits**:
    - Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    - VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
    - UEFI runtime service must meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required for in non-volitile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    - This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    - This protection is applied by VBS on OS page tables.


    Please also note the following:
    - Do not use sections that are both writeable and exceutable
    - Do not attempt to directly modify executable system memory
    - Do not use dynamic code

    **Security benefits**:
    - Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM. | ## Manage Credential Guard diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 8a2a5ff86c..9320fcb6d1 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -86,7 +86,7 @@ The following tables describes additional hardware and firmware requirements, an | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
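Review bot: In the credential-guard.md hunk at @@ -130,7 +130,7 @@, the copyedit fixes "musty", "bootb" and "xceutable" but the replacement row still has "exceutable" in three places ("must not be exceutable", "both exceutable and writable", "writeable and exceutable"). Please correct those in the same pass and settle on one of "writable" or "writeable" within the row. The unchanged SMM row below it still carries the fused benefit sentence ("Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS"), which a copyedit commit is the natural place to fix.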
    - VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
    - UEFI runtime service musty meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required in non-volitile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    - This only applies to UEFI runtime service memory, and not UEFI bootb service memory.
    - This protection is applied by VBS on OS page tables.


    Please also note the following:
    - Do not use sections that are both writeable and exceutable
    - Do not attempt to directly modify xceutable system memory
    - Do not use dynamic code

    **Security benefits**:
    - Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    - VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
    - UEFI runtime service must meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required for in non-volitile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    - This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    - This protection is applied by VBS on OS page tables.


    Please also note the following:
    - Do not use sections that are both writeable and exceutable
    - Do not attempt to directly modify executable system memory
    - Do not use dynamic code

    **Security benefits**:
    - Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware. | | Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM. | ## Device Guard deployment in different scenarios: types of devices From 1748c672005eae33c50e6e123e0fb06aeca9842d Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Feb 2017 14:24:06 -0800 Subject: [PATCH 28/44] Fixed loc bugs --- ...erprise-guidance-using-microsoft-edge-and-ie11.md | 12 ++++++------ windows/manage/cortana-at-work-o365.md | 2 +- windows/manage/cortana-at-work-overview.md | 2 +- windows/manage/cortana-at-work-powerbi.md | 4 ++-- windows/manage/cortana-at-work-voice-commands.md | 6 +++--- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md index 4cabfa693f..fefb61f858 100644 --- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md +++ b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md @@ -29,7 +29,7 @@ If you're having trouble deciding whether Microsoft Edge is good for your organi ![Microsoft Edge infographic](images/microsoft-edge-infographic-sm.png)
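Review bot: In the device-guard hunk at @@ -86,7 +86,7 @@, the PE sections bullet goes from "not required in non-volitile storage" to "not required for in non-volitile storage": the edit adds a stray "for" and leaves "non-volitile" misspelled. Suggest "not required in non-volatile storage". The credential-guard.md copy of this row has the identical wording, so both files need the same fix.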
    [Click to enlarge](img-microsoft-edge-infographic-lg.md)
    -[Click to download image](https://www.microsoft.com/en-us/download/details.aspx?id=53892) +[Click to download image](https://www.microsoft.com/download/details.aspx?id=53892) ### Microsoft Edge Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. 
@@ -50,10 +50,10 @@ IE11 offers enterprises additional security, manageability, performance, backwar - **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control. ## Related topics -- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/en-us/download/details.aspx?id=53892) -- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/en-us/browser/mt612809.aspx) -- [Download Internet Explorer 11](http://windows.microsoft.com/en-US/internet-explorer/download-ie) +- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=53892) +- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) +- [Download Internet Explorer 11](http://windows.microsoft.com/internet-explorer/download-ie) - [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index) - [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index) -- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-ieak/index) -- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11) \ No newline at end of file +- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/itpro/internet-explorer/ie11-ieak/index) +- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11) \ No newline at end of file diff --git a/windows/manage/cortana-at-work-o365.md b/windows/manage/cortana-at-work-o365.md index d58663dc00..764b5638e0 100644 
--- a/windows/manage/cortana-at-work-o365.md +++ b/windows/manage/cortana-at-work-o365.md @@ -57,7 +57,7 @@ Cortana can only access data in your Office 365 org when it’s turned on. If yo **To turn off Cortana with Office 365** 1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account. -2. Go to the [Office 365 admin center](https://support.office.com/en-us/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547). +2. Go to the [Office 365 admin center](https://support.office.com/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547). 3. Expand **Service Settings**, and select **Cortana**. diff --git a/windows/manage/cortana-at-work-overview.md b/windows/manage/cortana-at-work-overview.md index 96064364c3..29a9ab3bba 100644 --- a/windows/manage/cortana-at-work-overview.md +++ b/windows/manage/cortana-at-work-overview.md @@ -59,6 +59,6 @@ Cortana is covered under the [Microsoft Privacy Statement](https://privacy.micro - [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384) -- [Known issues for Windows Desktop Search and Cortana in Windows 10](http://support.microsoft.com/kb/3206883/EN-US) +- [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10) - [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385) diff --git a/windows/manage/cortana-at-work-powerbi.md b/windows/manage/cortana-at-work-powerbi.md index 98b90f572f..979cde3b57 100644 --- a/windows/manage/cortana-at-work-powerbi.md +++ b/windows/manage/cortana-at-work-powerbi.md 
@@ -19,7 +19,7 @@ localizationpriority: high Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop. >[!Note] ->Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/). +>Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/). ## Before you begin To use this walkthrough, you’ll need: @@ -135,4 +135,4 @@ Now that you’ve set up your device, you can use Cortana to show your info from ![Cortana at work, showing your custom report from Power BI](images/cortana-powerbi-myreport.png) >[!NOTE] ->For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/). +>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/). diff --git a/windows/manage/cortana-at-work-voice-commands.md b/windows/manage/cortana-at-work-voice-commands.md index 766a5914ad..2e2743fa61 100644 
--- a/windows/manage/cortana-at-work-voice-commands.md +++ b/windows/manage/cortana-at-work-voice-commands.md @@ -19,7 +19,7 @@ localizationpriority: high Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions. >[!NOTE] ->For more info about how your developer can extend your current apps to work directly with Cortana, see [Cortana interactions in UWP apps](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/cortana-interactions). +>For more info about how your developer can extend your current apps to work directly with Cortana, see [The Cortana Skills Kit](https://docs.microsoft.com/cortana/getstarted). ## High-level process Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent. 
@@ -30,9 +30,9 @@ To enable voice commands in Cortana Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background. - - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-foreground-app-with-voice-commands-in-cortana). + - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana). - - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-background-app-with-voice-commands-in-cortana). + - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana). 2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. 
From 99146436995e717dec7f0a466e5afdbcde1dfe5f Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 21 Feb 2017 15:43:12 -0800 Subject: [PATCH 29/44] revised headings --- windows/keep-secure/credential-guard.md | 4 +++- ...and-deployment-planning-guidelines-for-device-guard.md | 8 +++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 766a49ddda..0f8956b7ef 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -126,7 +126,9 @@ The following tables provide more information about the hardware, firmware, and
    -#### 2017 Additional Security Recommendations (starting with Windows 10, version 1703) +#### 2017 Additional security requirements starting with Windows 10, version 1703 + +The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements. | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 9320fcb6d1..71bfce33fc 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -62,7 +62,7 @@ The following tables provide more information about the hardware, firmware, and The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met. -### 2015 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) +### Additional Qualification Requirements starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4 | Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| @@ -70,7 +70,7 @@ The following tables describes additional hardware and firmware requirements, an
    -### 2016 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1607, and Windows Server 2016) +### Additional Qualification Requirements starting with Windows 10, version 1607, and Windows Server 2016 > **Important**  The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. @@ -82,7 +82,9 @@ The following tables describes additional hardware and firmware requirements, an
    -#### 2017 Additional Security Recommendations (starting with Windows 10, version 1703) +#### Additional Qualification Requirements starting with Windows 10, version 1703 + +The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements. | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| From 703e455fdaeed041d5747af5d301dada730dffeb Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 21 Feb 2017 16:03:17 -0800 Subject: [PATCH 30/44] revised statement about TPM 2.0 requirement --- ...ments-and-deployment-planning-guidelines-for-device-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 71bfce33fc..5e1ed8a469 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md 
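Review bot: In commit 29/44 the retitled headings do not agree between the two files: credential-guard.md gets "2017 Additional security requirements starting with Windows 10, version 1703" (year kept, sentence case), while the Device Guard topic gets "Additional Qualification Requirements starting with ..." (year dropped, title case). Renaming "Recommendations" to "Requirements" also sits oddly with the Important note shown as context in the Device Guard hunk, which says Device Guard can be used with hardware, firmware, and software that do not support these protections. Pick one term and one heading form for both topics, and make sure the new lead-in sentence ("in addition to all preceding requirements") does not read as making the 1703 items mandatory.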
@@ -43,7 +43,7 @@ The following tables provide more information about the hardware, firmware, and > **Notes** > - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). -> - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow. +> - Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. ## Device Guard requirements for baseline protections From a72a5db01aec0b8c46fb8f6bf1cc63a6281bcc63 Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 21 Feb 2017 18:32:41 -0800 Subject: [PATCH 31/44] updated readiness tool version --- windows/keep-secure/credential-guard.md | 6 +++--- ...y-device-guard-enable-virtualization-based-security.md | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 0f8956b7ef..33c5ea3eb0 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -214,7 +214,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot +DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot ``` #### Credential Guard deployment in virtual machines 
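Review bot: The script version is hard-coded in the command, `DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot`, while the download link in the sentence above it (details.aspx?id=53337) is unchanged, so the file name has to be edited by hand at each tool release and has already gone stale once (v2.0). Consider saying in the text which version the download delivers, or referring to the script without the version in its name. Two smaller points on the same line: run from the folder it was downloaded to, PowerShell needs the `.\` prefix before the script name, and the fence has no language tag telling the reader this is a PowerShell command that must be run elevated and will reboot the machine.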
@@ -283,7 +283,7 @@ For more info on virtualization-based security and Device Guard, see [Device Gua You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot +DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot ```   ### Check that Credential Guard is running @@ -301,7 +301,7 @@ You can use System Information to ensure that Credential Guard is running on a P You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v2.0.ps1 -Ready +DG_Readiness_Tool_v3.0.ps1 -Ready ``` ## Considerations when using Credential Guard diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md index 9f7be87cbb..b2d83a318c 100644 --- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md @@ -33,7 +33,7 @@ In addition to the hardware requirements found in [Hardware, firmware, and softw - With Windows 10, version 1607 or Windows Server 2016:
    Hyper-V Hypervisor, which is enabled automatically. No further action is needed. -- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
    +- With an earlier version of Windows 10:
    Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1). > **Note**  You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box. @@ -91,7 +91,7 @@ There are multiple ways to configure VBS features for Device Guard: - With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:
    For an initial deployment or test deployment, we recommend **Enabled without lock**.
    When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person. - - With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
    Select the **Enable Virtualization Based Protection of Code Integrity** check box. + - With earlier versions of Windows 10:
    Select the **Enable Virtualization Based Protection of Code Integrity** check box. ![Group Policy, Turn On Virtualization Based Security](images/dg-fig7-enablevbsofkmci.png) @@ -183,7 +183,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f -reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` If you want to customize the preceding recommended settings, use the following settings. @@ -211,7 +211,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforc **To enable virtualization-based protection of Code Integrity policies without UEFI lock** ``` command -reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` ### Validate enabled Device Guard hardware-based security features From d90f346963a22d1a7e7b8672f506750170ae3875 Mon Sep 17 00:00:00 2001 From: Justinha Date: Wed, 22 Feb 2017 10:32:18 -0800 Subject: [PATCH 32/44] added version numbers for MOR and HSTI --- windows/keep-secure/credential-guard.md | 2 +- ...nts-and-deployment-planning-guidelines-for-device-guard.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 33c5ea3eb0..ccfdc89578 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
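Review bot: In commit 31/44, the two hunks in deploy-device-guard-enable-virtualization-based-security.md that correct `/v " Unlocked"` to `/v "Unlocked"` fix the command but say nothing to readers who already ran the old one. reg add with the quoted leading space creates a separate value whose name begins with a space under HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard, and that value stays in place after the corrected command is run. Add a sentence telling administrators who followed the earlier text to delete the stray value and rerun the command, and to re-check the result with the steps under "Validate enabled Device Guard hardware-based security features", since those machines may not be in the "without UEFI lock" state the section describes.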
@@ -109,7 +109,7 @@ The following tables provide more information about the hardware, firmware, and |---------------------------------------------|----------------------------------------------------| | Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU

    **Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | | Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - BIOS password or stronger authentication must be supported.
    - In the BIOS configuration, BIOS authentication must be set.
    - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    - BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    - Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | -| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation

    **Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). | +| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation

    **Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
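Review bot: The row title and the Requirement text now say "Secure MOR, revision 2 implementation", but the rest of the + row was not updated: the benefit still speaks of "A secure MOR bit" and the link text still reads "Secure MOR implementation", and MOR is never expanded anywhere in the row. Spell out the acronym on first use and state in the row whether firmware implementing the earlier revision still meets the requirement; as written a reader cannot tell what the added revision number changes for them.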
    diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 5e1ed8a469..ae5adee427 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -76,13 +76,13 @@ The following tables describes additional hardware and firmware requirements, an | Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    - Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    - The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    - Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

    **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | | Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    - Enterprises can choose to allow proprietary EFI drivers/applications to run.
    - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
    -#### Additional Qualification Requirements starting with Windows 10, version 1703 +### Additional Qualification Requirements starting with Windows 10, version 1703 The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements. From cc628855e6f9c48424d80ed0385147b1d3f8a97e Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 22 Feb 2017 11:43:25 -0800 Subject: [PATCH 33/44] hello-identity + hello-why-pin - removed passport Removed a few unneeded passport mentions --- windows/keep-secure/hello-identity-verification.md | 2 -- windows/keep-secure/hello-why-pin-is-better-than-password.md | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md index a1e391508f..de233a49af 100644 --- a/windows/keep-secure/hello-identity-verification.md +++ b/windows/keep-secure/hello-identity-verification.md @@ -115,8 +115,6 @@ Windows Hello for Business can use either keys (hardware or software) or certifi [Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778) -[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928) - ## Related topics - [How Windows Hello for Business works](hello-how-it-works.md) diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md index a7606f0264..55dfd73fff 100644 --- a/windows/keep-secure/hello-why-pin-is-better-than-password.md +++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md 
@@ -32,7 +32,7 @@ A password is transmitted to the server -- it can be intercepted in transmission When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. >[!NOTE] ->For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928). +>For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-identity-verification.md#benefits-of-windows-hello).   ## PIN is backed by hardware From 4affc4ac96d7a5170361e0b44a47e7e03c8456fd Mon Sep 17 00:00:00 2001 From: Justinha Date: Wed, 22 Feb 2017 14:05:49 -0800 Subject: [PATCH 34/44] updated references to Windows Hello for Business --- windows/keep-secure/credential-guard.md | 2 +- ...-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index ccfdc89578..2c631c1880 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
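Review bot: In commit 33/44, the rewritten NOTE in hello-why-pin-is-better-than-password.md carries the misspelling "asymetric" over into the + line; since the line is being touched anyway, correct it to "asymmetric". The new target, hello-identity-verification.md#benefits-of-windows-hello, should also be checked to confirm that the section covers the key-pair details the sentence promises, because the other hunk in this commit deletes the Microsoft Passport guide link that previously served that purpose and adds nothing in its place.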
@@ -317,7 +317,7 @@ DG_Readiness_Tool_v3.0.ps1 -Ready - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. -- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, Microsoft Passport, or Microsoft Passport for Work. +- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. - Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. 
- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running. diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index c3595ae774..cbe59766be 100644 --- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -61,7 +61,7 @@ For VPN, the following types of credentials will be added to credential manager - TPM KSP Certificate - Software KSP Certificates - Smart Card Certificate - - Passport for Work Certificate + - Windows Hello for Business Certificate The username should also include a domain that can be reached over the connection (VPN or WiFi). From 3da933e04fbcd831b1f7eeed08be2d21a114d96e Mon Sep 17 00:00:00 2001 From: Justinha Date: Wed, 22 Feb 2017 14:32:43 -0800 Subject: [PATCH 35/44] fixed formatting --- ...nt-planning-guidelines-for-device-guard.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index ae5adee427..c00e795566 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md 
@@ -42,15 +42,15 @@ You can deploy Device Guard in phases, and plan these phases in relation to the The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. > **Notes** -> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). -> - Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. +> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). +> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. 
## Device Guard requirements for baseline protections |Baseline Protections - requirement | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | -| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    - VT-x (Intel) or
    - AMD-V
    And:
    - Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. | +| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    • VT-x (Intel) or
    • AMD-V
    And:
    • Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    **Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

    **Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | | Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).

    **Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | @@ -66,7 +66,7 @@ The following tables describes additional hardware and firmware requirements, an | Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - BIOS password or stronger authentication must be supported.
    - In the BIOS configuration, BIOS authentication must be set.
    - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    - BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    - Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • BIOS password or stronger authentication must be supported.
    • In the BIOS configuration, BIOS authentication must be set.
    • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
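Review bot: In the fourth requirement of the Securing Boot Configuration and Management row, "must be secured" does not say by what mechanism, and the + lines carry the wording over unchanged while only swapping the list marker. Suggest tying it to the BIOS authentication required in the second bullet, so the reader knows the permitted boot device list and boot order are expected to sit behind the BIOS password. The third bullet ("support for protected BIOS option to configure list of permitted boot devices") could also gain its missing articles while the row is being touched.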
    @@ -76,9 +76,9 @@ The following tables describes additional hardware and firmware requirements, an | Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    - The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    - Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx).

    **Security benefits**:
    • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    • HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

    **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    - Enterprises can choose to allow proprietary EFI drivers/applications to run.
    - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    • Enterprises can choose to allow proprietary EFI drivers/applications to run.
    • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
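Review bot: The HSTI link on the + side of the Hardware Rooted Trust Platform Secure Boot row drops the "(v=vs.85)" suffix (now mt712332.aspx), while the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby link one line above keeps it, in a hunk that otherwise only swaps list markers. Confirm the shorter URL resolves, and either apply the same cleanup to the dn932807 link or leave both alone. Separately, the last row of this table is titled Securing Boot Configuration and Management, the same title as the BIOS authentication row in the previous table, although it covers Secure Boot DB certificates; a distinct title would stop readers from conflating the two.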
    @@ -88,8 +88,8 @@ The following table lists requirements for Windows 10, version 1703, which are i | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    - VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
    - UEFI runtime service must meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required for in non-volitile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    - This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    - This protection is applied by VBS on OS page tables.


    Please also note the following:
    - Do not use sections that are both writeable and exceutable
    - Do not attempt to directly modify executable system memory
    - Do not use dynamic code

    **Security benefits**:
    - Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
    • UEFI runtime service must meet these requirements:
        • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
        • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    • This protection is applied by VBS on OS page tables.


    Please also note the following:
    • Do not use sections that are both writeable and exceutable
    • Do not attempt to directly modify executable system memory
    • Do not use dynamic code

    **Security benefits**:
    • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware.
    • Blocks additional security attacks against SMM. | ## Device Guard deployment in different scenarios: types of devices @@ -97,9 +97,9 @@ Typically, deployment of Device Guard happens best in phases, rather than being | **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** | |------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------| -| **Fixed-workload devices**: Perform same tasks every day.
    Lists of approved applications rarely change.
    Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
    After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.

    - Code integrity policies in enforced mode, with UMCI enabled. | -| **Fully managed devices**: Allowed software is restricted by IT department.
    Users can request additional software, or install from a list of applications provided by IT department.
    Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
    Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.

    - Code integrity policies in enforced mode, with UMCI enabled. | -| **Lightly managed devices**: Company-owned, but users are free to install software.
    Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.

    - Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | +| **Fixed-workload devices**: Perform same tasks every day.
    Lists of approved applications rarely change.
    Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
    After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.

    • Code integrity policies in enforced mode, with UMCI enabled. | +| **Fully managed devices**: Allowed software is restricted by IT department.
    Users can request additional software, or install from a list of applications provided by IT department.
    Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
    Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.

    • Code integrity policies in enforced mode, with UMCI enabled. | +| **Lightly managed devices**: Company-owned, but users are free to install software.
    Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.

    • Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | | **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | ## Device Guard deployment in virtual machines From c71dc605daa5fa89d936b75a90c2fab36a83526f Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 22 Feb 2017 15:22:53 -0800 Subject: [PATCH 36/44] waas-DO testing adding a testimonial --- windows/manage/waas-delivery-optimization.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index fcaf02a4f4..43a0a170d5 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md 
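Review bot: The + lines of the @@ -88,8 +88,8 @@ hunk (VBS enablement of NX protection for UEFI runtime services) carry over the typos of the lines they replace: "exceutable" three times, "non-volitile", and "not required for in". Since every one of these lines is being rewritten anyway, fix them in the same change. The first SMM security benefit ("Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS") is also two sentences fused together and should be reworded.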
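Review bot: In the third column of the device-types table (@@ -97,9 +97,9 @@), only the second item of each cell was switched to "•"; the first item still starts with "- VBS (hardware-based) protections, enabled." on the + side, so each cell now mixes two list markers. Convert both items or neither, in all three rows.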
@@ -71,6 +71,11 @@ There are additional options available to robustly control the impact Delivery O - [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month. - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. +>[!TIP] +>In Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the “domain” configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet. +> +> For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study. + Provided below is a detailed description of every configurable feature setting. Use these details when configuring any of the above settings. ### Download mode From d88fa311847bc426556ab4e95f564a2fd91a2601 Mon Sep 17 00:00:00 2001 
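Review bot: The added tip opens with "In Microsoft" and then switches from third person ("Microsoft IT used") to first person ("we used") within one paragraph; suggest "At Microsoft" and a single voice throughout. The "domain" configuration is not tied to any named Download mode value, so a reader cannot tell which setting gives the same domain-scoped peer sharing; name the setting or link to the Download mode section that follows. "More than 76 percent of content came from peer devices versus the Internet" should also state the deployment or period it was measured over.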
From: Justinha Date: Wed, 22 Feb 2017 15:56:34 -0800 Subject: [PATCH 37/44] updated screenshots --- windows/keep-secure/credential-guard.md | 12 ++++++------ ...rd-enable-virtualization-based-security.md | 8 ++------ .../keep-secure/images/device-guard-gp.png | Bin 47736 -> 33074 bytes .../images/dg-fig7-enablevbsofkmci.png | Bin 48308 -> 33488 bytes 4 files changed, 8 insertions(+), 12 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 2c631c1880..abe624e67f 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -94,7 +94,7 @@ The following tables provide more information about the hardware, firmware, and |Baseline Protections | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | -| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    - VT-x (Intel) or
    - AMD-V
    And:
    - Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | +| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    • VT-x (Intel) or
    • AMD-V
    And:
    • Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | | Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.

    **Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    **Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

    **Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | @@ -108,7 +108,7 @@ The following tables provide more information about the hardware, firmware, and | Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| | Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU

    **Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - BIOS password or stronger authentication must be supported.
    - In the BIOS configuration, BIOS authentication must be set.
    - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    - BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    - Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • BIOS password or stronger authentication must be supported.
    • In the BIOS configuration, BIOS authentication must be set.
    • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | | Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation

    **Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
    @@ -120,9 +120,9 @@ The following tables provide more information about the hardware, firmware, and | Protections for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    - Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    • The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    • HSTI provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

    **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    - Enterprises can choose to allow proprietary EFI drivers/applications to run.
    - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    • Enterprises can choose to allow proprietary EFI drivers/applications to run.
    • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
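Review bot: This copy of the Hardware Rooted Trust Platform Secure Boot row says "The Hardware Security Test Interface (HSTI) must be implemented" and keeps the "(v=vs.85)" link on the + side, while the same row in the Device Guard requirements patch names "HSTI 1.1.a" and links to mt712332.aspx without the suffix. The two topics now state the requirement differently; decide which HSTI version applies to Credential Guard and align both the text and the link, or say why they differ.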
    @@ -132,8 +132,8 @@ The following table lists requirements for Windows 10, version 1703, which are i | Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    - VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
    - UEFI runtime service must meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required for in non-volitile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    - This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    - This protection is applied by VBS on OS page tables.


    Please also note the following:
    - Do not use sections that are both writeable and exceutable
    - Do not attempt to directly modify executable system memory
    - Do not use dynamic code

    **Security benefits**:
    - Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    - Reduces the attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
    • UEFI runtime service must meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required for in non-volitile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    • This protection is applied by VBS on OS page tables.


    Please also note the following:
    • Do not use sections that are both writeable and exceutable
    • Do not attempt to directly modify executable system memory
    • Do not use dynamic code

    **Security benefits**:
    • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware.
    • Blocks additional security attacks against SMM. | ## Manage Credential Guard diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md index b2d83a318c..b03c8c1332 100644 --- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md @@ -30,7 +30,7 @@ For information about enabling Credential Guard, see [Protect derived domain cre In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS: -- With Windows 10, version 1607 or Windows Server 2016:
    +- Beginning with Windows 10, version 1607 or Windows Server 2016:
    Hyper-V Hypervisor, which is enabled automatically. No further action is needed. - With an earlier version of Windows 10:
    @@ -42,12 +42,8 @@ Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1). **Figure 1. Enable operating system features for VBS, Windows 10, version 1511** -After you enable the feature or features, you can enable VBS for Device Guard, as described in the following sections. - ## Enable Virtualization Based Security (VBS) and Device Guard -Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard). - There are multiple ways to configure VBS features for Device Guard: - You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic. @@ -68,7 +64,7 @@ There are multiple ways to configure VBS features for Device Guard: 3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. -4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. +4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. ![Edit the group policy for Virtualization Based Security](images/dg-fig3-enablevbs.png) 
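Review bot: In the added table row "Firmware: **Firmware support for SMM protection**" (just above "## Manage Credential Guard"), the first Security benefits bullet splices two sentences: "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS". It and "Reduces the attack surface to VBS from system firmware." also repeat the benefits already listed in the preceding row, so only "Blocks additional security attacks against SMM." is specific to this row. Suggest reducing the first bullet to a single clause, for example "Protects against potential vulnerabilities in UEFI runtime services (such as in functions like UpdateCapsule and SetVariable)", and stating what the WSMT table adds beyond the previous row. The WSMT specification link is http://; use https:// if the host serves it. The row above still has the typo "exceutable", worth fixing while this table is being edited.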
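Review bot: In the @@ -30,7 +30,7 hunk of deploy-device-guard-enable-virtualization-based-security.md, the new list item "Beginning with Windows 10, version 1607 or Windows Server 2016:" pairs a starting point with "or", which reads as a choice between two baselines rather than two product lines that both qualify. Suggest "Beginning with Windows 10, version 1607, and Windows Server 2016:" so it parallels the following item, "With an earlier version of Windows 10:".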
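Review bot: The @@ -42,12 +42,8 hunk deletes the paragraph under "## Enable Virtualization Based Security (VBS) and Device Guard" that told the reader to verify the hardware and firmware requirements and to confirm the Windows features are enabled, and nothing replaces it. A reader who lands directly on this heading now starts at "There are multiple ways to configure VBS features for Device Guard:" with no prerequisite check; the requirements link survives only in the earlier paragraph shown as context in the @@ -30 hunk. Suggest keeping a one-sentence pointer to the requirements topic and to the Windows feature requirements section under this heading, even if the longer wording is dropped.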
diff --git a/windows/keep-secure/images/device-guard-gp.png b/windows/keep-secure/images/device-guard-gp.png index 169d2f245be210e8306e752823def4470bd97d10..6d265509eaa54186b44dd9c3263ee298a8ef5897 100644 GIT binary patch literal 33074
z{*pBk?^ZG~Ad)JmjQ7FxU;HLG(V4(5djB@@s&)XmvTW~+%J0`Hm%#mhac){L5fHZy zY^*Id^W7L_@Bn<7{;AiW5&oOLj^+R z;iVdzisp=blLnp9or+DkLY`XU|3lkbKt-jdTtv zp@5PCD&5`9(9+%A2uOE-2h{hz_ulW`_5ZK+eQUXJX3jq6?DO<~p5L<%w5{6f&%EC| z&_AmPL;byIn^y*7{J(sXI|Q%we#@aG-vtW`{Pti2kWyf&bq|Oj0V!n*fC7aay#Ji# z0*XANp&ch4dwbc5)w!yTsSJ(TIQiN&MuRKD4jOp~K&s3UNR^M-639%t_w0~zx{ zNh*&cdLl;?l(OI><^=sCBOp_E|7i>~QG;~oI=?%(CT3@!{pU9FYA_OY2J_JI{$X*i zz-0e41&VdYjY;0KfgI>lxr0;s#~ChiS?hjA7b8lqV^LcXWLPTHBmwV^uE)$`BeJ>= zzS37gCDQlylXWJuW5SyPpSO1jzGj{IK=(p~&hyM&r|aH1 zg&wGm^IQ!-C5%56=5jKX;OZ6*-)*XZAJCXyZ10@SLrAW7FO>HMabKQnW59QT%|j@P zp)U{X6H;Mu)U+~Y&(uOHnPNB~bIo);nhd1{vsc?r=01U@Lm<89%COT%pr`bAh0WU} z;J0F^^A_af=bZ0FLe`&G?dF?E4JXrbBA(^W3`S$7G^+3e2MYzOSLbM9iG z8S1&YYy8sXbi&Pvi4aui{=MVb`qxvRJ7Bw{a$SS&Z7v)1{^sPI(|UoHcE4+kfnZD4PN zn}&*^4~L59J2}Vd{+B$=&o>LQxL{(iFv zX_;)+s;JDRr7Xdyx(8Jt3J*k;I_+cX!4UmEjU5}=vl0F}i-Dk)rc6QT`W+tC@%Bta zc2K}Jtuz^qM9&AYydF{{X3Qr~KoAOwJd*ZDr8S^r8{PSf>mTrAxcg>Mhpx+w!T!R{ zhV}Fr%S~Ix%YzLI7R(j0id7_^;$kto(3R{RyBSp@CaSNY{urz~#Xg!uQM*EdSaJqH z(+IoAbFn861W^V;MDa&$QOP33+h+FSKG|DsIfRjdXq$!eG1yW20~7rLcJ<7;9i`2k zE(hqGZP+DTJ8@aL|Jpc!@7nR-46J>hDzhN#w$ti6IK#AiE@c#&pJTdDE7$&@Jv2eI zSjNcIf%=7{$TzJG4dPky*1B5K9&5=UmfcYyAs}6IkHf3DDX!0wN@9E|meJfzIdF`l zHKn}z`1p_<*^6S}15_TGxb7$>e+1?~g(O^;$z8=WR9qkNyX~FSAJoiwY)y{%BGxh% zGhhXQ3g6)5BX7^#)REK|U(8}$c8|fY9k9J0%K!2b09lYD0l7qc-2a@U4yg0G>IH%H zBJb*7{|NAZNtQ>rcz3wX@qW8*IX>pN38Rc=di}g-N0KUkno9zbZOR);xF+Mga=3m# z<&U~XvsTrQK9x5RE;=2f`pG|bI_v?JsO*$1gZ3mpUw$6dDEGo~wf>eC4XV!k`H|Wc zJQ%8HWgn|x{rw?!Sb8<}6E6G7@4X%pLk4&(^63uO46GGH_pHfi9e4%g0*ug5-R5TE z-h^PA)YnyeT6h7K<&c89Lp6drFWJWv8?KpC9qSBVH;qoO7?zQ&q)n2ixk)m}cQiGM z9fhM@n4gz`GnB<>;=(9Q7>2@1WV;4EzE?z5(-(mV4UnXYMI~)E+RoG&{Q0t;xz}LS~i}gfnXjG>y@81uUso`iQplN{EXKWyOp6Gg>H*&!)cJufzx_72uT(%{UcwWtU z?j00pI;PGe8BkX;ef|OF39zKbW{)lS8hTDGhb>pWAus;Lo?XqTvKleA_iGxq){BQ3 zirPk>_frIYp7;_4Muo$3A16*{3$eFN{mN{mw&Zx`Y%!Vlc$6DKC-D|Gv364LzH<#f zZCc|$iHD!Xlbo&Bh4CF+V%+SO8;Uhe&r7Wx@R60Ak!p$Jy(!a;jrG&+{!rf`5t}=} 
z`2{Fq52Nxh&TC#f&6I%BVDFo-3QdQp?bu&4xKl>IdvIj(p^hH8}!1ITgSugJKTl zAT`|wQfi%l}CKmUsYrx4|kiu2dR17qxP^5qYDr ztr9nvL7mH)mPg;tnQ-PrhnL8oF^*&G!UE*z%W`sI4w6VClOpAh%)dTuhPbcfUCo4L zL7lJ9;;o5@x9cw_^UUGh2RFNUa&wC$lfy1ISz!{>HYcky4+=0W$M)ECj)!@@^K#L6rR0p=W7yQ#f%o)7$kUpU=t^PfK8H<|$511Q0a zIzN#gp_}xaVd(1$&%%yQZ!IW^jbF%YfMdAM%Yf263e-YC(|rgo^*Ae&8)BbLGt_q8 z-H@tb;ZOgC1EFQv;y*id7)d(Y(MND32fENDV#;+Z&o0TJN=t^EfS&h1igy$mfwZ@b zR(YI7_Szggq#Q<(4N_9l85A9;eLt(KH%1!wL{;8r5j>$<3v$68d>#jNKHAPRhY29u zFp#WC-NfH=djC9!i~k787SWAMMac>>ox0u=G^33*aGY<+#v-6KTIqRkpz99>Q8c8_ z*iyuhp#V(XK#FdkiSL7D*%t@`d5z}A^gCq^ZH4@_mcRHAgt`mX;~p>7V#~E{vTX(5 zF6!g-IH3%b};1B+D48X?DU{GT%-04snJZKd-E>nAWx##l|( zOXrsIUA?*O?8(at8=h?bL^63CQ$CXs^;)yT(((j+zO?c+-x;9=tcN+?A8DM!NY#A| zHX_|EEAZ%HHF)gd`f&WT%vdcrWD#eKtWb38Sh>!Jy}Jh==>EkRL- zArx}{Y^Q`K{$zeO1(~jO8L~hI9^y^?cX;EFx|;G;()BWuKBGLOYeaHZQy@1`?o^gdx62M`7NJMe+bZ|Mq@ zjhlFgy~-NzSgi*njrbh@p8sVFY4STAjs?q)`r{wFYKROLohLV;KL3d&*LhkMvd9Ui zEi}c(s7oh)z>WS+1)!Py!tEYw8%VSZ33QS2UaJS_o}TmfVF$V^%S4B^0sw$uynhWG z=5x&Z50`u5xnNggFzvdAf~(1bk?(Yr_GN39?mFsk5nNj2m(RZ_h?C-h^o{@`05>S* zQ=%>M$~&%J$+)3j8-dsavr#&+B|!L4|4qWq?{rVF{!+po$eJPieZ>Du5}`YL8@?gJ zXqW_GF86C2ivMx|NLDwn`9t(>4<%CAeLi{A?Vc_V=fNZkM4v>QX??rsqHi3Vv| zLl^~n9FlpCE(`cw7hvt88uVKwa!+vfeT7OD9tc2@OIhsrP_}0L7F7Jn90eFb4U$E7 zD)@6(nvARnB&>9G|K<^kjp%pMREs)tOr+Tr{orKDfLzJ^Nx zgya_W(@$uh2S5q*QdIFnq1;R-6wpdUx&$j_jd_~Ehw;`O;6hi;`^$QDUf0O1N&GOz zDMGI0H4M{}+Dpb{&qit`ZKZD97g*daChHZhjOn!Spslpdb?p_ASbHwOT%AysB)C08C1acR6W z4eX*9h3Z(=CKD^&viwB;bA+Ox^d}+?^5axXA#O$UzUApzi5SA7=5?V=S`~CW{m3G( zZrQlfwIg)oMI@8#p=i$1z>(IwCUuwPTxdgEoKeEWnSB*>S=ov8zG^>df5?*Z` zaISpka|tS6W8OO+>`3nz8iDjn7Y~268Cmw7rDRF99FORzQp-Cg=JKOvokr5TE=_YELbnxEu`420}_ z$0Xy3723@Ux?>|0DGcw$cfQb6UYEeIPipZ$U(ttIqnPecdN-5D{+ka#9%7WTtv^9GKM~3a2DQ*>J zZaZZu%6jzA&gInk)^w+L?ylT};^>yCD;C~^ZokMo9=uKtSysfgXcS=V$C!n*&2EH-F><17Q~%;N)yH*=)ghG!rk6M*XM{T2jZsDL%V574cwE_$_a1*$!` z{a6c?w~x6s8n+kPMI5XF0og%~+p8oS3N!&W_V0~`*8xlopw(Ug&gKth^lrWV$MgP$ z(%m^|6_y5m`~-MEc{0lxm{8EYFS#~_Y49{$^r;amOJc!K3i_R`QLZy@bg&M{p5_Gn 
zrsXGt>xx6&C7#|9_%giUmr4TTa*R(~1t?~A0VUL*;oQ~H6Xn2z$Nb&kPxc}xGK zFHb&xk5+FOMJIUG0U6f0$kW;@57qZRN_r=X*&FAAAXzf@iV@_O4Yipkc=sjq;y&r%B49C60D}EDoZ$Z& zeMsmu%xZ!;KRMNHYP(|LMu0H^zz+xj`~a-j8gDlNQe(*ME(k8)oy~aBEo90~q+B07 zn3{S(Z*B~iu%u6q8z0oa7;2WqwPl(tCuh=VQ4VvTbJP;IoLv(ll6=Bh4mW>5pG7Ej zH9Fq$;SEI!g0nZ7{4w}qs29;R|CyTns4ZVJB#=LDRVS-T{B6Xfxk7cRSP)M{o~4X^ z>W4km&>xVmyiUD}4}tUgaUd2$-Af~u2?3S4$~^NX8tIG*3IJMY_7xI5{GBUIQi$GY z^!Pb1y}1vb5-Y_(0Dh|Bjm?}8NQX{TY?1=k7E!3N6g_AdUos$_GHIibgO|A+50NAU zX%V52m5VwxuSZiPhxB14@>LM33v^u-gN8%cO@i}Ymj`@gW8X6KD-Ltci&ytEt!B3{ zi10VS8=;BwNWId`{f@?KpSQ7~B8qEGmQugIJ{Q)abLMUTG6g-IcbM{b9odRxc}02q1B;>e&~BgNhbN^k#vdvPM&X8U z5Z`3s*&=1}6r>zTZt%3DzSpGXM^Pb1`QFw+N>x!z{Hc{6Pa!iuRi2yYh1W1=G2M&Y z@r71T2K9Cfc{#~QHupfk*bNBbV|1L_27eng_N1TACQX@8Zed<#LAFo*k27=x%J~`{ zMSLkQ*U$*b9LlIemyUaTW50=2SeFDra@~yr@*=ZCgV>TOrsSu8>B<|Yrq@CH9m72& z`6m_lTd^!t37*_X*U?MBh{@=`wyzeIh$gZSOS;ZO+s{0AJpI-r-Il!lSXP1ktsS94{b#VjlEh$xL)dpo;=!~^oJLp z=nYGeGt9J?*@ueE*-XSLz+F|jn_Lqmqn(^YdVF+ogsvZ%`WM2p#>-RQQlxmNGx$ug zXQZm|iB3R%re>JJ;)%TV516IhCL#<~Bk9z}%w{$iqb4$?icC9Sxz4p`KeXdL02fu_ zEw83kkthz{U;J$HePEQkHC_w~@whZDjJlGyeyWsq9ILtPz5|zJ@ z0jTB2zR1D_*2o%P?QJBq$Ib}-p*4!4vG=QctX_jkMQ5W} z*(u?t3?SJ|9t#=OJP*&{SHxSm`x#*(&-sifTBZ8B+a4tNHVL-pjDCqD!$AJ=RE*}n zwJ0%_0nKply|Q!PzK`ltGzchZ%GqjBZ%c+2q$ZebAD2~=r>7rpVmN8xDn@gjDfk6X zr%de8n($iB>)k!_0d6A^5Au1+!C6ZyFH~;VDze=%W|_0dsqg*kS3=&}p~%~>Q(t2Z zUZc>l-e=hbAY?-TmMp;oDE~^{(k23$7}fKFKR!Kru5+khFG&0Irh4v6M8YUbb+M$x zpwr#r7Y4$@OxYJKujRl3IzH1>sV7{p>^D;99@61~)r=S|1l93+4C$a0iq z`(YfOQ$^BmH2}Pk_TY1eHS!E+jX87x(Bp#Oh>4aVBuHbNk@!kk z9Oasg^_IjbP<(QN84J{;GE-I($ejk2{s1Sk0LOmZ1|*>WRX134NOk&&V{xtqqjJ+i zI|s=(oV8xoyct*5wqtQHP5P<4Efc+d=6olwS#Ai0LF~@nS6d$S5h8R1HSQOZR*VBS zYY8jMm+OM~F^n;LOcgyA`nw)4ne!>aD^i77Yu1TAij`O>Y7)HmZT}-RY)4xeeU}q9o36@46-s2t0`N$5wf7n zLO&q6^KvGNeA~IA;(36g&+_{)3>BT72a=U;nOAr6dTSv}4#BM9CfuFlX$yu+VVvwD z8SYEL4ucs%tnMhx)XfUl*+jG1L}i#EV=qUG8IyIayIGft+GI(v+l<&$ASy(&BiSgi zZ}~Wy1*v}S9(4)TCvW`CR_k*yj8Bt=_hVT3G`jK!S}_h{{IyuV)GUdcPy0~gW%=gq 
zKU(em7|a!>ryomV+;kUu*;ziqY8H%S&4-d^PtaKATGGhW_BLcs3sld;)N2+e(PLHq z34ruzoMKKUnq-*-IF9(_h*xA$T`K6G_hPI~LUSme4iucU`1BBwqZDDIV@0JTN=je_ zANt-2Ibb6bU*P?G^etNGrmcn)!uW;o56|B>ir0dee*IW#uD3kr&mp{4jpQ=1~zYucJ^hn^<<1mQV&eTzZt5>`Lw8Za~;iX$Zm%GUdpL#LdTDQH;)NnWZ&iH7&A3L z%@`zXhAhSX9RH~PIk9Tp^!2e!5+h2PxQPAfkYm(A`Tm64tXHS-kb+wkwclj24CY z=M=WTh~axRf+fij`-dd9<{hnph}vHFS^Aq(YB=W)d6^7?_koP1Bc45NK(Gi?=sP?I z^H$<*kp6mdBmR2{IOQDbPQYCr8A6MqNFM z%d$ZhS%}sD{9~3j9yK^zYvZP>&?Vt*Ga&X}RAhGb?^^`LlBn?1LE1K&>UucLA)Px} zM{S=&2lPL2G_87sqC=g%-}Dy%iPYx5-++bQWYO(4fNDOz{V{kQYghq?S)jTnZ-HIA z$&5!mebXJK1f%>Ypc_XeH0I=cdZGKQjYs}*X}_AAYS=%z`xEJqI^khI(^*uFjdk}6 z97eko`bam0H?L?&8c*^?1h3yu%_K`7@Q=S~%AF@%QeQbD%8OZQF5wNJfv7XuO)Ge+d45|S zujTeRVydB)_urLjjedQ{NJSVTdcoOg?zC(j_DSVzCL!Y>F(N;NP z03nZQzO+=tm{h`nDRf9^Cg4|~|Ktycq8EFJY*9HY!NsUc?+Q#**NzLH5-Id;J&QLJ z)=F+l-ElmyE8@Pht3YP`iu)lZ=M44nOtpz{c;i8l;RTH7$Nt|;{()Bt@5lG$UZo_`l4OT{qwaHn-V z+O7Fm0{!$|g$1*Ki2V%<^_2AG1rpZ`M7q5ED7|cZaQ@**NAs46%RTOTx0v#(xQKuN z|C#ZlzV39IH%HVit>P`H;o-FD(a7`}1V_!t&-77}%)as~#Js*@l;Lc_B3T`o8EkG{ zw>8Bxe37WdrhaN5c&_>~{x#km=jONdczpwroEZ|_{N=h#89Sjzlrl|++cVh&JJcqZ zgQv1@$AAsTZE0JVYEHeY$TgzYTo}SS_qkk7of%*WZMxy`E8|Jkk;5(~_OB>(OYdKE1{73`x*StH$A*@s?++2#I4ZMn#KoHdswDw<$j zt7(pdy?KE!;4r`;`u$%au&9Kpb9#dPB;LIiXDq4ec8|OGEjGYPgnipvtj4hCIW>Ti zy?^I>H*|p7?!Q(h?;C}5NM~lYWvTZ0uOSHi=zl%5U<7ntOLyH9m&RmPQHUReEm4h4 zt;934hb41jU_SV0Iv+owbH?GA>6&^WRQ=m4SGmy}SBt^u=8luHHJK!Y^X4t(fS&Qj$z}d?$i)v2u^?UucOu^<%|gm1N{uN)79U-!nnPK?`=gwvz`0q}q+%P%M5j8) z%u%0iG_c6)0Id1d2WKdfNkxb*zX|tHM<54HC3O`y&yxKgRsm3ZqZsLCG24|=(=!vG z^;UPjgPLWFJXl8{{jn~h2#bJ{tmP+YWg^REa%4TuQ&$9I-2tw%U#}C#g*ZxF;%mJa z@I!J!bI3UgOwfx!_)j@m3GfGJ1iuZwy?48i1(xn_oDn>S=(K&tXHWlRpY+6w8k~VT z+TTpn-OAX2{T4@bw=8BQ0ANkv+c^Rm4rRb9wgXo2LhaS!j=#|ys>LM%%v~|_RgCrZ z2U&N|tPqnB>`OQAe?V&#Xvd60f(tYr8xQge*h1J(q?14NKGVNTQgL!#R=oc;Kq}dR zU#7c6(PY1vcbQAvhxs?)##ma<#~FAK?2^A@ZEg23?Oq2uJS}JcvdXA8*{?o9P24gu zTZ0TAgCpI?EL%&e6enk3^t*lMjFLR^D+BP4YUDlefW?+dYgS~v*O$o@o~gm_`+ zP~bTlAf-j?aPIO}_*$1RU+-?y-!Pl6_`oLw-jIWGHPWy5X%%;^{VN$QS#?%m;Dp|n 
zfGS(Hr`-$6rf;Rp!W7tMA>96h2Ls`0I;3CFd$5ZGa&vezsvutyv(?85IDG(@>=mDypN>V`FlIs;cpm- z-%H6~BsSC%sv^irnPz;M>0+rWvQyE~yGb3&Y9**4#@Eei_jJ7dqt;S_lA-b|Uoua{ zayIp}JPlm7fb60`1oV@s`x-giKDULmuHgeqy-60x(*uV+sZpHB@!4iT$jAGdfP%;^ zY->!Y{4x|_KcSND*B;Fnf0HsNb2#7V3oN9gvG)A^0mjQ7_>MooBF&`$#OVtW#N@oU z6?^&7a+JZsia!7Z;}f*|Ugy;wD+7}wd+zfSj0|*IqgfcR_dDte2zz`V+z(gWM`qum zq3O+rlA@d;)sTNu!~Ib~V4V-m1Y(o--oRWsbwIR0o*Dlx8=8pz=L#T}{`)|C^nKvI znXbV4?|&6dAaw)ezWYOgtIZ?57bt-iT8~{=5BHIKa9z_@60EU~WKO#yYyWbxZdS;3 zDDV%$pf(Y7VaGCk90zaRc6ym-q z+qEd*lWPx>3<+2$daYK*H$d69(21tI@7s6rwKYqx@ZEe|JF)vi(bNagXY(aL)ytAn zN);#KG&5y+jb8#pxm7EkHn1)EfU|y+{iF%9=Ebb6lo_uo?sB>Q*mr8N;OG^*$SoQKE}WPNZF_wVozJS1hPR*U9j8CzrYbX2cpP zuEge;rg}SKOq(mgd9J8qa-(u~x-j~uyh-I!MMp(xdMxzpcZ|vDUq3}@4D|`9O2Tmn z2ogRXj9s_y1w!Y;bK_LvLWSy+NYw==^9XZs##SH2?P}36R22o+y1BKydIeOSgcBPf zxk#;qA?y-OA1CowYjCTL{^(b32^6&H^;Eh%83B+$A?CGXzFBc`b z(r7xg^p9!Qu=aVAK zS?^gUM$lT$WT*3fZ2>9Pxs4A0|GRB_MB4#i`fReS;d z!&{;{P!H$li_gYOVFCHll(>qMb#6{{edBFAkp4Jv-sISi59ood+Z*)>6-S;4J`gQy zd2z1gj-~M$5u5RcB|DXTx1ctu+P(T?b*Z$K{F?DdRZVLxnE-dCy$|2Tntt;^?=jHg z-vZ&}5$sFtrxON${r*Rke@;P^XX_v={k$Q4Cf3#yW7X%ae@_9z46HwM{8k4l*w}WN zY9i+!8>$SQR^AkD5fdy(_DB|2%GZwGIiPt&q^Z81Prv2CF|tyRf4G)9+8HwVkZN`N z&7Dt1^RBA(qL{KwQ0vM39K7<}B)ft(tm#-$rpnbCzOOw`y%Ozf#vE>99YnLS8!`xV z8@&EALs~Zk7Xgl0v+zgF&6?PI#ATQ(bZTnxHqe=L^ex4p%KNY4OIIE-uH3^rcj(6* zzF4jgR%a;~Iret>B;sO%vV+y3xA2rnEsm)N(zg-r(7WQePG(1^``JpE+yRnymGpe2 zynY|T%Mf5>vUe`{nT%ctmMoOTm5cb6tu#T~82Z;r1tXbM?goB#8`#U>b^d9P@NTGo z`HH=_sm`20T_O`pVziW~Wrb)+S|9Gmi52@{x<((t_;E zjBH@Tiy2&_$As4Y`L`Vp!~$l76UsZIK7T|Jz!Nc`6g=HOgA??T)0nbORvqk_YQkPQ^o)I~cy%W5da&Occ645)p4V)2yred)+7Zf%f>Y*imr*s+XIFgHCdNor6dX&;*yGZFZUm&nzOT7fXiR%w z_E@osu?W!B#k@SQVjCCvGhnh-z&)<)+{DtArO*{2_>sD0$H_rsk>2mps8@~eT`c>b z1BQRuqr0Nd@3D8elmAw%{nsP>_YnDiylf&+ETcdS3A-gk4+)Wqz=v`j*}#ou@2ykc=AVFaO)XwNc)RkI5C7u6LQynLn!$ zzj_ESB@C&YV?F-aB>uKs^J%GIo72+HarHl~DI={m&84=Cxv^z=Py9xbv5Kf+)8>&b zyg5DRDd|R^rh|s_hN4ytw;n`3enxAV|5y&m7cLvcS&=%s_2>^3p4SSjyr_Mjt?@eV z>~d*z`;7rJ)e;L=lW5ZyxqjM=JhV+9)NE3j9K=#}Bntnd 
z?CMK3z9YA7F~8^Wui&$R0LbLv{Sj$)H-!4;ZnY|o#a4sV{fB*zyU%*39}Xwq&(lxP zq~F?sw=r{u5qEW)HgaTnh6X0vQ2#Nf=sE(P8in4mI*DB-S{5Sr>4#GIwCGiyhlvcjert3A70r)D%IUt-M{ z$90K{5An%%;&vS~zr~Bws0$-9bBc@1{6Zc?czBl2?k1%ZNy|}8t0|w!+$o-5+ftos zaVe5Fo~lQa=82RjyJg`oPXwD z@)qGtFNjp){1*>0?h%;PU`XI&f?ADSZ4M8+<5GrGbUY)C;fyN(P%p=3dMRpBv6QS; zg5<9cCD5L@hDjUHC&y8HlB+6BIzcN2boHAoFB{VNu{ZdAop)~&ib4p9= zyhmz%Ib0@*-add0`;SPpU4YMzh+`Y}MR6X>vCo>)eJ=In_4ns1WMyg4WY-(DYpN%8YD(m_azx0o7?4JQ}P2F^oKR=?A=yv=f zZ@PNgHKHB2dzlqGgFBX6%H%nVmy^FyiGgeyt;MQ%A)lvTzFzX8-|x3SYM9p1yB2$Y zbn$$MPL6-XekiP>`upbEajj%c1sO!;oBE?GnGyVBBtlaaM#bDN$Xo5i;6G=2?L5@C zI{D+*{$-5y8gxL1|NZBGQR{!U(e`=(u7%m^1rU_pj!!}KU4&>4cz}n;NsEGKsS}G;Z3gO!ep6wm>SZEVHqm5Hj1htaLZf@_UD!j%mDlV zz%%6n9lcVm*|$I}hkH7DS?W=M$tVoH?XtRUfZDJZn(E4s9XK9dsrfnpL_!U~HjVja zLgj3+vgy%4I~cUmt!iXm#Zn8J+X)azU2Jt1tTxn=*deDQ@J&bzXoZR}{c7TLCTdmd zc0^y5fWk`}mlmlP^6BRoDq^at_uY4o&jm|Wb|2!Bp$wEdom!7~;C--KFF6~fd` zL$c2Nv%VMK1FFFXoU3Md&r>|>yy9Z=m@bx&N>Sf=(l5`{lpvDjuma>8{rtQZ)Wf53 z$&w(cc5kK`m@tT`fwgg4XGKFyiTMCLaM2=?phL=CLq`awkKt1@rLcTTRlpEE~#oIHM3(rQKQDFFqOn^8*wp%z^9=nToO~mL=3jN<>0YHWFpXUbP ze!(h_f%MfTvP^H(RS7*(Tx?E@8Lo6G*4>Cd{a*hCe>M*3zd0tR0A6Jc`iSNSy!IN@ zkSR!e_m$w!*L4Ea+GBsWz84iaH!sgi`mUN-E-#NZ;ipAm+BYMFBp0VYtf$Y9uKKRF zXTs*(2TBou(+kPEk&&(!^D15*OO1KXlia}Jw?KaQ4aQB_&9;`O{XXovtOIsEakF-E z*_twj0oxf^Ai0chW~sA1<;A$(FFDaUi_)#KY6W9hzfgL!GmG8DOWtcQ7OzY`lzOFw zfsrshwV9#Nc&UFsZ1`ht{Q8&k#7Qmb?2HV_z}a&W5GWe?`Aex0lMc<>cb>GB@bZ?H zc_h*P>isA`-&en%7C-{u52%1`tR$Ro@0^p|oWpL8cTU5uH|&5-HYZ`Hu&bGqo5T3N zIp<9Z_~8z0K@IM*vUaoRv{QHa0X}Y!QJT;Auz+|%QyDw5V>nZSNfggy*DM%k&oTOq z($6j%3aJ8s40uK!LI_m(SI^!&hCJKMZ%DYA`0>)_I^$-o0=C?Avx|5$RB<_SvoUe= zE9=|M%+315%{>2E)Xgzb!r3-#|CIM826ixWlfZwbHFq>=tW$SoM{<>ko1?h5@5z-; z_bBaac~o4)S)2@mt3yZN2X}KpwMbTBVyX}5fe!3xxVp9B@+K97ACuFe@4@cs665Z# z!_Ae81NCCBjba6vI}+c}zqT{e5^2c_t@a;Y^cs>d&8Ll$7NW6p7{)*WJtej;GjEEF z#;E#DNqYNJoO@4RJR~*p16zA+tJ<4vrCAyx(Z&eh(6+*R+5J`ap!^IrT#p#4%W}~;3PZ+#1nm4+V6z(Vjneev>@Tq<6;-cJj*i#!Z~kwDo*<{XQ+M`-&lhCZk}w;zjvPhjSXbLF?nJr!Y6@^QP~v 
zR75Bz(j<70x`^0%+q9xJyo`)lka_3b-dk4kx*7!|l^z$zIf;bBYNO_Qcx>CK{RB68 z{O8(HFkQFxf)*I;e3GB++k_KRZTv}&v}8#euBMgqXQ<^Q^2kb3ss1PF?ozz&;I`nD zkJyu5L!}DhY15jLv66*fCX)PyNW~SIgk0}WeQcE~=itIYZW15O?H{j>qBO-y<+PP+ zX;$SfAg5Q)6gT0DmN0$!_1A0TI@{}72+z0<@GfjLA@6NcoS#U3;2Bdiq}jbtr_0l@ zo73&S>+T=A=OZlFn{#L9WAMG7FptA^U6}1!Cx4CIS}zU%S;yRI$Q;lS@p5l34CW4l z0ZM!plc$coy6eBXLT19A<{#%p%0_O^)c&QPgDl(d+%#iaa{xKeXyV~kD^?k>^#kR> zV3H6^4+s7jqoivD0-kNOR+l!j@Z;DwuuR-aN`~G-QfD^0ts})r3E|>2T)iOy+I}KG zaGjTYBClmq!_LiU#@y-R&ed5R%N)PEKP>fhuHN?a0sL$VexwyJcWQTj(o^u_tgE8_ zGKAl4%b0(^8{>K&L$ipwSk%X{yYXOuxSCH{lAiLNIl&Y%JsT=3WqQ|jB=!iaM@2Id zecpxH3i@H$QT_i!9vnlybX5cydg)xU`YF0N9WfMVFTN z<@Mzn(6NQswRh@M^@w?*?A#w9?YDCI`52hXjkzxGr7z6k)W479<#neT$z{zHeE)RU z*wG1oO_OkX4!_PSfSu7Ck_aL6Gq_(QzN0`y^O8*xkUZFTjm29D`nA8G+aDL7HN*D9spW)i>YPtbsO;HsUQ&^~)kTkH+K3=|~o5Ha4N>ngNtPI;c4M z9h+R%FZ(RjLAPQIK>}V74&Ng2+&P)8I>-vR*_czJ-PHd2$y~x|mA!iBdmOsSmF~Y1S{&IS1#U{1>B1rO}%8 zPFDxIBZuyQYRbO7jZ|I?ZsiNKFvZszjp2xMf0K>i{%PDvIczT-`O%PpeW&e(YWg=t zM0c{7&<@4=SV(bPPy0JzgxMO0tr&iz4@J}WPA_9F$>qqaF=3~ZUF(QQ6~Pa5s)<<^ zC+-`<)+0ESGz4!?y`G6@`8DhL#IPoR<=|G&kOA0xPU3SMe43Z4nZUic;8l|Gf_g82O3>^$_vSD1kt^V1S>120@UKs(k?u zP>5>cf;dy8lOxzg_%rl~;0x0Kk(K|Se1LbEi0%Z-$E~`n9hW}0Wg<#|&aS?%bDmFN zAtQ|fZw?zXJ<|0szn!}P?tD*ra^xKCc=PB)gD3Q$;tP{{Nrn!Bl zbjxuwQHX>(dm`-b+g%9uEr>1}RH3{^#OHy6? 
zGI;6mU6DK{2kyyWq~qYH?%;qy&(BipwWR?#!HxnXx2*AU?AAub1B+woWoZfsh#Cce zjq6W@%heWdJ2HEBE_>mZUGQN%Wzy#>(Jx7DawvAbm0!$8hN@N9wv9q(@3Ay?0N#0R zWwKO$I!4x%23>-A+aRlQ!hThIJy$Ww;=v*4@BHL-PoZc?lRK!Gu*)B?CveWwr~>yD zbKMI9ORgJpU#p@A=7@jB8X9M||B|22a=H%OLMN&B!ytXAF7|IxsAK>&blzGF(AJll zUud|%f`Sv}b~Vu-TGiDn|Hu!l7xDku;dL^chIo|5f8X!98SVU>^l6Zs`=S=$@8*un zD+Zzm=`Ebu7WCn*T9-%-q5P0an>4+Uf6W3o2~$^0r0XW=N%$xCw#`5^joxPKD}VoQ zu+F)s3hB`(R4bDABow!A(7pAJ{&L6heQ>T4t-Rb1|LIZ30=&F?NlHev1(^>yAOFYm zeolE0zV7jZADhFED{hYGt~X&<1w+w;lh#E;ij#r3MSl4sZ4QUin5u!^N!b;JcjT0gE#aL@0PE>1@E^YsAqJ= zqqr=T*IBe0i8Oe72WfESA2;4h<9Hlw=j~qPL|vSG8$kUduE1FW^F4lghW*X}Df@X> z4W#T*flokmt^8l2YfRK!lFKqN!FP5Fi2o-z6MMv>MX7wWuI^7kmR)m zoZ7C@AWV)kE^^u--V|*NzfLcm=6Q-PD^*Ns@V1B#g`=lRM>A6@t=?Hx+=SB#FQr?{ z>NoqnGE7&VaE8y=H|vazBBYW+@!`X2^nMTO@4+`>9oGwVYepxz1F_( zo^^edlhvYARB|CjS}`SWg|VqwGo`7`ht-^QT1$q;EtHTNr*%aWqZ`VlJxqPLNYG(# zm0doZ=ZOuwaIV$~UTCK0Fen#T{lE2s>QXS)DA=E0o)zL9V7XDXH|uNR1ar@G458+s znoZEmBqLL~xc?xKv!8A(q^Yo^}eL1YOF)PZn zBj&8FTQ=dN3Q3cl;-#rU>eDpJf>;b&I#jqL)RL?v$PM&#@4?6SeOBsxLAg|(RUtV3 zgs-0A>@t6uDX-F78^RX+GF_7>N;@RZ(bxz^A=Im#_j^T=>os~o^efICz8E7*NjT2be zA7e9XTZ&;;cXr$Ke}%jCfE4nWRKN`zna<)6gy<_HA&{yBKojDZm@hmygad^nmnWVD zper+VdJd41nTvMncWr|Q$9_5__bazbs(cB36)zZgKW#mjCr(MdQRRb)f}R73G1G>}L$7G4s<7zjSz{#gBVB3rvH*)-xQDZY z>h)$GPX*NA!#Gd&2-OQ6@lNHu;QKqXqe<%uP{K^m>((&g-x(%|!N*TQZ1 z0{VYC`|hx&zHQrp1R;o00!Wn>483<$3`G)(p_9-%1f+w2qDT`$5khZDgwT5x1f)m@ ze@GP&M4AF(K~MqFw}a=Lch0%@-21-AANkl}v&&j*&N=27bFGC1>@VhAqB-zuhoeC= z71_}L*Bq66jsKd^>N~=Heh&kiNCFt+(-GPF_N)|8 zc(q&$IV}+N55mL4ba&b7 z&2q1NQBE`Hg#XA*UPHXpoC?5WuxN_cEFf?>v%rq4zkXb5JW~^Gyf8J$2gtj}re?fB zU5630bf7E%7=mKxg~UL1)O6&21D2*aOKwL{xZz2=fzHeS{~Q|AgO|V{B_U6ynOaW} z2<{sk?DoRJ5JCj8gF%(&b3zqpJ?zXVK{-ITbor2dBRPQpow=`!xEHxoH572As6{+b z^IJ)(TchpZE-)=>M{admg;n^f)}sB|Ef&^NXL&8WlIk50R~&XBL#9zJY`?z;$~j(V zIiz%@#?)=Rne(!(zn7#ytP&vv|!4WqUVmvwnD06 zdItKujJgq#vJO|h`HDtZQ6H1n_!l4HAFT&41U6ckeBET%;xhC11To6HP8%VOCrY8; z58G4Qn(AV8zt%ayoJxwaeV8P8CIl58JDVE?F`FcQN=JxO2oF|?V0{wV@Zz8NO;puz zdM;G*WgR)lDNEBPu8A}`la=Y 
zZ1h^P_d~v#zKQ-NZnkL#5lXGA9656 zor%Ap?26#a;55?K878VkJYR-em{n=coJwN?)|tQTn+-1S`YmEJfg0tNFf?rTUw|rq*#&0S`n>z2zxodc4;&wK*ncvm8IOKxxq`-D)QhLvuac zWl2&isS})2teNJAZNkhx&l8h(-!QzEvK(mCX7qGUlyp0UBvhtYXwzQJoW3O=zHgU= zF6at95CW+nPR%;d)WR#yfGMY&E;4C0iD5%=!?089^26Em*>#nQgbACRgp5E=g1lT! zv7wUOT?XMD-Qvbff&?ircU2tHrw%HVghYze}BPFWO_7ZBgdCMX=Za6 z76V+lIcFW#YS7$2J)3pz4hp81#uhd69fC9oxn!qq$4KrmkO-1jBZ$efzq{+2^b&T5@1lc(@rZe&(@B z_w2b992UAkWZ@727BFD($X~LkLTgv%GnrVi+(xhn8eR$O_M2HKYb#fFMNe7eG)5+^ z$kC_Q-kFdSKad@GTGi5=li>3bn@Zr#z!yJeCs3J~!KY=9qbc(N`f(U*i4BQ1TT!uQ zJlIz%R`&fSwi$=&j$Iixsz*nPqFIdYsrQMzf&**xlP6bRIr`AhEIBSgD?IY;+7Akf z1GaDG->$_x5Ac?NtJ-jHk=+s4H_V2-wIl(6(Kz}N2-fH2$gcY5sk)D z8YNqrHZF5WLM@lHN`rFV^lnd15Q;3kvW#`oDh~n{)9yFwJhpsEl4+x#%kiw`a<+ND zCDnVi;j@s(%=KdKPHh-!w0xd9T~FB*Hy~C!SRv0@CKq?pG?limy)2eFLw8@#o7iQ1 z{gU&o8$@+=R%;uZ#jTO#SXg@WtoS?Oov1*8IDAggR}me7Mu2kZ>yBYQ6%oo%kRSo2 zk$7=Hd>`I^YuEiP_;mMidxIKWD0X zKxZmDyLPEvE0UURW!FYfq_P$9i8RUO{^W9q7+ci#jpc z7On_Z?i^)^Hsza?F>|!)%Nkv=5Ri-8nMx`x7YnwpGx=+e6%x=UT6;@ctil&l+|*qE zs=qSUl9bwJTePjsZy?U@5+LwEzr?!^1wnHqTIy?ZKBk-cJ#`_&=wc9*f}oC8|nE+dk9Q zANxr!Jp!jw^^c5?{Tw7sslLXus~O1#_?*8Krf$4bC2!9H7(;GE;(X%zdBi;#kN2PO z`txZ))r#$}`=bf-Z|dD7d;%(jjh-)HV#eehHp!;yJjx77)`gh&ZVtyqcN_Z7=Y^W^ zVm^Q6L*6yUj5+NK>U~3?e2S?`vL`$z2_XXUJva}oQeoH0)o599DxH}rKh=Jd%jhzl z$)zW3DwxtiSai=F5tuN6%COsD%KJunj$dCcuP9ciMr1gz&&1Lg`=w8mHabXjOavEd z4^Mt%o7(m>e2pVrjNhX88O9}9SH>+1GMhKwtPNPYozf^fL^JdGS(H^evvxMaV!le) zVhk5j#ZYK;(Fy!QQF3#EdD7^!{6KSbYIkb|r>vYp| z1`EMD_H6N%iaNWw#vLzcRV+23FI+^q>BW^v%A1W*DR*xbR^;JR=nibb{(v z{XLpRipvjJMkplK*A2xd6&+s^2#11G`49JN=HsHzvrfhTz&iNewYs|E-_W>HfyXp$ z5i<54RRAgv$+p^x4gkJVTpRS@nQ_=Ul(Usl{1YwKMBBe|`8I0Ad<7mUVz zX0t&qBIs5|jtA2ACSKH7Ywg%j&mYk_a7{$SX;u6F?1z|o5;axaQD?d$<0R(soZVX* zut<6W2Y3-*S_ivv&FM*fn%LAb#3b5;7hT7p!%@sT9e7*b=kfeuwTnP>ZwmjMWq7Ko zArrW1%B0=QQRXdYe|C`jHWIvoUP1)5h zlMZ?6a3J{5u+XqJs{%Y?gOxRrFq##`bKqSOvyca7j?fDIO|f+%qEqvxsx-SU*XgfO zloVg&KLisvnRK2LmI-IxH5;|Xqjya1Scd!H`ltnug+^H3ibXEX&N70%JX$Mxw2C@l 
zuz&T_@#s!N4^zF=b*DlXshZjM4hj>*b(p=*UlJe5NRO%EHlnKOY)|Pxld6#h9D3w^O^I2%IFY(gSc7@!8StIw->^Vt zrI6rR^{CHR?3Xf-gNWX5&uQHU$MG;bakV;{kNQ3w(BH0@1_DDkP*tQ+BbQc)4JsN`ssGb4j&Y>oMkaWhD;yH5$muTu=(sgW=PQk zg-eT)8#AlB`B=k_vnDBT{WNW!`da-C$k-qLp4qXU&UNd6i#ug~|F2;T>Ni)SyeHwr zYY-oyd9QX}QjvUAJ!$PP4_!#6o0H$}>D%3!9n#6TbN&%u;QY&~IHo1Px-I@i`Sg(e zcd(W>uD`|l+xGuT{^NrLpmye7ckaY9oa6Wz98k8@Vx(e4YsA>!^kQxA;+*u=@$0%)C}n~Rj*`wX#GplCg0ut5hZUB-aheOf zt%jQP;GZ{nWd$GFbqe>>W7yLtkhqH25Ba^F(CYy*5225RGi?HY*J{`5ZlRy8`| zq=*S>6wl~uLDglfgs`S(=8qcivK2=d8u0%vUWAuu0yx;kRIwpt|5T-JJr)sKye=lb z)iiTjM&DI=7#XnlD=sMCXTxv}qGwH*W}1){cXcI_0>-%&)2>^tDro>7`1sR2L&3$vkL4czdqa=lx$k*}g5}N7>zEtjd)oOzZ_|g& z8ohSg#H*z|G>iicEZhV=q;Tav;ThLUyEauns87I$~HEm#|vb-79G*2CWdvt)(IaVA}U zH}*%67bH{Y?U@ZV#VXk*Vf z0dKJTc_FsdCbpL|M}i3O?Z6D@d}i2wR3UM_$;AybV{qEA>Eh9i{8T*0bfv?znEa@E z9sg`jXyR3)PZ~m-1C;9-O1MC|^R$I8OLWCYHH)~GZ(ou#i=F@FqZl!LpOW#J$bBu9 z^#L07Zw7gnwh zdDlvqhK~H_H=8UQ#Q2mAMs^{S4FtWnjJD)mH|)hz=>ngvS0N4z$7F(GWwGCUOSC!W{Lxy zDD{YQq&;d)9DCP{3j#_eKTQ$`M3eof6G+Q*T2;Pe2$eMcPI)YBZRxIk+QYYm#?l2W z;r&pF#jnr!PT@G-wa23M`sv3B@owc7QA{o=EFM8R79aCQ5imw%ziZQL+E!F~u>;=D zLujnh)PsJi!Ae}3+u76DxY~|52Y6JZ|Ape$geDXgsZTrV9F_icMJtk2Uu5y|XCS~M zDj6_9_D0l*UB#xl+MXKi5? 
zvgefPhXSKC^u+zy2NFTnceY{ZW8KDx_k-;>Z&V@5B4AF6X?L)Fa zrnhrhfA_9MD!Dx|m2jw=#gKa+EnUs*cyw${Xe3-@W?JwsRtZ!alfAS*QUF`#67tpR zSr-ANt;e}kp!zuU=oFYUO0vgUZY)}r+pbRA))+P5c|Bv%B`-S1MRmIQfTJ5nW{oYv zS)u_YCaMo+XyMBr5?9+kHRWfBV$+*^Q>&?LC?+~J@6K}nFyAev`!zvQa&1m~DG%MR zYdnt>$5g+Z&6^0>EMOo7uG(lew$O92k=aZ-pj*|Kn})~xF50TONfyi@fA<(*$IEf_ z6)EL)+R%Oin?%-Nrv8(lVvl!lHUGB}mgw~QZoeb$rnA06y?sGmvZQ=DSiHPKJ z6+-y%zuK?RScUv+a(Vp30lMOC%`Fx#Qd*ajC3voE_ z^`^ZE$ANDw33qBigAUhxtmgFn>Ih@4tKor7O%VobA4rAM4@o5nIKtIhlp z`BPbT1x4AP3FuCA{?02xn)!1l{7#c*o|K{vd;Mf-*AxsR&Ub0jFN4*EEe^`j4HZw8 zVyBtmI736+sNBj5>S;@Hu$JA4^24~J9r}n}ALoYR;%_>H$|ygrP|g3s%CBXgpMt;L85ohSOv~G*n1=r_G{J!m#VRqY8 zy28wQ0-|d`F5x5Hgw1Zl{OpPA-9_^?vlbp1lQ;X{eN4^P^1I#p7`5qxIMSK=)#Dc3 zxN6UmW8ZH=@+v}`pH^+ll|Kbl>PLqIlvWh=DZ>{`T9H)4QetilW7d<9=DfM`dx8MH z#gDj`{sov(4D8Hw2&~W56m~BNse@^LfG+R`0t)DrT(J8CiY`5P(fevOhono;@kQQD zXI0B;W3glpNMouNlkiyvxa3TilXEvDmg4Fq8Z_W*=>RX*Maks|SKka?x3Mm|0e;|M zvnt<5(o2uV@ou$RMZ(GjeGw07%_y}%`@HI8u=B^@R)E0{)c+p;A^QLU2cSXz1{Mlh z(98K`?uZ7g?)s0L?45_?)pcOuAayzg^q*=4v91XX;Ql8{{2#gC-wDR>B?QIcn{Uej zfb`IIpYq#k<=F%M=DqDI+F!J<)_>Y9?25G*s`S_U7=)_kjc4_p;VEMe+tWyQewCN% zoFJ!CDRqPLmrm>OuREWEH^XAd20DHTN@HR*N>EEud>T-q5btm*W40VDR#U8#;=I@E z+jN6{fJvA`k?$JCrDywgWdl7YZhMar5=F;t(Eq(FHue`Qx0NZ+9*iB;kHx#Aezd$W zG4_jQ(G`A?bnC&5DmTHc_#C0hzQ=z}Q(aWnionDAhBPKPea#%|rK^6dq(>p1il1hY z?~sBHCN*|sZsjx6W^8(!Nesf+<@88zU$b1l*I?uo(zrTd=Gf7y1>|+IYP6t7Def+SS-sO6eI776jUw|InZjjY|TW-hmSy`l9~jY++I}l zeQ3Kw9q)0iinY+%wRMV698fNe6`3PCRd!az>Ryx=IuCajY8OnCG;vi;bX7C{U>47| zK`mTpeXr~v*mzWei579l86V)8b^R}RJ@kac$l!#G+X{R)4pcs>4m4Ub9XL8o}^1rkmIk}|h2o-TJR46o+sbqSI{_WNq=fDb)Yo^@{ z7Kc658)V_T*B+>N0NItDbQkae68jUP)rg=sMX=qY#@iP=zjplaY6)34zJ4T?sq|_o zX;Y!?{Kb5yC)zC=V=e}&orZoN>ZEp%ZJ9A40%6?lw$O#ix)gDouF9x$mbH;_Ce2CE zZzpzrqquS0Ln18qy}p_G6INPdRJss>DjG9EBs&PwmZBDQh!V{L zwypx)JEy%}b0I~nZk;>9gVio>5qk~-jt(BTuFUXwnpnbdb62(CqFrrTk^GG=I@&6J z&c%pXA<~S+!MAT|B4-F6+RfuwixA>ioP7}WHn)XZX{B~b)VEY4F+&*#v#b?ElL|}Y zKjhLm@N?54+j%x%)$A7`7%%kM`qItMJd%op_kF?e%(R9^=9xt3c8>e~Nn*cAdkhY2 
zT{UcKAr0T`vCo)d(r=aKW^!mXvdAKhcOd_!0JZVaY`Y){WhMDsFXnfz@Qimvi#M_1 zJ~(J5A$f&AK_5IuFXjNw0DxFJ@PeVn^P0-KV>e-MGNV@32`+FOjf9IA+%7QeIpozl zbeA$sve@_0=%NCf78rMa=y9jM<8Y9XT|X))%fJ&KV~d0piz~FAyv>f2fV67YJ%+DF z&ZLPB_6#fgwNmTi-aSsj#Kv&wXAh z?MGbmc6{SQqU7pkfKO9*T^k;I|Kz<}O5&6LQ+Ah6n(HLGgZ`Y*#r0Y1*M`-~*ZVJY z+hA9VA9%Ga4my}VQB}0oy;&9;kn!zpuM54%>63x*192~8Hmh%@$kDZI>|Vr=H9 zCAg-PPJGr{gg>8k;j2PZT<3>Mnm?2zg2K=Am&c24Z(l4o>8ta{_3{Qhm1M5O1B)!V zNai49^t4`$h1mpbmG4bS=H3bxwU$_&GIvH^i|?Was?6258`ohohU8Q!-!HWm$3-=X zZpB$7@9S3Kq?tx=Dr>HNkqDCIpjBU13dB6AV2Lq$b!)d4=)B&c1eVm!%9-zm7sZIITL<1d!1Ho*#5kt_Da#A6;dK^UeW z4cEpW?Lq~?^o4R(8OD5QG&4_oj;iN~F1oPaZlKe`Da`t1Gqi$w`+3DFLhKhBgL!teod>I2g|5u+(5w`Xf4%#B4`D@%D++V#onXMe2p z#emB(B;YR7@+|Z6mCd22B2b&Bf6bp8AT1C`c5QSqutWk zjnmsw5Z2ru-h0g??2{{odhH*gm$P`^a4fpSd@li2sbZvoUd{3^>1({;x7G2d}qHhx5V&|8n<=uq|K|U3>adEpqmj@ zz?SlQ{^+)=x%pjiEnlmcu0E}}A-)fD-X_fQ3LbR|-`r6ec_%roGs)bW&to8Gf^Xg+ zTz<iwG5giRBx`Glv3*U=Lrc9=DL zuVB-ivYRFVYgvZ@-M!kq2|iwq5c!0mdPMY`GKUxg=C;c@9^+=v(&e+x*tmxLq0+WyQ_C(k zbh8d4=J;Xr>Qp5^S%eBW2c~4XYku?Y&Xfj)c^>y%yI1RbXY&hXlo5@ zwwaKO(ETkozB>&SUfB`rEv~l^|Jqzq^Nr12F6jg;UV|^!2z$`|Oi(;)UfGv^ad6W+ zWIqlp%*fG2Dy$_e7Zq99>eq*kil?UeuZqhb2Kf7?xBXOqnRMMhn|D268VVB;N-ULb zm}4*EG>v>)I;5bHEo6N8Z#XdB5e}$oU&e9ysmWG_1TCtOJ;jkTen@J16MDf&xNYf+AY89xvT*Y(lW)&!UgtrBLQ3OIr>3Yqy%7vH z%UbXc^CCh_R}j8?!&CjlPs(Dy1#f zj~#X}UySB`f>zG%u)g_Vg&N>5bH8`M>F9Iy5sQ2SznQ<|h{paw>(@AoSo^CTu{AJO z+vV}UCtdm3BIP{p?n=}Dea1D z-Uw(dG*B7xN$mVMbYZpQ_*?lq+4Eh%r5zI=bB<3EexT5$ z%U8XZa;&M)+5g%er&(FxB_0`oJIMOUYY4Hc>O50TK0K}{q<=tWKv5GPmT5-}(? 
zY0$D-&Sfy}>OAHEnUT>q_nn}PhQFP%3H6ywwka5HMthgB$ z+{}abZhtz15r{*k?dR&w(OBSm))-RJR>>+ttY%ym;Q(xGyH-IXs%>FZUa^?uHZagH zBjOy!{@879*(1Pl_OW?HP#SRz>XGvtaRhFS>=$W|4X` zVpq=hX>zq>m(O`kGW$g?zdL^xPz(;&#o9O~MZMd!^+x?un}dDlzTo{I(iwMpSv`5& znl`}tP8D@FcI zfye4%15={Yo;QJA*bD0=O;PXC3348Up{-*6svtk2x-v7~vV29Qfs<9fU8?Avk_2eu z#8Ccibn%G)q z^S#*GTSR8WK*j`CQya?k1sAk(PC6tEL3pdq84OrAH-T9 z49)sesCaUt+Dd>D^bva{SZO~80-+!O1`dIr!jqcz|2qGYe2IUWj``1rqb|E)wp?3R zRC_pPW8%5(=|_0@gQDokPZmD+zWgBAV)P7H&)cH0GG0K<>7*Kbl$zLOrw&J-2H-I0 zUk_Z$h~&BPLMfZ3sr5gA>GIM$4Ttuv#BkN}PR=`lp;W0O=fFP(SF>|d1-P-y>8t4;?+wQHM*NPZEGCxsba_{Twg!{23bX*55lsdGKyflsp6E3^nXWqP#HM7=ZtzPv1ch#<{T~+)0_O4w4AEm``u_>@YAQ0|*@i(#{&>aZyalyI+ zyb&!pJO%!t*vN{Bf{F&Hwt)vUqgPU|K%kN^9GDI|@O;-wT*U?idSH9|L0K@Qbp(OD z4c@OR#VPl(a8OvkXrZM z^&^9gI=Uj&tiSZ0Zwziy2VFuVR$V|uGwCWOoi9P;;JVv=_2=3TX+%BU?nX4Hg@ikj zG0`if&g%7XY{cmaP0V~QY`73|fxwZ`wu8!gp_8hcbG*pSM7Kd+RG^=K`?Dgxeen0+ z0ljj&{l@c19usTlwovoKG(M4!w6`zu?vA5)Lu;K@c0FJGe~kCn2N>#NqY z#cbh=co~ng(G+NdjK>K>3KC`nrns$k<9RD}J{-%jm2#lh!x9$44I4OwO$c7rpD(x^ zUeDhgx^40wdK|h)3&Febn@(HYC~$##o^B#`o~ez2M#)YaL0ZtNCi_mHVe~3k-yp0n zp3@=a8YgxDmMQGI%&zH%G=em)Gbnl7jErj`o5!^pH@9U3&vaxleqaEiSg{0I`G-;q zMfPc2k6txch1<+LTE?T_$-g>~lbOG%tkZ&(Av;e!_Bs)pO_xou`CX6WK9BPvP7k;o za#zOnau}isZ%J2bx;iX!zur|6hIU;FpATg^)UVP=1tn6MxUJ6E#M+rlsc(CMnHhpI zcGIKsV+S?(2S1j;%Dq2_L^DFqiuo?glWK=nIH>x$1W+ZTdyzc_X~e0j_|2Yc!e>t@LUO`u{s2E-E?9^i&mAh$cSj%~z z+kJU_v2lL@c_f24?4*UZVY=T`xyy}y2n<=!`qAGpJY2DyKlIBvMS&DkD zxY5tSjAngeR34s=JFd^wKIG$(&-Gz(IDM#nT30Pu_$)u^a^1SymN(E@cAm}ONwn-I z{v?aqB=LvXglE%c`iHx{>gv3FV#EcB1^K`@veC??O%={q&A(&%;3>;t6X&y#3-#B{CLsj80ikzf>S!cDv*c)^(_Dj|RP{Oqx_6NfvK}@U#ELE+K<(Nm@1hg_#_~jCl7BwU--#$+CA5E9CXn$JQ zXBD5yg~)wb`$m*rX1rkOEB;F++LiBoc`rbqCEGM9>DxWjf4mgaBzH6xoxN~_8MX+O zv8*}&+H`f|agNh;HUNRa0PFDEGP#|MyiU0q0zONxQye{QLCDLSLl3|(eO3)v+zNQ; z|7w(kE!Ifd`i$uTk@J2{)JDl<^lYhI=f~#~4#)a4scy^z(mIl?LxGZxGJTfiqd3kE zni#Rri?V}^b$qsgwBaz@>c?|?i<(>GK1RAvb9H?UKysc?couic1gp)EcTWJC5M zvJqe4sHh6QE3w$PyL{NNyy^iZ6h^XKE_xhlI5b@MTSAi-5lM^C{zd0iN{?0CN9aP( 
z;lL_^6w5$T4Vt!7vstJj|i2Bzkz9DSEz$K5nP{LUN}N(b1tj*rpwCj z(wHT|0YjvWMg~~O3I~rpg~O|!PT_NZe8Dg0U|Kjn@CsRXx)O_QrxgA&%cA8pYtAn0 zfjHMfLMOrHVXo;+SK3%q)D?I>Y_mGViEL!w#XBW8s)|`PduLTxGfZl*qofN;Lm4^t za^ze|C1fh*KkX`VsvQ-Y<(kI+TtSrx>EYjZCQj3psW19i#nG8}S%J~9;%X8COu78s zSve+(a^jqMpF+8m#L>rh9S8t>$qpOn^f;f_a+>T!%zs`)j?XUMh&j|B4r?_Y;vgqy z5l0)OurZfKo8^PLMc7yF#3ol>{+FOQbXima0OyKLZUHa}wCopSEw0yH5Z8n7xn0dmRp=qErK8(rFFGi$$Dm#x0GUd!Tbz5=c)ouq zaCSthX}4+Fbartnd?^7zUMnG>V#0`}Q5oUFUQl1K>kW$P?=Dhl1cqF=bJS6UmgN@0o@mYt$qEi&Dk~m*>o?mtvoO2T=Civ1Y4O z3_}!CZMxf8+C-5 z9$gpbJdP@!C2=gY0zW09sVz^`KivlqYtLlPIw;CTeUPnL2o?OCD#uI3lY;EqK?5)o zNNwWp;3|sZ*2h%14`i~?FTkxh!L?*KztcJ3pp%u3d{40Tp7JYLld5U_2NI z{RT|>LKAcxB7~%DLJV9Y4>plo=`zCb1~KG*I<3c`o5KR47ch{`m_kQhmkoz*hwhhk zi`N4V$%%>e@O{h4a<&n~f{m#1n^@``DzxakjSFwyC0U^1^sbD)b(tZ!e>Y;E&(?rk zArL>rFqxXt*^=g0bxGG5Bg5Vbql03d!dH^g7K9=WPZX+>Jl55V?u#$o_6x=rk|-Cr zIbO>mxP5oVnni5!Nyj$nz*e34?&nb+N5?W+@MeZV*n+}J?x8xoRU+kT%OB!?xVY;f zgY4#9gwJdWpDwY(TG)+MN!^jOHll0xp0e07c_RsASek*5*3v86;l!Ajbk28`J6Ch> zfWBqf+%NIG+_*2vp{tyglSlol*FI*`KsRgYv!eJxAU2BD<7pwz=>>@r{oWL9@_*`( z{)Nb=6rZtXTKBb8EhLN-0e`LKbhX2%i0W~2p05QPI&@oOphr)xISDxwK92_YwN2A8 zREshj<4QCPT}aqj<{P~nT`aYoEW_6Vas4j0dAoz~l48~c4J%QOXOy*)`MMK!>LK=l zVc)V`=zlR+vag$aS?hi<8#T)o_bT|*yzZOfdX7*l_=Zu*vPQ#}K~uG5`EYuncNjL} zy#~6$`?tj|j_bPLtHsDHf)qSEI&4~hW_i75Bn0nsXuM9tciW23Zh}K67tWztE~mR5 z`%*Fo^IBnQVue_^DY8 zmzRdVMSD^xeXPMM*lSy4Y*;zuN~XwIDPcev^5_|{X?@_3U2Z}gWM|~~Otp%khN9J} z9Zegut%yqNevR*se}BVY3!!r!y4EjdG(gp$!am^_bXRXP-Y6JY5cpb-qt~aG^;(d) z%f%=y886c(mbFJZ=eRzclNL>Pa=g5@FzZr8gyd)3LA+q7LG^&Z5*5NZ|P;oWhe#nW({(j;5CNo+1Az zQ)K_qMyx{@3g3lXc$txooaqwm8sGguVrS{}YRyKeNoNxNvK%$GeiN<*#qe0a+R;n7 z?pxJzd!r;E#KGPY|9V#D&R@1h92a&>>mgX50C8Wr6qb-(;!J_A@zc~fTQ9dMM~6Xj3>_p5dG!Nz=TJv4@nOlV9uw-OfzS0)CH$BrD+<|1Nf-O9Kw zU8TuNYfLV=fV?*YfG%+n}skpMTl?xcbWQd;xyvz`@v+fjn>-nm+I9= zStW~KKLVEOCv6m96f-b1uUbeo8(|?b9?%_HM8aVt#Z}jMRl_O+q|R!&h5x{%Q^V42 z*AlT|*?2I(zX-4NKnH_B%H4Ee5&z5|u4Z}LgC|y9J1N11Z%Juqh4`i#MWctk^9c+H 
z7G8somW&t1mU!CzcaYk4OdHy7+#Irkn9)do_1DqdkaWbcS3nkFR&79{BMG|Q939`M zSe@OdZDvmUJLuDT0!`FBbh0y3!cWE3y_5^HiTqZQ|1Dj&`oIUMwL1?}1n7HUqn>2+ z*4W-5&@fgU)j5>DS#ap1)I%08pjnLO@5YVEq5_e$(eAuHd;gw6z)U@0#R?++4MD)+ z3IP7!8i6fBBLI1#e?L;G0WA*wTdMzWj2BpX{hLO9Yl*ZxnRjM^2S8%pUtQz8T zS;>1m#X+XAHRO^`eRS0tq};*e6(-YHFW$YK#%un)&U|jX$vRcIHZw$HAL4DU154Mc zI($$)xv%%dCEs!2b!V<5#r95fWED^clC@;!CgMe`j!S(s?HzT4kAy4lV)@;>)~nE< z=@Ti{JvphbTV48FdyyI}mM#Tf-i`V7Oq5fl@G-`&X_<5j_YdUjyg29{YNLTbqhr1E z2fPC?Vyn9=cDM$~elvS~UD!!Em%#~#UgnWxA!DVr^c$DyiY=1)i%pIxx*ny1i~O9I zmJ%W0y!ZBAj1x;ws@QI{Oi1SKn7LON3||V`R?d|6K4w}Gpu;RSf76x8|C_bM?jU9( zwNHF%wRP5x1{*SU>FVRJje=j|MRoEBx&mjcwEPs67yQ;$QjQ?*{n;Fwi%?nIU9hK@ zgRk?2$o-nwHils(+zgB6J~ZIPd1)`H41*LUdb*eGOl^71?|F!N{hYS&0JX7<+S>ZJ zvHjlUw}^=1`A^GWYgR_4)r*;oh_U99@}hCU>8R3$6=${Xuzp>n!|qyTjqH(>^ofm- z)yxD3q1mnK3Vww>PowXVj?q0_8)$QZ6BC}Qze^8rLbyUXoFl`qEyRk6+nEl3I6b!R zJQb@%MzWT%vQSJUUSIbvgoe|MBwXB!BWg1!Qy@qeEI?c%G%#_NnGiYHD{ZHaj)L>i zX$nS%Hbu5WZX5PW%$Hi@I^Rto`y$s+5)VSrBg^?UTE?|1v03TWE7A88#weE{^9pSf z8MCvlo}p-PL|z5O?=CLu!h!(*hwix?>F13Z1GsoE-NX3n!r$u~+e{ObZK&&)GRz5* zT74QRpy_2}3YWW*p!U8SdM_O=ZDv09zP{&;+BojhqEHO0Pdv<32L%Fvs53Bmr|U1k zAArVC`9Y8S8?6F5cW60T?%y?rSAn*csjM0_!anqf?Owg_EeiN3tgKA7m6M=|8iRpE zOB9NErAk0{BOiYZCBZSo=XoW#`W7wG;lCK!_wJO7iM9L`^>0 zTmY!;V3370pB4vwJ2O$U?iTc0cR97_K6w*^NhTKW!`Bgv^n00PITGonU7+IX!@lHY z{QJd!FWQXV<4UgIm8yu!1nya)2@2cLCKWJ6>4xN6N(+C@-%!4c+eYRSWEG_TjZrNV z6&|c2Y$O{K?Js7Y03o8p?Hp4p$N@4)m(fTx3gvGd>Rl|0`FvVYLWImlG^&ydBR}ym zw^^0Ug93RKqDYykEe<{L-IL2nD`&;$X>k@h_O^DnnTj6x+@(?Zx_I+gw%RrUL6v#8 zCR$7qxoxr^GUlpPexbIlnFg!cl@C;$C*&wk4J%pZ&*MhQ{cQ)Tf{pGv^KXf&k{mOx zz9*IVq8-XXSG;!)Ce7?}Pf0RY9cRH3*j`HuO=9ccr^Ltn$og_?$b`J3OZ7CV0cDsc z4sVvRacvK3xFl1+N*R|+$Qkt`_a*mBxMmLhZ}<#vB342;>u09aJ-U~@e_>-v%M^2h znALZRM3q<2ZfP+s9X?q_r?1#7mUMXfD@syn%9~pn4`zRJWDHuxdpqT`)za3F-`BEa z>Vmk7a$O?VLAzNHH2pop=Qu(-TqEXzfF1YJ0ugjSm z>;4yd3op5PH2SWQ(mHR={^S|Qkmc|fCb&mqmgWMlF009WoFls0JZc??u(Db*toZ^$ z6HSaV6^%b2YZF|3emOL{)H>tp=#L?Dp>STErrE_rI{GqQWJI(LBM5^^iZMx@()uT{ 
z-S;oYMUmXUhZ`?mnN3<|U}-+BPNF8P!H|xuYn6~GF$B*g)c}D^vfrfqC#+^^?_sVy zH-tnI8Qg69qq|Kcm1c{bB5$%# z7Zc55*ovv@v)V>#f@FA$md3pv3~G?b?#vTj@kcRdI>#r_H<-5&$1O>r%OKX9B1FSy zRU^_^DRXQ?D1L~AXE)HWl!EO{+>@_Y7_3^W=vhp>I&spq&H0DIj8xk11X-TZ?|91( zdA%N|4E`-QjSW~ACDqqkeAKaa9U*^_*}tinmYbI4L3|;er{^C=Fd6AOmn|Rh*oyXd zsX3LPxvaqcDO%&XU#F(Lx;Vl~2ygyiiIG*rM#op=uFT37LEvJ9#jHr}k3nY{(ah?& zP_`ZQhX2_)gWlyzvIZ?hQ>$(f+3y$rk81J%>(}0@bnm;zt}on>KPICfJ5cZ^agWTt z;5E4Z!J)#Q*}$o;@(^u*;1`KIGoQd?IjEWdDFr^x?{JWZ-OOx?efkRHBKdrBoIrG7 z^@LtF2I6m?SkGW=i}z3$md!29fWPzLSq&_U)46&Re{eZdY})hS6E|6K``nP)rrvta z*8*Cph(y-2hj)IzVX5qZz$eu{M4m*(^O>|EJ-lU#x@Gp#ELH@4IsREXuDgqgwOEf( z?e;@)OMK;2p(6Zti{ZmKs+ewie|J_Lm@PhLl-va369hSTKN%SM&6&@P4MJ@{k#dQJ3zU(xO3pT=s-s07 zLQ)0&BNXA`12(N2fl|bHYvQj)oL;<6;x|c^d79o#8?&R+ggmsgYo_C3_)(p`Z3C}D z{Dn1P>J+{8TQ5;iZnXQ$PWKgLNsIfcJ7Wy#dx~T z85!jtfA`jMEOM#{IS=%E?*8Q`@Nd;6JnqO$L!o(vn^uC)6Vsv2XMHnmL~`wM>QW?? z?mppq_Xm_;nQ>>MCRr*}g1y~Mggy~}yBbK>Iaqaa(~!x#4N0@f`LknkT=He=)Q!}* zBTKDeMCeWptEP=y7{3V)jy8`u$2oB&&hrzkFKL55Z8jg5YkQ0Tv1*o+eAROHaZ_4X z^0O>vHBU|&Ua(l0CW}=cw$HJ$R&gR7H0c6%6p&2t^(Q03n301<;BLJr^TZj;Hd*mw z>=Ad0SOSaYZ%RzRX_cWG=0M*ymoi*HAs$o(!Z05gAIfADQd6Ucm;7iK?~&Ik|M^Ix z%49CmL}_wvDJ1JSQTSH5NHg|=_nqf)+Vo-wZfUJL4M8qhUzrE&y=Byc3XYg=vXSU` zmy;M29=LkrTvB%Kn77L@_a7t3Xe5`g)Om`KygeE?gD5LGC!1Z-4k6QKaonMVZRU$+ z=}sgII+2vPu2QK-vjyJ(6DI z{*kskPNrlc=kya@2k(mjiFL<{YDR!uDx<9L$R863;bf#?b3Wy>H^L`oj6u=ln?F^1 z{y1&~noA2k&wBlRm)A^a$1>y8OnS2ee4?9c{GU>fmS^o7Thw9fciF|Y%>1M&3?JT+ zHojTvJYyd`xi}?qX?{=VW*ojh9j%6#X?653BO(V|C_M=8qw9N`yopG+2JZgD@Wvw# z&BvP~s#e}BAXtipQ|$gWJ~}!Q8OH_eiIdf(6&w+N^$y%f@Lt|F(bd!L@9Obw`d8s- zD~d?9QEyZZS3?i!;9$e6yKg!h?FU;gxs~KW^TZ%3FN*GKrg8qRB_#7 zq7j*Mwk30#iG`MP=Be8TYun$+)1*eeD@(5_8B0e}`%Sndx^n)Wf^5Hm^1(hPGdW;z6ZQ@I%;5k(obv=9sw2#z?mRv6VVUYeqBW5A^&YBnFn(r z5EUH)It4(evCUvuA7G2)zy%>}lk^oqKp;%Q|J$I5duOZr)QQZ;$!m-{`cI-W4bqGa ztM1)fT}4}tx=OMuLHE&5$|;8C!)^EOk-)0V2Uw^6>zZh;3xcW{aD^|{^_)BNlj=vz zbpiI7J>9GzzM1;*0y8ZPU7f}?71to+`(s1s07u60#2lT*oWWDJWWG$+lxt$ztPcne 
zzc>UZ>4M1Ad%~K)uw6sIm-JZZ!#-yXtmyHkv=b5Knc&X*_VBsQQDf2r^#{6sI_U^g zc@P6Ho_=nXDZPhKr{FrI*ZyBCn|bbCbD!-qrX0IT$`)f(I`LwglN@uh%zS%Hk4m+o zxH$qokeEhBwBAX%F3w`Oo>c6yM*5xvBUF34Id z8d2c&`4-}57P8%hhcX4a(NB~ldj>t~L;&m9c7GYG0eO}k!tGlv3_#3DNYp5va_YKK z0Q)~qi- zLI+REqm%ELplddow%FMP0h(N(K*N)Z!t7=X$Z2InZ!5g?h3dHBfuiy2ZXG ztMQ8Zi%qEeSryJr;yy3jec{|aedu(k;d*&<0q)gs{jQ@z745LF zKi3ngJ-2)=Y|(XJHOumpx~w^a;z#|1Bu~rZgw`1Wrv`dF-;M-MXn|;)GxjPjuF)_o@7Nl1QHZJ6+7Ivc!Q7=E36lLI{%qPX7oSZ#n?0xi4r zf*vOy=t+)~8*sULrU1R5Z#YZJgI_Pe_2*x>ZK*U|K!k0&a#eL|7lIA3 zXRCk0nH6}R2xN36<;Y|E5=*i&Xd=ooJ+_NtD~99`|;&Pi|)viw|$;&r=ni_p^L7kfDV3H^d;2 zIx;UkWX#N8`zhb;Koz1Q-Hp)V64NEs?F`cDTV z%X0jBsPu!u`sKIJ;J7`jK&Qts#CtSUBEwLF-rYVSO%(&9 zSyd)rsceR{g*)NqCQ4MKVFJxX<>mdWxsMM?MKCp6Wy^jbc^sebK^H3;K3qp6S6^>8 z9F4GfSi_t2-406O>-%-r?$2#J9H8*&pE&Sgw!2}rn;SN_&6mRGKoptnzLUpB1&bEJ z{xbS=T}9cMSw(cz7itMM;r?CdEvsu!(zI2kmCfG?NT`Qj!{YI0!Y|mtVkMFGO3#*Q zhMXfacQEmgg9E6d%{&saNnMCPx|0)RYMVUC8P{V>!1OS&!T9AJEHLdJ1^y26P{O&ICR9x_{|g;j!YgJyAGx z0(EdOng*Sq{(#JKVt_!6Y2R%17yAltx0bvXuKn{GF48s5=1&!b5BARQcJ|%Q?w;2l zVg;h4n6AEkwN?W7io$$249V^(6UKtFeSbBmH2CW`CQ&|sX%K9wc^hGBK$))Rwx?`UkZbSuziNQi^;rtvQI|*#Pm;b#uK*6syIRVHo+CDLiv`G39Me zvS=fd?uh#)+ou@9GTFFn56bgiFQ-p=w7U(vPI;t>>hQf5`=VcJP-|(z20D{mdlvFt z5A}k9&PR$m$;58*gyGwOL|ZH?+6*2i&FCca!Z*rHzu_;#;%S{T#Tn9$4UtY5%0}t| zX0>aTFXSi(0??O6+~-};Hf+y;Y!Grk zEFZ`YB=lWx2e2Dt;n);6tPJjVV;c3R-=RnG4VUo?SM3u*2hXl4oX@6FlWq^5C)Ho1 z3s+yyQ@FH;bB7I(2pFP$A4s-Iew53AG=#Xcp4Wx`dXG9yyI?@uq&l^%`x5ZqwV<~^ zi_A}I-N1`5Wk`IATw0`@A7n;r6w^z{Ic(H5c**qB5!RELBo#SkXP#X*ykw?5vg8nj z2Mf+}A+y~-V%U1p3*=;$<)fWwPanF7+wFxsQpsXb5N^|Kq~z4L$nO2D&iwYd zEgwnfXqia=c2h$Cc9=S9P}c2W`cP#i{*`F_tAU0a^>9Jg+f!dchYRl!W8UX~M%oED zkV=rx6_Cpv&;z!+o32Ot*T7lfmyL4R&vG5MS5iI^<@3i`ul3Omz_aqnHWBky75WM3pahG#Vp!Pe z^Lz~v&ttYAJ7|9c95wD&QDfthd^=hQp7Zr|`tP9HWs zw+o*EVPiSGJ>8ga8Nv}50DIC21jqXGPYvh5iQXH|0(X1+cYCF#19yoH$4+-c!oZPk zixf9608Rt@SgniW7rCzP+l?VzRT6u~yIOTPI%`MU5G~i*qw@jnDkJT&c%`A1nmQXT#%q{QRr;g6i}@QO-c>;ZW^B zPv!*K5VpeiWR%wx1^c^mmud3lY#s>;zrcLS->01S+XI0!dB?ZU&6^H}2Hf=UiX3cg 
z7T}n$iHG;#gICW!>69yuR`}M;vqm(5fFBLW7d>Y~czd3H3!g#pJ@?go(YFnwQr2oy z1u$%&67~i;`6`?RKMUzE(!75TKn4|HUgs2Dg-DTFgb2t0l<&E6kuAVgu*VVV?nk-^ z00;A9fW-jZh7IT|*&mMn+3}ujv+LYH2Z6po{-<2Mkrdbp1A!oo30CO&NaKO18uB6H z8#dGP@j&#Ai$N2C?Qtzrw{l9q#XdeD85EmmjZL3Q32(!I4BCgyK9Ge&vW3I)in`!( zd^-O&&w8^sXJf|{Z)c^<;I7Z@=DN?zI$XUh2Da(LL~|sCvvg_h<%M}DO1k(E=-HBWi zsRBwqg75yM5soF9vG^6?c3fM6xrX zIlr=!Dd=UNW^TG{q!{-Z))gRSOm5{T1|`SXAJU{bW7VuMA-{R|%qu{}ZVCU_<9OJ@j->JgGOI4>6qB5~yBHP= zjD4L=pCP;3$WH!s?81Z^??DNaMv_7R>&U>qFAvs#s_(o6?yEs-i!MZ+ z9PPBvnsteeeQ~3frpHRimAH%C-BrislQ{ahswsd&p6UAM0io8{v^ zcP(Br6^AN0U)@|b1FCHutet2VcKLU2r%0qZ_xVJIHo*0_GYz-aHlH3@KfiTBNb2Np zFQoX#^j&G8f{Kv;Zp+6n;Q-8eQ10=VLS`S6mL*>$Pj;Vt3o(m z7rncUBD#GQ&WQeVe^ZtE2l@EaBzh>LV@-7bQ9sAXIm((gEVOS;783~GgwD&IYKSd| zHf9Dh9LzPa{H2opL3r&p$hfEeIokNce~iX0aIcB@kM;nA`v~ct6AXT>>giX+%SUQ# zhyAN76*a z#Q(cXyln(9F)3jF63`YNS*0y~^176@`ph2oTz->-%Dhzu^>Kf=%P}K0x{yF6!9V&D zYe^=uadlPKL|5%*6Pjf*h4Zkg(Y`|dfGQ4+RIQKMg|MqArF`uvoihR}qT!Q%DPk3aHa7Lhu8ChY`3%;fn<<%#hdD`iq6xxJ}eQPVp; zc#v>*Jsv*{+Ekec%d9QlU88QXr^qXPOcBAp?B?rI@n+hngAO7|8WnVm*S9WoUdq}r zwBP~VwExxFcZW5xb?XNZ5Ku%2O+^Jm353v*CMDE_-a`+)igYO!1cEdvp@rUi3st&+ z^eVlG9zlvUMFd3@&z;~o-~I0QyT9+b_x{6^XPBA2XV2Pez3W}?p8cn<-r&eoWWcad z{=Fc!^QxLAPlsyfcs%EptMhDqMML-l0h(?16p_Lgm3| zO~=Z@a%5lZ;zbTe?sH~Gu1a_RxG_kUgtj_+f+C1@UTliFjP2g9N_Ns=y z*Vkme);HjIwC;(G7M^}S)-$<2v=2FzM_Gp<7y>e*J-T7$3R5+nM-*fMg4!3m4odw8 zhnKAu4FS{3PO9ya(jRIX|N3n)_N5o1LUxK zbhD=yu7tB-fg?$CB<<%)B@&Es$ZE*CdWcOD=%{ys^B+?oWZzu6&Xsi{UBeKPgaMDm z>%4@wq+)wDDuT!`rTY=(7_z=gtXDNXby_ZSThrP^kbtgDTV5LE+QW&S6X`46Dl*g` zvLXSM_f9$#o<69g(lubSPon~XJ{%R(H_FQ2}1_g7?$l>epjKsKehxkezK!DXWg>B7|P}-ix?mLOf3QlTV z+xr*;d<7IzDegQ$6BN9w<$5<9q9Vq*r+@LtPpO;84)9XgXW?sRZxsb*yRw->+rr(a3NlKpWRdNqJYGWj{nMak#Bf+;$uGJMbqA%MUEZZ1X-5R6QylQ#nWI` zmYQG89DdFusKu6_CB`5>0+aU3AwdD&oomgT>CJ1V)C-Mk#Tu*zPb00zd5Sa;+};6e zPr)-Tm!FJk>D;a9KnLqoR&MZ-(4u%2T}rEG^{pruehTn`Xf#bPYM4^WbOt*3ti#n2mpkC-Ov#I_{D|mo6KB>dXUw1by7vLpmCHr7>j7vB$8` zb&Vlfa@&?AT(gIsZO9XxLytP*1mV|Ydojte*DmVFoIa(&DUSo1`XK++FfMtpwA}EA 
z*?=&l5g%zBJ?VQYuQ6a(WO^fN2Sh`@VM)0U*2}ODNH_5D^PJWYE9bTLMmfxA`wLwg z<6_|5SE=szFiFKo8=Gi2^c5GC9OqixLClp7d}6lT09h99qln0XR9nqT?@ z>De?)d1~C}{K#{sOO<5Pm1KiA$VXjkpI(Vuml+Sz`0Dzk(An;~;1^H0d94m|&ssC5 z+^(vxt{3Yu0I}rf<^x?8tA{i&X!Nlyu~BBl-!Q(**+Oo^5l(&tkxj)f-%yV~UVv2| zSK1ixw-pwt8rC!v*4MYaPEi-sA?QqSQS0p`@LbWh*1ymnaN8m2{7JFqOj3Cf%B0z& z>Jg+|T+e(-Yj*vM>766rt_wad1iBKLwYi+>8T>7&rZw*H_WGmhL_Ld4=J=#Wcn?(c zByO`gbkw;k5=i^hz<>IJFO5yqL3fYz7LbYrLFBwr;m(R$syTnthhSg(bYJ3Ab3z})KYI8Bw z_i6|twV+ykAqHt~C;1JgI<=urfuzfgh)i=ipkdB$&SmhbSR`}pc>v7XE_vNQ_oqbh zj-K!ChwOkhHqX#8hJrx5Kzh9P<_$Fo84-YXT>$)YR|*kD68{Ins1p&rAb{I|DN1zN zcp^SupeMSX(Jq^LlKC2|$E00c@(*VN_xg#xSx;$97)0UAKP$HLB}7lNBOGKG60v zxs-5w@5$k#UEff?vbSYuKdRJb+Fay!U@=5f{j~=vB6crA=tGtFe}0)T8`Ql_>&o^{ zMzkf9KppY+De2^;fYceV(Srk&eBPVkkb=@JEIWySIqp>$l&yPAtZVca zt`zr3meeULWge88sd3UuWPvwg^oAim!l|l{)U^1+D^OahG)DFGrD&SI)m*O9G_P|N zwI{pUgM7vI-b0rBYcA4M`W84?VdK*qyRKhe+Vvee7dcKEE=vtl1Fc$k|K%ec3E?1o}?T=$R6lpH6_1@XAlm zU9)HT`hv!F*$2m?A``?lv#shROPqNhc@@nl@qhM~_=;fVi_sID*2rikUYyquH+2=v zBr?XvG+gAKlqfqCl3t1R2!$#Rt9A^DI;9HG%v=;l$JT}Ks_{yfm)8qzuE=VQdE_^} z*TX64OJB82dsbVvKcBGZCbk-t^qQS>aVUvQ3#~OPqHamaA~QQx>H7GZFH)R!fWW|n zQ+lwJo4S*zQXr^KD}LSL;*2q9cz=#$+ot_e)LZT^nhh^Yf7G%q^_BQyKP2xkZ7(V* z$mPuOv&P`?xq5_FM3+6P8&QTDz`q;Bt5tDkITdybyNa0HE!oYq$a!{&64>-Ok=jZ*1*a{M42(4EDu8FsiC%;a|9L6f1YkvvkSRfW6YWn-v ziS0#!YNqJk+t$+-ZyGUVHR}2a7MvSFj1Cg5XN9PJwiC-hl$HHXS|2glP`6F@4L&X) z`*EtfuK`QCfs7ncf1!o?F~pp%SaFOhUMaC;ylon}|4S&GQ-{}16D`2so&Nc@m5LuI zoYlGh9gUTAVULjComPxFw&CJ_+@3}CTaZZYg~{V_t)L1`aYOym9%?4#aQ#v*Jnh_P zdo^onR!(WKS`oVvw>Iu;c}sJWgPCpFbLv`AlGKzC_%myq>FEp~Obzuy(t_s91KU_>`6AO?mgqTo}~P$R*CG%#e;@xJwK zPUOidRU+Zd9y#~cfm)>b0r(G|hP5<7hmS84q7ZFZ-a<~#OhMz-L*GbN?d{~{9mH6u zi}dXcC%EEdEMs@yT(s$J`{s7)&u%>GEVJ#Mm%O7~vU-mVs$1Epd&!)&S6_mi?pfV1 z%7k2rt4qpK2+7qI>ZKoxV=&~HCp+_p#paZi1#-hsCa+tlw^w}{+^5Je?0>n^E++Pp zSVhy%!Hh)zXx1YN*bGQ8rIxnY+ZuoXSS+x~b7sp4zL)X4o6?th*31$XpPL7^bj5Ls z)(u{6s{1Vl`AkYyn(qmrr6#_V^ZWyWr!!mmA|f=Unb~-EAQ_%jdCZ*cdRsHK_vd$b 
zzW9>b_sgyx>yPhN*Bwq{S66%_tBcrzgbHF?1e)SU(3H((>CX43(pcTI}Yi8UUk9F7f?A%*gt%jw^p~8I1 zqSwcN<-@w2Ndt^D2FLCD3-!Wya>N|bL;aj;_8x(<0oB%vbKX8K357R8?MJ{))rpZ< zs$&Fa)KEvf$R$J#-XzYm(n7#RujVRrV;v#u3kAahM@DR-d_e{GbKeh@dW(L2U~)P$ zDqX-*9IT!ernPY}IPoyrS(1l6*6<MsE=Hs8GkYWT-xPL`zY9CO zzEmrfYZL{3^xA`yJZPBN*QxX^FI?-}H3VI{j4>=ZA0_k}49CWJSu*TJ@M3-2cmb

    {;qrLJES)1#-JMKQhimhTzftPI=5Eh1FXVXUnlVxxC1M^&mtv+f9zuh~KaS{`LO&_QeaA2h)$sR~f?TIrhw*EtmwuQOq0L~Hi4zj@-O$TqvvvNHXPcC zOz51anrfqL2bOW`iMDUTmCP2UGoFD_<1R^-MYSjx_uKn^S8($^{N!Iw+7q9L^hh0X zv@E-pmFvo;vcOZzQxeq8CK5QX$}b{3h*3d2@_|jxxhkp@+0Vv!2R4HFVE5QgZ+iv# z1LBC9mSCS3ps`Zs@v_ zrGxH1Wsh<4`)6;dhlKxF;V%d8uW$7a)QiI{v7IDM=r<3}z` z7k0L)*2A6spLoM_SM06=Lg$2%S#lnN6LTzpha7 zZjCe7cayKzr0!(VHJH3_Ut!7xX>vUkO%`z?kNg468M%Y4m(S=nBrN!L`GQPqV@XeP ze@F#)#7S^I(n-4}`ZTokU5jbYFl20PH*EC1*tV*(nO7|8N0Oyq` zSH?%Q;~gOVExTMyIL2#Wi^2Y_fqkWsGzVPDe%X0cZrgas&#Fy&LosuHfA^N`c3iPS zx56aW?E#!!X40!Tt&q0F9HxR|5L5peT?;@&o0XklZjdNYet7{Tp>)jPny-5P8jd_0 znM-d>I4d<~3gyK#gCFKecBLD6)bkHX4&%7hg{0`$cgnN7cajO!d&-e z4pE124>|HeDqFp@fH^v-sei3FFfI3w(E`rYZ!oCL$(?#|oEXb7p>+74CsoY4RqyTA z2SjT~wty$K+PY@}0FGuwQyz{O09KWP&H3JhzbLB#5Gli5Qn^+@Sat>I_MLIzd6FPU zRc`p(#w=$Zu3e|QO&Sl&)1s?J^^XTL?a}%`W$6s3h!B>1gVo^K$$zL7O5mKXLM^kd-8Kcq$@ z!6MuEA5+wl+?|;jdK=<%_t@y{W!PLIloSNU5_Bi}uE2CTjcSyl;x9w76WK+KPh9*n zgbal;>pYZE?2$DYQ5sE&B|@k9Rbo$z|2(0V?*;}MaInocgr8d7rp$MJ-~4V3XL;f* zI@F_0IGv_skDRjOCl@(&n)XPCjuyl4S!StN2LWc6!9^IoZJ)oyLLkp9GK?eCsLHE- z5p@$6V;onj6N8zhKhEW#npJV&w=;FdB9hRh4s4Mp`NiD`6`?K#Do!)3luvCUFFWp# z^qESCDQ9K~J@1v65W3nx6Ld0_QCzK(lo&(UaBuKY6XkMw~F$0?hMeyCRpNMeb8HntOwqdAGT1> z4og=Y=3Zf-m=0iK#g^*LA^A5 zvGPL@2J9;}V4h@kpXJe;G*o-~u5yzNJh(=F75L(PG?_fDvNC@ZLJ2pS!Rm`^nDP#2qOPls11)3?LG?NwvHekLr1% z;Jxr}2V?K%wl44h7%`eTUHKaqoPiAX!?WMOn+%v)f2F&GO5d)jk58JcHU}&KQ5f)O z0LulPC)t|U5ie`YQN=o2ZY=H6RJEVi>2b%$C?3FXV3PkxKyo$eCGAQ?)uvs3O9ku; z*a>NbRfMFIg3K=d#;TQM2Q9d=vFy6{B@--gDrf+(9y-uE-Gh9%&W&3qrt0bn&mE>9 zkc_d`(;@H(rs5ii;xCk2NoH3)QX-WOeR&~`OI?m(z$5Y1RI{@vEAH6lpy3vHPbsR_ z_ZIyaGaJl16gKNSmz@DT=R{*JfPCO`DBy_W9u zJ_2@K^n0S0lg8VfMFX!_L776n^hh&HEu^XC{rqBhp4q$gN?N#kBjsFday8l7&*d%- z;4^$S(4F9e-kzxn8MfgVE`|a+g8-Bfi8I!urktxd)B((zsRl-8>V;pkG05c-{3(;& zV;{N|VI%qAdvZz)Of!ag7K6f05_YA{gg7?Pa7k{e^-71dnEE=Aw^eQ?v6vQM>rjBz zG%#wXRbz;H%7ud=@n+jDXVb1AhsuOBq`VI0cEZ_f$ac;!iN@Mv0d zU+jhjs9C@Riid+plC^|o^V~3oXJo~bB48j>UM1SCe4eEN`-xC$!rjKP=&Exds2#84XZ(d4Ke+Y#FbnA+u45HK6 
zI{f*L0Kj`VmOP)oIzN&EIhtS;71|>fxHzYP3kPE{84s3Me)vn1`y&UjrbYpU!%G2VuzAU_?fs$;+^TmACoO9rj-|3E*V_c zFS`m|>+?fkqsMODb4;Z#q<3oH3+DYtcj{^B28OdIf1RH+39MOU*H9?HE$@8M+DLuY z>Tte(XF_jK3n{V!$&?90x+#soi*~tqu3GV}n{(8LC0ClMTaHe0UVhL?jOt8GT-;RP z;hSLoctO_lbLi;=RvJl16M$`)dj|fJ?)3B}@Y$bhVDyF*=2N8@%-e6GkS#atEO5%} zqDuA#Zd3%)vfu;D+y3WK*;&#&#$g= zyIj#I*_9O^O#ld@B)8hY7(*W6HUE%!2|XGr!*^~`jgV^Q=Q@xZUwb0rs$L`Wg176J zljgIZ0=i*fqtA&u-!eby1^XdO+o*v+LoDR$t?>p=dYaBdn(1Ff0$t=4$xjXQNZ;it zthMAEV$+{6DDWMUU#Sm5%JKd%DDudLBI`NQD&2XfT)3I3!6Ny}>W1xKKe*&} zlIr{?FadgwC{~bD?HAMz&G$^vT2SuMZMZch!PwfsPF^s{UctaD&` z5KGmSoMy>5V9UB=Cd`;-$IUwBqifaBu?keYGWZuzI-7hLdq7Jg@b~;X zi(7x;q6H#l>HM$E=D(S*J%>BNKkavC-*oOfFefSBk0M8#mpKsHGa<@Mx|b?=UvtEA zBKmheiD^iF&H9Fj!va)jFn?Z-Z`YHK9x)}QtV8$tWwN=ov|t=%zb!M@tdj}p(ZmLY z^rGY4TeEH>DtcdyBy?S6`db&5CWT-cZ7EV$R=Ox2H@28cChta=X3g+H)lhehN3qz9 z)7cHD5}SNe1EUeyRP%|}q(aMTV&&|tz2LomkMj}tc>N2amL)aAPtlW=mr}#*xQB(w z^Mc@DQ3G6BKAUHQ0{XU@WUG=IiX=KV-*k-ABMn=6<_(-9wC8(dMa&8Bw_I$n~5fkhG3WSFGxr{JEeGXtZEkZa$puZ=PsBZdv%gvhbsZ zngW`g)m{IlH0SD%Hkr|{-P)qDa1H0Du@a^F9_{LXy0Y3T36OtLIgy&`6#Q<_c+TYO%y^D8r2h&G(%0^8<7%u zjrFDcST4Kdc+W)xdPbC)20bJkVvt6IYIbptecNUU%$=?j!Ix6tL|XQn9)BdO%uDHeF2@~0*+jY6n+ zcs;~TR?DIvf{j&1xq!Q3yX* zz(D~Oj0sPh%-PU_I5&$r|DGXxOhz5QGk*1^c7&i+_wQ-kAsHcwhDEC zFQK5Vj71h1;_bb<0fC$ITZftk-)(XZ58k?5cCJSW=m0fp3(lZA^y2`JnJLSx?mef;a~t@t><`_gQWQe)Igir^&zE@_>+ zFu*zi%LE{9L=N>Ik2qhjJf28uH$I6>JQ*v)DOrt_tr^=c-s^CEBrI~>#>NzBET&aU z(rCu-p$vp-PA4AmKi{gC?(|(qvRmSi2q;@i_BkpI>>O%hEXZqswgo;qB0Y!vTF@l_ z*~6uA(gwmxM}uo$YA(`)!X`Kql6sxN(UW$WGzGX51;Z!{VZFiVy|7{C4Ar;ea85PO zSN^X}ZvCEOfovGsGO!DceNg@W>R~U^|s6kdREb8Z`3KygFmqjS$?(5Zx!B z8#Xe9e5u1UJ1S8DK&@aU-WJvQ+YDcAN(GZ4d3{he@Y^kJHD#6=<5^xWFO-NmO9D-g zhja(F6z12gz*9s-9?(6K>o2*$H}vH&GSGn2dePL?Ia<{s-U&5Vty-S@*(0B@s3sYC z$@>76eoi&~C1ke~q^>?-DWDSV85KnpU3AbBbvY&Jz~%X^rFHig@W1T(XYMh<$ zLlZQY*+93Yr1;#5`D|d&pL~Ne6~wf@0{G`h^#@_f)AZh_uRFipXyh~Y&M!Q{t}ht8}j52R#7DS8vBy~M;9?!$)^tR1w0qlwt<4(nNs}C2hGgL5lSjgFTL-~-Lb9R%0Lp>|axvRTB 
z8m<{Am*@mlKl6&%hCj9AC>r&GhBM~0)9X0hmJ6vnE4fEEzvuhcl6z4K$A4F6JB{c1 z&8dTTg5RzBy8aj{F}$XE9(MW`5;{)WgmxT-R{d-Tq{qFb~ieu2?EcY!DDg@ z)An)ko$* zQuM8CmVts_{Nogb^8Jl9n|eYIeSrQ|2Go*d8$~Fr_MB2T&Aiv>9ypd`Vfq}BJ-u|} zwt`&g{M%_&4{H}rJBfrpE;YAH+$C)EU`eGV=2F?Y4(A@gJ)imwC~&VOm{z%PbJ?JE zv{$_&haP?p?HzEi?sH@;a9QN6(t$z?wiCn~3~tW3yg}T_;8AN-&3BT)Y6`JzzQIo> z{kGe6Da`5TkM|^Das%19R1P9Ev?tb`v}XxQ&s-Idtc;vVKmI9i0m>M`&iA<7cgej$ zU63;a|IkkRPC3}dJLu%Q-sb^zXMx>*F$E%z_=1bcg@Od+`kVL6nkNa%7&*O%r^;%c zp2;cxzO?-5W#R==&>T_8u|V%&PU#`BCn$t-JX{hL(92lXpE3$Hfq^g`XIYYUIsn-~ zEN3GPbpF3or2h?W`+xGRvj_h>UHkWi?%%ha24HW^Y0g(Z5T&h=+|rxKKe(cXzB7ZX+lJ&;q2d;5XrDnzI_|*U!d0t>-s{YE;YY-;EEXHl%)!$tr!9 zENPdttJB3uFj5k^TDm4|afboUPi}GLC8TkA+z|?%lQua2jPOi2Dx4}6VfIM#8hv> zWa59A;|={b0rnjbt*AsCZ}J*Yu9sAljrvxAf0z<(ZaI{oe23YUpp=a6pf}-!ZuXmb z9j+9w`Hn@T7K++Hmtb5q>G{2jop^kmAVr0v7^7GQE){kCy<{D3nGyyp?CyOE72L~{ z{GVoZ5F(2ND5B;`awkPd1+V=T@G*hFkFyyAi0S^$^nuI))N--h=MLXTFH%h@Ki9g) z+xHFTV`&Z7;zDNlj$V)q@Eq!l`!-*%eC{jvyhn$mK)4*b8R>GJTE!ElWb8ps^D`oWy zlIJJAOvw%vN?PSiS~b5NUATZ+pMg=T(dWB7LwHUiM%5}gU$!(3rE7J^I>FC|3~$4B z^JCR&5Z+v4Jp6u$9F6dzv*1m1>!?}L-zhwI;fUVVs>NjfHjnJE!n)~Mho^dy`jKDJ zjU^v*dftcPNysY&O|oHd4Rc*~F7F;Y-aM78t=t^G#0D3BnjZ&{fHD8VA*~DA0CE|y zTRes!s)xz5Eo(f%H^KsLf#0$*k8fWsiapRwhY9TVPS!EcrL zqpFHMqQJ8$jNc64oKlD)aW^W!EdEyTInR-Nq||Jces8#H(-S-AFfvn;-m)+(gN>Ux z;`5az^S;gunkGs%iPh?0>Y||-NMlVpZiXPKH4}KEC&)>IY9UW44{LhD81JE(PHR)RHbDkIPdYr5r0_f0_#1IV%~6lrfM}P4S!jRvAXt7m8 zvcBjbLLE<4P|MUlupdi1}J5dS&CzXPR? 
Date: Wed, 22 Feb 2017 15:57:38 -0800 Subject: [PATCH 38/44] waas-DO - fixed typo --- windows/manage/waas-delivery-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index 43a0a170d5..45a0062308 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md 
@@ -72,7 +72,7 @@ There are additional options available to robustly control the impact Delivery O - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. >[!TIP] ->In Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the “domain” configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet. +>In Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet. > > For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study. From 8bee80f5dc860637523d632f1ca1b88ef5347222 Mon Sep 17 00:00:00 2001 
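Review bot: In [PATCH 38/44], the `+` line replaces “domain” with "group" as the name of the configuration, but the subject calls this a typo fix, and the same sentence still describes the effect as limiting sharing "to only the devices that are members of the same Active Directory domain". Renaming the setting is a content change: say so in the commit message, and consider linking the word to the detailed setting descriptions this topic provides so readers can check which peers a device will exchange update content with. The replacement also switches from curly to straight quotation marks while the sentence keeps the curly apostrophe in "weren’t"; pick one style.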
From: Dani Halfin Date: Wed, 22 Feb 2017 18:09:23 -0800 Subject: [PATCH 39/44] WaaS-DO converted to section with heading as suggested by Liza idea for heading from Justin --- windows/manage/waas-delivery-optimization.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index 45a0062308..fc5e20b3e5 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md 
@@ -71,10 +71,10 @@ There are additional options available to robustly control the impact Delivery O - [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month. - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. ->[!TIP] ->In Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet. -> -> For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study. +### How Microsoft used Delivery Optimization +In Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. 
The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet. + +For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study. Provided below is a detailed description of every configurable feature setting. Use these details when configuring any of the above settings. From e31772d62ef6f6d3c9af3eab2d90888ebffb2423 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 22 Feb 2017 18:24:20 -0800 Subject: [PATCH 40/44] waas-do fixed typo --- windows/manage/waas-delivery-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index fc5e20b3e5..8f9e0d54cd 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md 
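Review bot: In [PATCH 39/44], the new "### How Microsoft used Delivery Optimization" section is inserted between the list of bandwidth options and the unchanged sentence "Use these details when configuring any of the above settings", so "the above settings" now points past a case study instead of directly at the list. Move the section below that sentence or to the end of the topic, or reword the sentence to name the list. Now that the paragraph is body text rather than a tip, "In Microsoft" would also read better as "At Microsoft".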
@@ -71,7 +71,7 @@ There are additional options available to robustly control the impact Delivery O - [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month. - [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. -### How Microsoft used Delivery Optimization +### How Microsoft uses Delivery Optimization In Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet. For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study. From 6b8172c587e29f8fe469620a9a145b9f9172df0b Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 22 Feb 2017 18:43:02 -0800 Subject: [PATCH 41/44] Hello - remove passport mentions following a discussion with PMs (Mike, Sam) --- windows/keep-secure/hello-errors-during-pin-creation.md | 4 ++-- windows/keep-secure/hello-manage-in-organization.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
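Review bot: In [PATCH 40/44], the heading changes to "How Microsoft uses Delivery Optimization", but the unchanged paragraph under it stays in the past tense ("Microsoft IT used", "was piloted and then deployed", "we used"). Either keep the past-tense heading or update the paragraph so heading and body agree. The subject "fixed typo" also undersells what is a change of tense rather than a spelling correction.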
diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md index a362e1f253..3d85f75565 100644 --- a/windows/keep-secure/hello-errors-during-pin-creation.md +++ b/windows/keep-secure/hello-errors-during-pin-creation.md @@ -89,7 +89,7 @@ If the error occurs again, check the error code against the following table to s 0x80090035 Policy requires TPM and the device does not have TPM. -Change the Passport policy to not require a TPM. +Change the Windows Hello for Business policy to not require a TPM. 0x801C0003 @@ -149,7 +149,7 @@ If the error occurs again, check the error code against the following table to s 0x801C03EA Server failed to authorize user or device. -Check if the token is valid and user has permission to register Passport keys. +Check if the token is valid and user has permission to register Windows Hello for Business keys. 0x801C03EB diff --git a/windows/keep-secure/hello-manage-in-organization.md b/windows/keep-secure/hello-manage-in-organization.md index f2a43b7df1..806905c587 100644 --- a/windows/keep-secure/hello-manage-in-organization.md +++ b/windows/keep-secure/hello-manage-in-organization.md @@ -352,7 +352,7 @@ You’ll need this software to set Windows Hello for Business policies in your e

  • Azure AD subscription
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
  • AD CS with NDES
  • -
  • Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
  • +
  • Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Windows Hello for Business
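Review bot: In [PATCH 41/44], the rewritten list item in hello-manage-in-organization.md still spells the product "InTune". Since the line is already being touched for the Passport rename, correct it to "Intune" in the same change so the prerequisite list does not need another pass.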
  • From 6d6a37131536024bb5cd2a28f20c0e94f5db35f3 Mon Sep 17 00:00:00 2001 From: Zach Dvorak Date: Thu, 23 Feb 2017 09:39:29 -0800 Subject: [PATCH 42/44] Update upgrade-analytics-deployment-script.md --- windows/deploy/upgrade-analytics-deployment-script.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deploy/upgrade-analytics-deployment-script.md b/windows/deploy/upgrade-analytics-deployment-script.md index a189c5290f..06bff0e12b 100644 --- a/windows/deploy/upgrade-analytics-deployment-script.md +++ b/windows/deploy/upgrade-analytics-deployment-script.md @@ -56,6 +56,8 @@ To run the Upgrade Analytics deployment script: 4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. +
    + The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
    From 191a052a4f54aacd4c57057adaf2f38c7b29c5d9 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 23 Feb 2017 09:46:29 -0800 Subject: [PATCH 43/44] hello-identity - fixed another passport mention azure article was fixed, so fixed its title --- windows/keep-secure/hello-identity-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md index de233a49af..3806b27b42 100644 --- a/windows/keep-secure/hello-identity-verification.md +++ b/windows/keep-secure/hello-identity-verification.md @@ -113,7 +113,7 @@ Windows Hello for Business can use either keys (hardware or software) or certifi [Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891) -[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778) +[Authenticating identities without passwords through Windows Hello for Business](https://go.microsoft.com/fwlink/p/?LinkId=616778) ## Related topics From a3bb5385c6506dfb3d15d8feabc523f2bfaf2071 Mon Sep 17 00:00:00 2001 From: Justinha Date: Thu, 23 Feb 2017 10:55:04 -0800 Subject: [PATCH 44/44] fixed formatting --- windows/keep-secure/credential-guard.md | 2 +- ...ments-and-deployment-planning-guidelines-for-device-guard.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 30a494b20e..8c70f3782d 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
@@ -85,7 +85,7 @@ Applications may cause performance issues when they attempt to hook the isolated The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. > [!NOTE] -> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
    +> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. This requirement is not restated in the tables that follow.
    > If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
    > Starting in Widows 10, 1607, TPM 2.0 is required. diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index c00e795566..49742f17e8 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -42,7 +42,7 @@ You can deploy Device Guard in phases, and plan these phases in relation to the The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. > **Notes** -> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats). +> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
    > • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. ## Device Guard requirements for baseline protections
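Review bot: in the hello-identity-verification.md hunk (PATCH 43/44), the link text changes to "Authenticating identities without passwords through Windows Hello for Business" while the target stays https://go.microsoft.com/fwlink/p/?LinkId=616778. The fwlink ID is opaque, so please confirm it resolves to the retitled article and that the link text matches that article's title.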
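Review bot: in the credential-guard.md hunk (PATCH 44/44), the reworded note line sits two lines above the unchanged context line "> Starting in Widows 10, 1607, TPM 2.0 is required.", which misspells Windows and restates the same requirement in different terms ("is required" versus "must be enabled by default on new computers"). Remove that line or fold it into the new sentence so the note states the TPM 2.0 requirement once. The lines under [!NOTE] also have no blank ">" line between them, so check the rendered output to confirm they do not run together into a single paragraph.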
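Review bot: in the requirements-and-deployment-planning-guidelines-for-device-guard.md hunk (PATCH 44/44), the first bullet expands UEFI as "Universal Extensible Firmware Interface"; the name is Unified Extensible Firmware Interface, and since this line is being rewritten anyway it should be corrected here. The removed and added lines read identically as shown, so the change is presumably trailing whitespace for a line break; a real markdown list or a blank ">" line between the bullets would be less fragile than invisible trailing spaces. This file also uses "> **Notes**" where credential-guard.md in the same commit uses "> [!NOTE]", so pick one convention for both.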